Enterprise cybersecurity's lateral movement 'blind spot' [Q&A]

A lot of time, attention, and investment is spent on creating strong perimeters and endpoint defenses to prevent malicious actors from gaining access to corporate networks.

While this is important, organizations also need a network security strategy -- because if attackers do infiltrate a network, the race is on to uncover the malicious activity and quickly resolve the incident.

Every second bad actors lurk undetected gives them the freedom to move laterally across the network to increase the scope of impact and inflict more damage. Peter Manev, co-founder and chief strategy officer of Stamus Networks, believes lateral movement of this nature is a blind spot for many companies. We sat down with him to find out why and to discuss the best practices for enterprise security teams to respond.

BN: What are lateral movement attacks?

PM: Lateral movement is a technique that cyber attackers use to expand their presence and control within a compromised environment. Often, a threat actor will gain initial access onto an endpoint -- through a successful phishing or other social engineering attack, a malware infection, common vulnerabilities and exposures, etc. They then use various tools to obtain credentials and increase privileges, eventually imitating a legitimate user to move through different systems until they find what they're looking for -- which is usually sensitive data or other high-value assets they can compromise for financial gain, to disrupt business operations, or to effectively shut down an organization.

BN: How do they work?

PM: There are typically three phases to lateral movement:

• Reconnaissance -- After gaining initial access to a company network, attackers work to understand where they landed, what kind of freedom they have, and how they can utilize that freedom to meet their objectives. Depending on their findings and the permissions available to them at the initial beachhead, they can then leverage different tools to get to the next stage.
• Credential dumping and privilege escalation -- An attacker cannot move through a network without valid access credentials, so this is where they focus next. Often, they'll use tactics such as credential dumping and keylogging to steal credentials. Once they have valid credentials in hand, they can easily impersonate a user and escalate privileges to move across the environment.
• Gaining access -- This pattern serves as a blueprint for attackers. They repeat the process across the network until they are able to access the targets identified in the reconnaissance phase.

The way cybercriminals go about these steps can greatly impact detection. For example, if their goal is to successfully hit their target as fast as possible, they may not care about being detected, and they'll make a lot of noise on the network -- opportunistic ransomware attacks can do that, for example. On the other hand, if stealth and time is their priority, they will try to remain undetected for months, so they can move laterally across the network to widen the scope of a breach.

Organizations need to put the right network monitoring tools in place so, in either scenario, they can quickly detect a threat and act on it.

BN: What are the biggest risks of lateral movement attacks?

PM: The biggest risk of lateral movement is that it exposes more of an organization’s layout and infrastructure to the threat actor. And, as a cybercriminal's footprint on the network grows, so, too, does the risk and impact of an attack. When done successfully, lateral movement can allow threat actors to shut down operations and severely impact the target's business.

Another important point to consider is that threat actors can purposefully destroy devices to take down an organization's infrastructure and operations. Just recently, a well-known vendor advised customers to replace their physical devices because patching the software vulnerability was not possible. We also recently saw the take down of a major internet service provider that resulted in the permanent destruction of thousands of modems.

In these and other cases, endpoint detection and response (EDR) cannot help companies defend against threat actors. This is why it's so important that organizations implement a layered defense that pairs EDR with network monitoring -- especially on critical infrastructure. Only when they have network visibility can organizations rapidly detect threats -- and this is critical to mitigate the damage that can be done following a successful attack.

BN: Why is lateral movement a blind spot for so many companies?

PM: Expanding on the endpoint challenges we just talked about, a major blind spot is actually monitoring edge or legacy devices where endpoint detection cannot be installed. For example, routers, switches, firewalls, VPN concentrators, virtual infrastructure, gateways, SCADA devices, medical devices, and pretty much a big chunk of the military, industrial, medical, and automotive devices domains. Almost every week, we see critical common vulnerabilities and exposures of these systems being unearthed and disclosed.

A big point to consider is vulnerabilities or breaches that we do not know about or that are not public. Hence, amplifying the already perilous necessity to monitor all communication aspects of critical infrastructures.

Additionally, you cannot protect what you don't know is there. So, you cannot protect and monitor devices you don't know exist in the organization. Often, in customer deployments, we discover devices or even whole networks that are unknown to an organization's security and network teams.

Organizations need to use network-based threat detection and response (NDR) tools to carefully monitor communications among all the devices on the network, giving security teams a complete picture of the network activity. This has three purposes: to minimize risk, to audit current security policies and controls, and to add another layer of security visibility (and, as we know, visibility is paramount).

BN: Where can companies start when it comes to building a strategy to stop lateral movement?

PM: Because it can be very difficult for prevention controls to block lateral movement, the most effective defense is early detection. And, the most effective way to achieve early detection is to take a layered approach. For example, rather than relying on one-dimensional point solutions such as intrusion detection systems (IDS), network security monitoring (NSM) tools, or network detection and response (NDR) solutions alone, companies should consider platforms that integrate features from all three. This delivers a more complete set of detection methods that can identify lateral movement early in the kill chain after initial system access.

These tools can search and highlight anomalies in credential usage, logon failure, app usage, connectivity patterns, port and protocol usage, encryption analytics, flow patterns, and connection specifics and details. Then, once suspicious activities are detected, they use advanced prioritization algorithms to prioritize lateral movement attacks and push only the most urgent threats supported by evidence to the top of security teams' review list. This is so important because alert fatigue can be just as crippling for security teams as not having insight into suspicious activity and threats. With a manageable list of action items, however, security teams can quickly respond to catch threats before cybercriminals have the time to cause substantial damage.

The bottom line is your network is uniquely positioned to spot and track lateral movement. You just have to use the right tools and employ the right strategy to take advantage of it.

Image credit: fotogestoeber / Shutterstock