10 Steps to Stop Lateral Movement in Data Breaches

As highlighted in the 2017 Verizon Data Breach Investigation Report (DBIR), 75% of attacks come from the outside. While the specific tactics may vary, the stages of an outsider attack are similar. In this blog, I will review the four (4) steps an outsider takes to gain a foothold in an environment, and then explain the mitigation strategies organizations can implement to prevent lateral movement and mitigate the risks.

First, they hack the perimeter.blog-stop-lateral-movement-1.jpg

Attackers could penetrate the perimeter directly, but more than likely they execute a successful drive-by download or launch a phishing attack to compromise a user’s system and establish a foothold inside the network; all the while flying “under the radar” of many traditional security defenses.

Next, they establish a connection.blog-stop-lateral-movement-2.jpg

Unless it’s ransomware or self-contained malware, the attacker quickly establishes a connection to a command and control (C&C) server to download toolkits, additional payloads, and to receive additional instructions.

Social attacks were utilized in 43% of all breaches in this year’s dataset. Almost all phishing attacks that led to a breach were followed with some form of malware, and 28% of phishing breaches were targeted. Phishing is the most common social tactic in the Verizon DBIR dataset (93% of social incidents).

Now inside the network, the attacker goes to work.

Attackers begin to learn about the network, the layout, the assets. They begin to move laterally to other systems and look for opportunities to collect additional credentials, upgrade privileges, or just use the privileges that they have already compromised to access systems, applications and data. Note that an insider can either become a hacker, or if they have the necessary privileges, they can jump right to step number 4.


You’ve been pwned.

Lastly, the attacker collects, packages, and eventually exfiltrates the data.


How to stop lateral movement.

While the Data Breach Investigations Report and nearly every security vendor on the planet makes recommendations on reducing the risks associated with each stage of the attack, today I wanted to focus on the stage related to lateral movement. If you can create barriers to move laterally you may be protect access to high value assets, or at least slow the attacker down enough that you can adequately contain the outbreak and mitigate the impact of the breach.

One product will certainly not provide the protection you need against all stages of an attack. And while some new and innovative solutions will help protect against or detect the initial infection, they are not guaranteed to stop 100% of malicious activity. In fact, it’s not a matter of if, but a matter of when you will be successfully breached. You still need to do the basics – patching, firewalls, endpoint AV and threat detection and so on. But you also need to protect against, and monitor for, lateral movement. So, assuming the bad guys get in, what are some of the things you can do to stop them, slow them down, and/or detect them to mitigate the impact.

10 recommendations to minimize lateral movement:

1. Use Standard User Accounts. Enforce that all users have a standard user account. Administrators across all platforms should log in with their standard accounts as normal practice. They should only log in with administrative rights when they need to perform administrative tasks. Sounds reasonable. Doesn’t always happen.

2. Enforce the Principle of Least Privilege. If a user does not need access to systems, applications or data, remove it. As a first step remove administrator rights on desktops for all users.

3. Implement Application Whitelisting. Implement policy to allow known good applications and log all other applications and launch attempts. If possible, restrict launching of end user applications with known critical security vulnerabilities.

4. Require Multifactor Authentication: Implement multi-factor authentication for access to internal systems, applications and even data. While implementing static multi-factor based on whether a system or application is good, getting too restrictive can become frustrating for users. Look for solutions that can also restrict access based on the risk associated with the environment or activity. For example, if someone tries to launch a sensitive application after hours for the first time, or tries to run a sensitive command on the Unix server that is missing critical patches, step up the security and trigger to re-authenticate with multi-factor.

5. Use Context-Based and Adaptive Access Controls: At some point people need access to do their jobs, but continue to lock down when they have access, and from which location they have access. Restricting access based on static elements like time of day or subnet is good, but restricting access dynamically based on risk (i.e. does a ticket exist for the access, does this request adhere to a normal access patterns, have I received recent alerts from my threat detection layers, etc.) adds greater protections.

6. Implement Strong Password Policy Management: Require strong passwords, and that they should be changed frequently. Deny password reuse. Log failed authentication requests.

7. Automate Password Management: Require unique passwords across all privileged systems and accounts. Eliminate hard coded passwords in service accounts and scripts. Implement SSH key management tools.

8. Segment Networks: Group assets, including application and resource servers, into logical units that do not trust one another. Segmenting the network reduces the “line of sight” access attackers must have into your internal systems. For access that needs to cross the trust zones, require a secured jump server with multi-factor authentication, adaptive access authorization, and session monitoring.

9. Consider Micro-Segmentation: Where possible, go beyond standard network segmentation. Segment based on context of the user, role, application and data being requested.

10. Implement Threat and Advanced Behavior Monitoring: Somewhere along the line accounts have access to stuff. Implement base security event monitoring and advanced threat detection (including user behavior monitoring) to more accurately and quickly detect compromised account activity as well as insider privilege misuse and abuse.

Implementing these high-level recommendations will minimize the risks of lateral movement by an outside attacker. BeyondTrust delivers capabilities in our PowerBroker Privileged Access Management platform to help you address these recommendations:

  • The PowerBroker Endpoint Least Privilege Solution includes capabilities for enforcing least privilege on all Windows and Mac endpoints, whitelisting applications, implementing risk-based application policies, multi-factor authentication, adaptive access controls, and network isolation/segmentation.
  • The PowerBroker Server Privilege Management Solution is the industry-standard solution for least privilege on Unix, Linux and Windows servers, and includes capabilities for fine-grained control and audit over commands, multi-factor authentication, adaptive access based on location, risk, etc.
  • The PowerBroker Enterprise Password Security solution helps IT organizations gain visibility and control over privileged credentials – as well the systems they’re designed to protect. With the solution, you can implement a secure password storage mechanism, rotate credentials, establish a secure gateway into your datacenter, and more.
  • Underpinning all BeyondTrust solutions is the central platform built on BeyondInsight that includes a purpose-built threat and user behavioral analytics engine.

BeyondTrust has united these capabilities into a single platform that includes the same policies, and a rich reporting and connector framework. What this means to you is fewer gaps that let attackers in, and more control over privileged use actions.

For more on how BeyondTrust helps you stop lateral movement, contact us today.

All charts in this post were sourced from the Verizon 2017 Data Breach Investigations Report.