Lateral Movement: When Thieves Climb Over Your Firewall
by Tim Keeler, on Jun 05, 2021
We’ve all watched those movies … the ones with the eye-rolling assumptions that film writers and directors sometimes make about IT security. They show hackers in a dark room, their faces dimly lit by their monitors. They type plain-English commands onto a dark computer screen, stare intently at their work, and hit return. We hold our breath with them until the computer beeps and, two password attempts later, they’ve broken into some national security database or erased someone from existence.
It’s not really like that, though. Perimeter-based controls like passwords and firewalls don’t protect us anymore—not fully. The threatscape facing our IT ecosystems has evolved in tandem with the technology we use to protect ourselves. Sometimes, our technology succeeds and keeps the attackers out. At other times, it doesn’t and something like the SolarWinds attack happens.
An Evolution of Tactics
If the movies of earlier days are any indication, hackers have plagued the industry for decades. Sometimes, those attacks make the headlines of the mainstream media. And, sometimes, they don’t.
That doesn’t mean attacks aren’t happening. The SolarWinds attack serves as an example of the kind of attacks we see today. Today’s most likely cybercriminal isn’t the lone-wolf bad actor hacking into networks from his basement apartment with the shades drawn. Today, nations—and cybercriminals financed by nations—encourage or directly sponsor these attacks. And today’s attacks increasingly rely on lateral movement: once attackers obtain the privileged administrator credentials of the users you trust with the life of your network and business, they use those credentials to move from system to system inside your network.
Notoriety Brings Attention
If anything remotely good came out of the SolarWinds attack, it was that it raised awareness about lateral movement and its dangers—and at a critical time. Recent research from Bitdefender shows that ransomware attacks rose more than 700% during the first half of 2020, egged on by a number of factors, such as the:
- COVID-19 pandemic
- Increasing numbers of remote WFH workers, and the
- Commoditization of ransomware-as-a-service
Beyond these factors, however, lies a secondary cause: the bad security practices that have cropped up as companies have raced to cobble together controls to support the surging numbers of remote workers in their workforces. In the race to get back to business during a time of unprecedented lockdowns, controls got neglected and companies sometimes paid ransomware just to get back online.
How Cyberattackers Use Lateral Movement (And Why It’s So Deadly)
Before cyberattackers can move laterally from one machine to another in your network, they have to find a way in. That first foothold is often a single workstation, reached through phishing or an exposed service, and on its own it is worth little. What turns a foothold into lateral movement is usually compromised admin credentials. When thieves steal the login credentials of the users you trust most, controls like EDR (Endpoint Detection and Response), passwords, and firewalls provide little protection, because what follows looks like an administrator doing their job: valid credentials, standard remote-administration protocols, and ports the firewall already permits.
By stealing the credentials of these powerful accounts—with their abundant standing privilege that many companies literally leave lying around—cybercriminals get beyond your perimeter-based security and move behind the walls that protected us a generation of IT controls ago.
Today’s cybercriminals target admin credentials. Why? Because endpoint controls have matured faster than the access controls most companies rely on: malware and exploits get caught, but a valid admin logon does not. Once inside, cyberattackers move across your network—island-hopping from host to host, harvesting whatever credentials are cached on each one—until they reach your crown jewels.
How to Defend Against Lateral Movement
Privileged access management and EDR solutions remain just as relevant today as they have been in the past. But they are only part of the solution that will protect your network from today’s cyber threatscape.
How much damage will cybercriminals cause if they defeat your EDR solution and get inside your perimeter?
The answer is less—if your company has removed the excess standing privilege (24x7 admin access) attached to the accounts attackers find. With a Zero Trust access model implemented by a solution like Remediant SecureONE, an attacker’s entryway remains just that—an entryway—because the access that would have allowed them to move laterally within your network is gone. With SecureONE, trusted users get the privileged access they need, only when they need it, and attackers don’t. They’re locked out.
Today, the best plan for securing your network is the one that removes the tools that thieves will use when they breach your perimeters.
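To make the island-hopping described in the previous section, and the claim that removing standing privilege shrinks the damage, concrete: the following is an added example, not code from the original post and not SecureONE’s logic. It models a small constructed environment (hypothetical host and account names) as two maps, which accounts hold admin rights on which hosts and which accounts have a live session, and therefore harvestable credentials, on each host, then computes how far an attacker who phished one workstation can reach, first with standing admin rights and then with only the just-in-time grant that happens to be open at that moment.

```python
"""Lateral-movement reach: standing admin rights vs. just-in-time grants.

Added example (not from the original post). The environment below is
constructed; host and account names are hypothetical.
"""
from collections import deque

# Which accounts hold standing (24x7) local-admin rights on which hosts.
STANDING_ADMIN = {
    "WS-01": {"helpdesk-admin"},
    "WS-02": {"helpdesk-admin"},
    "WS-03": {"helpdesk-admin", "svc-backup"},
    "FILE-01": {"svc-backup", "domain-admin"},
    "SQL-01": {"domain-admin"},
    "DC-01": {"domain-admin"},
}

# Same environment under a just-in-time model: the only admin right that
# exists right now is one open ticket (helpdesk-admin on WS-03).
JIT_GRANTS_NOW = {
    "WS-03": {"helpdesk-admin"},
}

# Accounts with a live session on each host. Once a host is compromised,
# these credentials can be harvested from memory (constructed data).
SESSIONS = {
    "WS-01": {"alice", "helpdesk-admin"},   # helpdesk RDP'd in to fix alice's PC
    "WS-02": set(),
    "WS-03": {"svc-backup"},
    "FILE-01": {"domain-admin"},
    "SQL-01": set(),
    "DC-01": set(),
}


def lateral_reach(admin_rights, sessions, entry_host):
    """Breadth-first island-hopping from one phished workstation.

    Each compromised host yields the credentials of every session on it;
    each stolen credential yields every host on which it holds admin rights.
    Returns (compromised_hosts, stolen_accounts).
    """
    compromised = {entry_host}
    stolen = set()
    queue = deque([entry_host])
    while queue:
        host = queue.popleft()
        stolen |= sessions.get(host, set())
        # Re-check every host against the enlarged credential set.
        for target, admins in admin_rights.items():
            if target not in compromised and admins & stolen:
                compromised.add(target)
                queue.append(target)
    return compromised, stolen


if __name__ == "__main__":
    for label, rights in (("standing privilege", STANDING_ADMIN),
                          ("just-in-time", JIT_GRANTS_NOW)):
        hosts, accounts = lateral_reach(rights, SESSIONS, "WS-01")
        print(f"{label}: {len(hosts)} hosts reachable {sorted(hosts)}; "
              f"credentials stolen {sorted(accounts)}")
```

With standing privilege, one phished workstation where a helpdesk admin happens to be logged in leads to every host including the domain controller, because each hop exposes a more powerful cached credential. Under the just-in-time model the same stolen credentials still exist, but they only unlock the one host with an open grant, so the attacker stops at two hosts and never sees a domain-admin credential. The model deliberately ignores how the attacker gets onto the first host; that is initial access, not lateral movement.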
SecureONE provides continuous visibility into the accounts that hold privileged access and the endpoints they hold it on. It helps you continuously identify admin access without agents, clean up the excess standing privilege you’ve granted in the past, and put a process in place to keep it from coming back. Simple and elegant in its approach, SecureONE can even help contain damage during a ransomware attack by seeing where attackers are authenticating from and cutting off their access.
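The last sentence describes the detection side: seeing where privileged accounts are authenticating from and cutting off the ones that look wrong. The following is an added example, not code from the original post and not SecureONE’s implementation. It runs simple detection logic over constructed Windows-style logon events (shaped loosely after Security event 4624, with abbreviated field names) against a hypothetical baseline of where each admin account is expected to authenticate from, and flags both out-of-baseline sources and one account reaching several hosts within a few minutes, the island-hopping pattern from earlier in the post.

```python
"""Flag privileged logons from unexpected sources and island-hopping bursts.

Added example (not from the original post, not SecureONE's logic). The
events are constructed and shaped loosely after Windows Security event 4624;
account names, hosts and addresses are hypothetical.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one JSON object per logon.
SAMPLE_EVENTS = """\
{"ts": "2021-06-01T09:00:02", "event_id": 4624, "user": "helpdesk-admin", "logon_type": 10, "src_ip": "10.0.5.20", "host": "WS-02"}
{"ts": "2021-06-01T09:05:11", "event_id": 4624, "user": "alice", "logon_type": 2, "src_ip": "-", "host": "WS-01"}
{"ts": "2021-06-01T09:31:10", "event_id": 4624, "user": "helpdesk-admin", "logon_type": 3, "src_ip": "10.0.1.15", "host": "WS-02"}
{"ts": "2021-06-01T09:32:05", "event_id": 4624, "user": "helpdesk-admin", "logon_type": 3, "src_ip": "10.0.1.15", "host": "WS-03"}
{"ts": "2021-06-01T09:33:40", "event_id": 4624, "user": "helpdesk-admin", "logon_type": 3, "src_ip": "10.0.1.15", "host": "WS-04"}
{"ts": "2021-06-01T10:02:00", "event_id": 4624, "user": "domain-admin", "logon_type": 10, "src_ip": "10.0.5.21", "host": "DC-01"}
{"ts": "2021-06-01T10:03:00", "event_id": 4625, "user": "helpdesk-admin", "logon_type": 3, "src_ip": "10.0.1.15", "host": "FILE-01"}
"""

# Privileged accounts and the sources they are expected to authenticate from
# (a helpdesk jump box and a privileged access workstation). Hypothetical.
ADMIN_BASELINE = {
    "helpdesk-admin": {"10.0.5.20"},
    "domain-admin": {"10.0.5.21"},
}

# Logon types that mean a credential was used remotely: 3 = network, 10 = RDP.
REMOTE_LOGON_TYPES = {3, 10}


def parse_events(text):
    """Parse JSON-lines events, converting the timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def detect_admin_misuse(events, baseline, window=timedelta(minutes=5), spread=3):
    """Return (alerts, sources_to_block).

    alerts: ("unexpected_source", user, src_ip, host) for each successful remote
            privileged logon from outside the account's baseline, and
            ("host_spread", user, src_ip, hosts) when one privileged account
            reaches `spread` or more distinct hosts within `window`.
    sources_to_block: the (user, src_ip) pairs behind those alerts, i.e. the
            access a responder would cut off first.
    """
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        if e["event_id"] != 4624 or e["user"] not in baseline:
            continue  # failed logons and non-privileged users are out of scope here
        if e["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        if e["src_ip"] not in baseline[e["user"]]:
            alerts.append(("unexpected_source", e["user"], e["src_ip"], e["host"]))
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            burst = [x for x in evs[i:] if x["ts"] - first["ts"] <= window]
            hosts = {x["host"] for x in burst}
            if len(hosts) >= spread:
                alerts.append(("host_spread", user, first["src_ip"], tuple(sorted(hosts))))
                break  # one alert per account is enough to act on

    to_block = {(a[1], a[2]) for a in alerts}
    return alerts, to_block


if __name__ == "__main__":
    found, block = detect_admin_misuse(parse_events(SAMPLE_EVENTS), ADMIN_BASELINE)
    for a in found:
        print(a)
    print("cut off:", sorted(block))
```

On the sample data the helpdesk account’s morning RDP session from its jump box is silent, while the same account authenticating over the network from a user workstation’s address to three hosts in under three minutes produces three source alerts plus one spread alert, and the pair to cut off is that account from that address. Two caveats worth keeping in mind: the baseline must be maintained as jump boxes change, or the first rule drowns responders in noise, and the spread rule is tuned against deliberate, low-and-slow movement only by lengthening the window, which increases false positives from legitimate patching runs.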
Remediant SecureONE also offers a faster time-to-value. Enabling Just-In-Time access on all systems takes an average commitment of just 5.5 hours, and keeping it running afterwards often needs just one full-time employee rather than the army of professional-services staff other approaches require.
Ready to learn more about how Remediant can help protect you from today’s threatscape? Get in touch!