The Imperative to Detect Lateral Movement
The last thing any security leader needs is another imperative. There are already plenty of them: comply with a new regulation, support a new business initiative, report to the Board on risk posture and on and on…
The ability, though, to detect and stop lateral movement—the silent motion of attackers through the network—is an imperative, both to better defend today’s fast-moving enterprises, and to improve the efficiency of security operations.
A persistent problem
Lateral movement has for years been an essential architectural element of most cyberattacks:
1. Attackers, through phishing or other means, make their way past defences and establish a “beachhead” on one or more endpoints.
2. They go through a phase of learning and investigation to identify high-value assets.
3. They find credentials and connections to move laterally toward those assets.
4. They get within striking range of their ultimate target.
This process emerged primarily through the work of nation-state attackers and became known as the Advanced Persistent Threat (APT).
Concern spread quickly about stealthy attackers who could evade detection by using valid credentials and the “organic” system-to-system connections that enable the ordinary activity of the organisation.
Figure 1: Cyberthreats on the Private Sector (Source: 2014, The Evolution of Cyber Attacks, NC4®)
The APT goes mainstream
In 2011 the introduction of Mimikatz, and various other developments in that timeframe, significantly increased the urgency to be able to detect and stop lateral movement. By enabling attackers to “scrape” credentials from systems across the network, Mimikatz could quickly gather keys to lateral movement that otherwise took weeks or months to accomplish.
By automating necessary functions of the attack process, Mimikatz and similar tools gave birth to the “industrial” era of cyberthreats. Today, dozens of prebuilt attack automation tools are openly available on the Internet, complete with training videos, discussion forums, and sophisticated, commercially available supporting infrastructure. As a result, the lines between nation-state attackers and financially motivated cybercriminals have blurred, and virtually anyone with computer literacy—insider or outsider—can become a cyberattacker.
So attack tools are in the hands of many more people and the attacks themselves can be executed faster and more easily than ever before—attackers on steroids, laced with caffeine.
Evolving cyberthreats have been met with evolving detection methods. Commodity malware gave rise to signature-based approaches embodied in intrusion detection and anti-virus technologies. The primary deficiency of this method was the inability to detect malicious code that had not previously been seen, analysed, and added to a threat database. A lot can get missed.
Correlation technologies emerged to pick out sequences of events or violations to more nuanced sets of rules that suggest malicious behavior. The most recent advances leverage analytics technologies and “neural networks” to look for needles in haystacks, processing huge amounts of data to identify patterns or exceptions that should be investigated.
Both of these more complex approaches have earned their place in the security stacks of some organisations, but they tend to generate a high volume of alerts, require specialised skills, are labour-intensive to design and build, and aren’t easily adapted to fast-changing business environments. In other words, they’re not practical for any organisation that is constrained by the cyber talent shortage.
So how well are organisations detecting malicious lateral movement? Not well. A recent study undertaken by Illusive Networks and Ponemon Institute shows that only 36% of respondents agreed or strongly agreed that their security teams could effectively detect and investigate security incidents before serious damage occurs.
Instead, foil the attacker’s decision-making
Illusive Networks looks at the problem of lateral movement differently. The attacker, upon landing in a network, must look in various places to understand his or her immediate surroundings: Who is the person who uses this machine? What useful material is on this device, and what other resources will it provide access to? How can these immediately accessible resources lead to systems of greater value? The process of amassing information and accumulating access requires that dozens of decisions be made in a repetitive trial-and-error process.
Illusive muddies the water for the attacker by planting false information – deceptions – on every endpoint. No matter where the attacker is situated, he now sees not only the real connections and credentials that could enable lateral movement, but a confusing array of fake ones as well. Which are real? It’s not possible to know.
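The detection side of the deception idea described above, as an added example that is not Illusive’s code: because no legitimate user or service ever knows a planted decoy account name, any logon attempt with one is high-fidelity evidence of an attacker probing from the source host. The decoy names, the key=value log format and the log lines are all constructed for this illustration.

```python
"""Decoy-credential alerting over authentication log lines.

Added example: the decoy names, log format and log lines below are
constructed for illustration and are not from any product.
"""
import re
from dataclasses import dataclass

# Decoy accounts planted on endpoints. They are never used by real people or
# services, so any attempt to use one is attacker activity (or a
# misconfiguration that is itself worth investigating).
DECOY_ACCOUNTS = {"svc_backup_adm", "ops-admin2", "dba_legacy"}

# Constructed authentication events in a simple key=value form
# (not a real Windows event or syslog format).
SAMPLE_LOG = """\
ts=2024-05-01T08:02:11Z host=WS-0142 event=logon user=j.smith src=10.20.4.17 result=success
ts=2024-05-01T08:05:40Z host=WS-0142 event=logon user=j.smith src=10.20.4.17 result=failure
ts=2024-05-01T08:31:02Z host=FS-01 event=logon user=ops-admin2 src=10.20.4.17 result=failure
ts=2024-05-01T08:31:05Z host=FS-01 event=logon user=ops-admin2 src=10.20.4.17 result=success
ts=2024-05-01T09:10:55Z host=WS-0203 event=logon user=a.jones src=10.20.7.3 result=success
ts=2024-05-01T09:12:01Z host=DB-02 event=logon user=dba_legacy src=10.20.4.17 result=failure
"""

LINE_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class DecoyAlert:
    ts: str
    target_host: str   # host on which the decoy credential was tried
    source: str        # where the attempt came from: the attacker's current foothold
    account: str


def parse_line(line):
    """Turn one key=value log line into a dict."""
    return dict(LINE_RE.findall(line))


def detect_decoy_use(log_text, decoys=DECOY_ACCOUNTS):
    """Return one alert per logon attempt that uses a planted decoy account.

    Success or failure does not matter: an ordinary user's failed logon
    (j.smith above) produces no alert, while any use of a decoy name does.
    """
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec.get("event") == "logon" and rec.get("user") in decoys:
            alerts.append(DecoyAlert(rec["ts"], rec["host"], rec["src"], rec["user"]))
    return alerts


def footholds(alerts):
    """Collapse alerts to the set of source addresses the attacker operates
    from, which is the first thing a responder needs to know."""
    return sorted({a.source for a in alerts})


if __name__ == "__main__":
    found = detect_decoy_use(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} decoy {a.account!r} tried against {a.target_host} from {a.source}")
    print("attacker foothold(s):", footholds(found))
```

The point of the design is that the rule needs no threshold, baseline or tuning: the decoy set is the whole signature, and a single matching event is enough to locate the foothold (10.20.4.17 in the constructed data) and the systems it has reached for.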
The casino always wins
In addition to creating many fake paths forward, Illusive also provides tools to minimise the number of real ones. This is essential to reducing attack risk. The easier it is for the attacker to find credentials on endpoints, and the greater the number of available system-to-system connections, the greater the range of motion an attacker has.
In most networks, there is far more mobility between systems than there should be. Of course, there must be some connectivity; the business couldn’t function without it. But there are lots of ways that the “access footprint” balloons to an unnecessary level. For convenience, system administrators may hard-code passwords within applications. User credentials get stored in browser history. The domain administrator credentials of an IT support person accidentally get left behind when a remote support session isn’t properly terminated. Access rights may fall behind as user roles and functions change.
Illusive’s Attack Surface Manager product enables security teams to define credential and connection policies, and then perpetually discovers and facilitates remediation of violations.
By minimising the real means that attackers have to move between systems, and by planting many fake ones, Illusive creates a casino effect: just as the mathematical odds are stacked against a gambler, the odds become extremely low that an attacker can get beyond his first landing point.
Stay calm under pressure
As soon as he or she tries to use a fake object, the attacker is caught. The security team is notified and can see exactly where the attacker is—not only which system he occupies, but also the proximity of the attacker to business-critical systems. Rich forensic data is immediately captured and stored in the incident record. Responders have very precise, pinpoint data as the basis for any further investigation that may be needed. Otherwise volatile system data is captured, including a full screenshot showing the attacker’s activity.
Let’s contrast this to how the responder’s experience might otherwise look. By the time many failed logins finally triggered an alert, or some other rule or threshold was tripped, the attacker would likely have traversed many systems—perhaps over months. There may have been warning signs that were lost in a sea of other alerts.
Once suspicious activity was detected, responders would mine security logs trying to piece together a picture of what happened. Multiple systems have been affected. Depending on what tools were in use, valuable data from the memory of these systems may have been lost. At this point, hearts race and a sense of panic often sets in. Without a clear picture of what’s happening and what may be at risk, systems are often quickly shut down or quarantined. Operations may be far more impacted than they needed to be.
With Illusive, the attacker has been caught earlier, and with one high-fidelity alert to be investigated. The scope of necessary triage is smaller. Responders can more rapidly understand both what is occurring, and what important business assets may be impacted. Armed with visibility on the attacker’s activity, they can either shut down the attack or observe it for a while to better understand the attacker’s intent and methods.
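Two ideas from the preceding sections can be shown together: discovering credential-policy violations that inflate the “access footprint” (the leftover domain-admin session and the hard-coded password described under “The casino always wins”), and measuring an alerting host’s proximity to business-critical systems in lateral hops, before and after those violations are remediated. The code below is an added example, not Illusive’s Attack Surface Manager; the hosts, credential inventory, policy and critical-asset list are all constructed for the illustration.

```python
"""Access-footprint policy check and attacker proximity to critical assets.

Added example with a constructed environment; not code from any product.
"""
from collections import deque

# Constructed inventory: on each host, which credentials were found (cached,
# hard-coded in a config or script, or left behind by a support session) and
# which host each credential gives access to.
# {host: [(credential, tier, reachable_host), ...]}
CREDENTIAL_INVENTORY = {
    "WS-0142": [("j.smith", "user", "FS-01"),
                ("ops_admin", "domain_admin", "DC-01"),   # leftover remote-support session
                ("appsvc", "service", "APP-01")],
    "FS-01":   [("ops_admin", "domain_admin", "DC-01"),   # hard-coded in a backup script
                ("fs_svc", "service", "DB-01")],
    "APP-01":  [("appsvc", "service", "DB-01")],
    "JUMP-01": [("ops_admin", "domain_admin", "DC-01")],  # approved admin host
    "DB-01": [],
    "DC-01": [],
}

# Constructed policy: domain-admin credentials may exist only on approved hosts.
POLICY = {"domain_admin_allowed_hosts": {"JUMP-01", "DC-01"}}
CRITICAL_ASSETS = {"DC-01", "DB-01"}


def find_violations(inventory, policy):
    """Return sorted (host, credential) pairs that violate the credential policy."""
    allowed = policy["domain_admin_allowed_hosts"]
    return sorted((host, cred)
                  for host, entries in inventory.items()
                  for cred, tier, _ in entries
                  if tier == "domain_admin" and host not in allowed)


def build_graph(inventory, violations=()):
    """Directed host-to-host graph of real lateral-movement paths.

    Passing the violations removes those credentials, i.e. models the
    environment after remediation.
    """
    removed = set(violations)
    graph = {host: set() for host in inventory}
    for host, entries in inventory.items():
        for cred, _, target in entries:
            if (host, cred) not in removed:
                graph[host].add(target)
    return graph


def proximity(graph, start, critical):
    """Fewest lateral hops from `start` to any critical asset, with the path.

    Breadth-first search; returns (hops, path) or (None, []) if no real path
    exists. This is the "how close is the attacker" number a responder wants
    alongside the alert.
    """
    queue = deque([(start, [start])])
    seen = {start}
    while queue:
        host, path = queue.popleft()
        if host in critical and host != start:
            return len(path) - 1, path
        for nxt in sorted(graph.get(host, ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return None, []


if __name__ == "__main__":
    viols = find_violations(CREDENTIAL_INVENTORY, POLICY)
    print("policy violations:", viols)
    before = proximity(build_graph(CREDENTIAL_INVENTORY), "WS-0142", CRITICAL_ASSETS)
    after = proximity(build_graph(CREDENTIAL_INVENTORY, viols), "WS-0142", CRITICAL_ASSETS)
    print("hops to a critical asset before remediation:", before)
    print("hops to a critical asset after remediation: ", after)
```

In the constructed data the workstation WS-0142 is one hop from the domain controller purely because of a leftover domain-admin credential; removing the two violating credentials pushes the nearest critical asset to two hops, and the same search, run from whichever host raised a decoy alert, gives the responder the proximity figure the text refers to.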
Tiny Data trumps Big Data
All of this is accomplished with a surprisingly lightweight, nimble technology. The deceptions—tiny bits of fake data, invisible to ordinary users—are automatically planted throughout the system inventory by an agentless, intelligent deception management system. A tighter, more hygienic environment can be maintained in a very low-touch manner. When an alert fires, forensics are captured exactly where and when they’re needed.
Instead of wading through lakes of data, the security team has small data, purpose-built for the task of detecting, preempting and responding to malicious lateral movement.
While there are many reasons layered defences and controls must be maintained, and reasons why multiple threat detection methods may be needed, the ability to stop lateral movement early in the attack process is increasingly necessary—not only to defend the business against a wider range of accelerated, malicious actors, but to do so in a way that makes the SOC more efficient.
About Illusive Networks
Illusive Networks provides deception-based cybersecurity solutions that empower security teams to preemptively harden their networks against advanced attackers, stop targeted attacks through early detection of lateral movement, and resolve incidents quickly. Founded in 2014, Illusive now has more than 50 million deceptions deployed in production environments. Customers include many of the world’s largest financial institutions, retailers, global pharmaceutical companies, and brand-name organisations in healthcare, energy, manufacturing, and other industries.