As the pandemic rages around the world and workers continue to hunker down remotely, it seems as if everything has changed. Yet in some ways the old adage still applies: the more things change, the more they stay the same. Because, however mixed up everything is, it's business as usual for hackers.
One of their favorite methods is to breach a network and then move around inside it to find their quarry, a technique known as lateral movement. These attacks often come in through the supply chain. One of the more infamous examples was the Target breach of 2013, in which attackers used credentials stolen from a third-party HVAC vendor to get into the retailer's network and moved on from there to pilfer customer credit card data.
Research by Carbon Black in 2019 found that 70 percent of cyberattacks involved lateral movement. That figure matters because preventing and containing lateral movement limits the damage an initial breach can do. Dark Reading puts the defense succinctly:
“Digital defenders need to break up patterns of lateral movement through segmentation that walls off data into distinct areas.”
For more insight into lateral movement attacks, we reached out to Hussain Aldawood, Director of Cybersecurity at the MSP GulfNet Solutions. He explains that when a bad actor breaches a network, the breach point is usually not the objective; the real target is something more valuable elsewhere.
Four seconds of danger
Consider a thief attempting to breach a palace by prying open a sewer pipe a couple of miles away. The thief enters through the sewer, but their eyes are on the prize inside the palace. The object of defending against lateral movement is to thwart that movement toward the palace.
“When cybercriminals compromise a device in a network, that asset might not be their final objective,” warns Aldawood. To achieve their ultimate goal, he adds, attackers first break into a down-level web server, a user's email account, an organizational workstation, or some other starting location.
“By doing so, they move laterally from the selected starting location to reach their anticipated point. The starting location infrequently causes harsh damage,” Aldawood points out. If IT departments and other security professionals can discover the lateral movements at an early stage, before the cybercriminals reach their anticipated targets, a significant data breach can be avoided.
Aldawood also advises that phishing emails, drive-by downloads, exploit kits, and flash drives are common ways in which breaches occur, with phishing being the top method.
“The reason behind targeting organizations with phishing is that infecting one device will most likely be considered annoying to one employee while infecting thousands of them will be a problem and make their activity noticeable to security teams,” Aldawood says. In other words, a single well-targeted phishing email lets an attacker slip in unnoticed, whereas something noisy like a DDoS announces itself.
Once a phishing attempt succeeds, attackers can have a foothold in the system within four seconds; from there they pivot and start seeking their real quarry.
“Lateral attacks are meant to be built for speed while deploying complex attacks might take them a long time,” Aldawood states. So what can an MSP or security professional do to thwart lateral movement?
Update endpoint security
Aldawood advises that MSPs and security professionals reassess their security strategies to ensure they are taking the most effective approach possible. That means combining prevention technology, to stop intrusion attempts, with full endpoint detection and response (EDR), to detect suspicious activity automatically. Adopting both capabilities in a single agent is an essential first step.
Best defense is a good offense
Robust threat prevention on its own isn't good enough. Consider the thief again: it isn't enough to have secure locks; you also need to actively search for thieves who might already be hiding in the shadows.
Businesses should consider augmenting their internal teams with a security service that offers hands-on expert threat hunting, Aldawood says. Such services actively monitor for hidden threats.
Maintain proper IT hygiene
The best defense is to deploy the most effective technology currently available to eliminate vulnerabilities, including outdated or unpatched systems and software.
In brief, organizations need solutions in place capable of capturing unexpected logins, tool use, and remote user access. Here the principle of least privilege informs lateral movement defense: an account that can reach only what it needs gives an attacker less to pivot through. This includes password management and multifactor authentication (MFA). MFA is one of the easiest, cheapest, and most effective ways to reduce lateral movement, because a stolen password alone no longer opens the next host.
For MSPs the challenge is two-fold: stop the breach from occurring in the first place, and, if one does occur, have sufficient internal protections in place to stop lateral movement.
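To make concrete what "capturing unexpected logins and remote user access" looks like in practice, and why catching lateral movement early matters, here is an added illustration. It is not code from the article or from GulfNet Solutions. It runs three simple rules over a handful of constructed log lines loosely shaped after Windows Security event 4624 (successful logon): an account authenticating from a host outside its usual baseline, one account-and-source pair fanning out to several hosts within a few minutes, and workstation-to-workstation remote logons. The field order, the WS-/FS-/DC- host-naming prefixes, the baseline of known source hosts, and the thresholds are all assumptions made for the example.

```python
"""Three simple lateral-movement detections run over constructed logon events.

Added illustration; not code from the article or from GulfNet Solutions.
The input lines are constructed and loosely shaped after Windows Security
event 4624 (successful logon). Field order, host-naming prefixes (WS-, FS-,
DC-), the baseline of known source hosts and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. Columns: timestamp, event id, account, source host,
# target host, logon type (3 = network/SMB, 10 = RemoteInteractive/RDP).
SAMPLE_EVENTS = """\
2020-05-04T09:00:12Z 4624 alice   WS-ALICE  FS-01    3
2020-05-04T09:01:40Z 4624 bob     WS-BOB    FS-01    3
2020-05-04T09:05:03Z 4624 svc_bak WS-ALICE  WS-BOB   3
2020-05-04T09:05:09Z 4624 svc_bak WS-ALICE  WS-CAROL 3
2020-05-04T09:05:14Z 4624 svc_bak WS-ALICE  WS-DAVE  3
2020-05-04T09:05:20Z 4624 svc_bak WS-ALICE  DC-01    10
2020-05-04T10:30:00Z 4624 carol   WS-CAROL  FS-01    3
"""

# Assumed baseline learned from an earlier, clean observation window: the
# source hosts each account normally authenticates from. svc_bak is a backup
# service account that should only ever originate from BACKUP-01.
KNOWN_ACCOUNT_SOURCES = {
    "alice": {"WS-ALICE"},
    "bob": {"WS-BOB"},
    "carol": {"WS-CAROL"},
    "svc_bak": {"BACKUP-01"},
}

REMOTE_LOGON_TYPES = {3, 10}


def parse_events(text):
    """Turn the whitespace-separated sample lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, account, src, dst, logon_type = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),
            "account": account,
            "src": src,
            "dst": dst,
            "logon_type": int(logon_type),
        })
    return events


def remote_logons(events):
    """Keep only successful network or RDP logons; a local interactive
    logon (type 2) is not lateral movement by itself."""
    return [e for e in events
            if e["event_id"] == 4624 and e["logon_type"] in REMOTE_LOGON_TYPES]


def detect_lateral_movement(events, known_sources, fanout_threshold=3,
                            window=timedelta(minutes=5)):
    """Return alert tuples. Rules, in order:
    1. unexpected_source: account authenticates from a host outside its
       baseline (typical of a credential dumped on a compromised workstation).
    2. fanout: one (account, source host) pair reaches fanout_threshold or
       more distinct targets inside `window` (a pivot sweep).
    3. peer_workstation_logon: workstation-to-workstation remote logon, which
       most environments have no business reason for (assumes WS- prefix).
    """
    alerts = []
    logons = remote_logons(events)

    for e in logons:
        if e["src"] not in known_sources.get(e["account"], set()):
            alerts.append(("unexpected_source", e["account"], e["src"], e["dst"]))

    by_pair = defaultdict(list)
    for e in logons:
        by_pair[(e["account"], e["src"])].append(e)
    for (account, src), evs in by_pair.items():
        evs.sort(key=lambda x: x["time"])
        best, start = 0, 0
        for end in range(len(evs)):  # sliding time window over sorted logons
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            best = max(best, len({x["dst"] for x in evs[start:end + 1]}))
        if best >= fanout_threshold:
            alerts.append(("fanout", account, src, best))

    for e in logons:
        if e["src"].startswith("WS-") and e["dst"].startswith("WS-"):
            alerts.append(("peer_workstation_logon", e["account"], e["src"], e["dst"]))

    return alerts


if __name__ == "__main__":
    for alert in detect_lateral_movement(parse_events(SAMPLE_EVENTS),
                                         KNOWN_ACCOUNT_SOURCES):
        print(*alert)
```

On the sample, every alert points at the same story: the backup service account appearing on a user's workstation and sweeping three peer workstations and a domain controller in seventeen seconds, while the ordinary users' file-server logons stay quiet. The fan-out rule is the one that still fires when the baseline is incomplete, which is why it is worth keeping alongside the others; in a real deployment the thresholds and the baseline would come from the environment, not from constants.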