Even when organizations do their best to protect vulnerable users, promote complex passwords, and highly secure data, machines and assets, it may not be enough. Attackers can still use lateral movement paths to access protected user information. Lateral movement uses techniques that enable an adversary to access and control remote systems on a network, which can include execution of tools on remote workplace systems.
One strategy to combat lateral movement involves moving towards a zero-trust network approach that extends to all layers of the enterprise. This will help reduce the exposure of vulnerable systems while decreasing the likelihood of lateral movement in the event of a breach. In turn, this can decrease the risk of significant production downtime, detrimental impacts on production quality, and the loss of IP and/or safety events.
Unfortunately, even when reduced, lateral movement continues to be an obstacle for organizations. To prevent further compromise, security analysts need to be able to understand and identify common indicators of this activity. This includes properly monitoring alarms, utilizing the Cyber Kill Chain by Lockheed Martin for effective incident response, and implementing relevant mitigation strategies.
Common Indicators of Compromise / Identifying False Alarms
After a network infiltration, a good security operations center (SOC) analyst should dig deep to confirm that no persistent threat remains within an internal system. With visibility into the different data sources across an enterprise, organizations can build a more complete profile of the traffic being generated by vulnerable assets. For this particular example, an important step is to search and identify different remote services activities that could be an indicator of lateral movement. Some of these actions include looking for remote desktop services, and brute force activity, or attempting to access service ports including SMB, RDP, NetBios. Reviewing the different endpoints and firewall logs, analysts can confirm if the internal system was compromised and where an attacker may have attempted malicious lateral movement.
Effectively Utilizing the Cyber Kill Chain
The Cyber Kill Chain is a sequence of stages required for an attacker to successfully infiltrate a network and exfiltrate data from it. Each stage demonstrates a specific goal along the attacker’s path. Designing a plan for monitoring and response around the Cyber Kill Chain model is an effective method because it focuses on how actual attacks happen. Critical factors that are determined along this chain include how recent the threat is, how valuable the affected assets are to an organization, and what data source the event data came from.
Referencing the Cyber Kill Chain, SOC analysts can determine if the malicious actor was able to perform all tactics and techniques. This includes reconnaissance (scanning), probing (brute-force), delivery and attack, exploitation and installation, and finally, system compromise and lateral movement.
Effective Mitigation
The best security practice in the event of a system compromise is to first quarantine the compromised system from the live network, taking the impacted system offline and running multiple scans on it.
Next, analysts should investigate login logs and note who logged into the system. If an internal username was used, it is necessary to immediately reach out to those affected users in order to instruct them to change their password.
Without proper digital forensics conducted on the system, there is no sure way of telling if the attacker installed any backdoors or rootkits. For this reason, SOC analysts must perform a fresh install of the infected system in order to provide that no remaining malware is left after the scans. An analyst should always look for small security details when performing investigations in order to start depicting where the attack came from and how it occurred.
Taking these steps to prevent and combat lateral movement is an essential part of protecting an organization’s network. Preventing further compromise will depend on these strategies to keep up with a hacker’s persistent attacks.
About the author: Josh Gomez senior specialist of technology security at AT&T.