Yiftach Keshet
Dec 24, 2020

Silverfort Revolutionizes Protection Against Lateral Movement with MFA – Reflections on the SolarWinds Attack

By Yiftach Keshet, Director of Product Marketing, Silverfort

MFA prevents 99.9% of account compromise. However, this highly effective security measure currently cannot be applied to core enterprise resources, first and foremost on-prem endpoints and servers. The recent SolarWinds attack shows once again that protection against Lateral Movement is among the weakest points in today's security stack. Silverfort revolutionizes protection against Lateral Movement by introducing MFA to endpoint and server access in the on-prem environment, proactively preventing existing lateral movement techniques such as those used by the SolarWinds threat actors.

Lateral Movement in the SolarWinds Attack Overview

The Lateral Movement part of the SolarWinds attack followed well-known patterns: after the initial compromise, the attackers began a credential hunt that ultimately ended with obtaining admin credentials and logging in to the actual target (in this case the ADFS server). The logons to the various machines along the path were apparently carried out with remote access command line tools (PsExec, PowerShell, etc.).

Lateral Movement Protection is Broken

It's worth mentioning that the Initial Access part of the SolarWinds attack featured extreme innovation, sophistication and creativity. That is not the case with the Lateral Movement part; however, that didn't make it any less effective.

The sad truth is that Lateral Movement techniques and tactics haven't changed much in a decade, simply because they didn't have to: from the attackers' perspective there is no need to change something that works great. And unfortunately, in this case they are right. The enterprise security stack repeatedly fails against Lateral Movement.

This is because, in essence, Lateral Movement is no more than logging into machines with valid (though compromised) credentials. The existing security controls, whether placed directly on the endpoint or monitoring the network traffic, might at best detect that an anomalous login has occurred and raise an alert. However, they cannot act in real time to prevent the login from actually happening, and an alert that arrives after the logon has succeeded will in most cases be far too late.

The key to preventing Lateral Movement is to take the previous point literally: Lateral Movement is no more than logging into machines using valid credentials. In other words, what we need to mitigate is an unsecured authentication, and there is a purpose-built technology to thwart a scenario in which a threat actor attempts to access enterprise resources with valid credentials: Multi-Factor Authentication.

MFA is not Available against Lateral Movement

One of the few consensus points among security practitioners is the enormous value MFA provides. According to Microsoft, having MFA in place prevents 99.9% of account compromise. However, the Active Directory based endpoints and servers, which are the primary targets of Lateral Movement, are excluded from the protection MFA brings.

There is today no available technology that can enforce MFA on the remote access command line tools attackers use to move laterally between machines. MFA is the most effective and proven technology for preventing malicious logins. Its absence from logins in the on-prem environment is what enables Lateral Movement to prosper, as we've seen in numerous APTs, including the latest SolarWinds attack.

But What If…?

However, MFA can easily turn the tables on the attackers. With MFA in place, when the attacker presents the login credentials to the new machine, the actual user to whom these credentials belong receives a notification on their phone or desktop. The notification asks whether to allow or deny access to the machine, and the request would ultimately be denied (or simply left unanswered until it times out) because the actual user never performed this login attempt, so the attacker would not be able to access the machine.

Arm your On-Prem Environment Against Lateral Movement with Silverfort 

Silverfort Unified Identity Protection Platform (UIPP) pioneers the extension of MFA across all enterprise resources and access methods. Silverfort is the first to introduce enforcement of an MFA access policy on access to on-prem endpoints and servers via remote command line tools.

A simple policy that requires MFA verification whenever a domain admin logs in using a remote access command line tool would radically reduce the success rate of any Lateral Movement. This would apply even in a SolarWinds attack scenario where the attackers have managed to get their hands on an admin's credentials. While the attackers indeed hold the credentials, they won't be able to use them to perform the actual login to the resources they target.
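To make the push-approval flow of the "But What If...?" section and the domain-admin policy above concrete, here is an added example of the decision logic such a gate has to implement. It is illustrative code written for this page, not Silverfort's product code: the mapping of access methods to tools (PsExec-style service creation over SMB/RPC, PowerShell Remoting over WinRM, WMI), the fields of the logon event, and the way the credential owner's approval is modelled are all assumptions made for the example.

```python
"""Illustrative model of an MFA gate on on-prem remote command-line logons.

Added example, not Silverfort's code. The policy shape (members of Domain Admins
using a remote access command line tool must pass MFA) is the one the post
describes; everything else here (method names, event fields, the approval
callback) is an assumption made for the illustration.
"""
from dataclasses import dataclass, field
from typing import Callable

# Access methods that remote command-line tools ride on (assumed mapping).
REMOTE_CLI_METHODS = {
    "smb_service": "PsExec-style service creation over SMB/RPC",
    "winrm": "PowerShell Remoting",
    "wmi": "WMI remote process creation",
}


@dataclass
class LogonAttempt:
    user: str
    groups: set            # AD group memberships of the account
    source_host: str
    target_host: str
    method: str            # "console", "rdp", or a key of REMOTE_CLI_METHODS
    credential_valid: bool # what the domain controller decides on its own


@dataclass
class Decision:
    allowed: bool
    mfa_required: bool
    reason: str


@dataclass
class MfaPolicy:
    """Require MFA when a protected group logs on via a protected access method."""
    protected_groups: set = field(default_factory=lambda: {"Domain Admins"})
    protected_methods: set = field(default_factory=lambda: set(REMOTE_CLI_METHODS))

    def applies(self, attempt: LogonAttempt) -> bool:
        return bool(attempt.groups & self.protected_groups) and attempt.method in self.protected_methods


def evaluate(attempt: LogonAttempt, policy: MfaPolicy,
             push_approval: Callable[[LogonAttempt], bool]) -> Decision:
    # Step 1: the credential check the domain controller already performs.
    if not attempt.credential_valid:
        return Decision(False, False, "bad credentials")
    # Step 2: policy match. With valid credentials, lateral movement is
    # indistinguishable from a legitimate admin logon at this point, so the
    # decision cannot rest on the credential check alone.
    if not policy.applies(attempt):
        return Decision(True, False, "no MFA policy matched")
    # Step 3: out-of-band verification by the credential's owner, before the
    # logon is allowed to complete (this is what existing alert-only controls lack).
    if push_approval(attempt):
        return Decision(True, True, "MFA approved")
    return Decision(False, True, "MFA denied or unanswered")


def make_user_approver(initiated: set) -> Callable[[LogonAttempt], bool]:
    """Models the credential owner: approves only logons they actually initiated,
    identified here by (source_host, target_host, method)."""
    def approve(attempt: LogonAttempt) -> bool:
        return (attempt.source_host, attempt.target_host, attempt.method) in initiated
    return approve


def solarwinds_style_scenario() -> dict:
    """Constructed scenario: an attacker holds a domain admin's valid credentials
    and uses a PsExec-style logon from a compromised workstation to reach ADFS,
    while the real admin is working from their own workstation over WinRM."""
    policy = MfaPolicy()
    admin_approver = make_user_approver({("admin-ws01", "adfs01", "winrm")})
    attacker = LogonAttempt("corp\\adm.jane", {"Domain Admins"},
                            "ws-compromised", "adfs01", "smb_service", True)
    legit = LogonAttempt("corp\\adm.jane", {"Domain Admins"},
                         "admin-ws01", "adfs01", "winrm", True)
    # A non-admin account moving laterally is outside this policy's scope.
    helpdesk = LogonAttempt("corp\\bob", {"Domain Users"},
                            "ws-compromised", "file01", "smb_service", True)
    return {
        "attacker": evaluate(attacker, policy, admin_approver),
        "legit": evaluate(legit, policy, admin_approver),
        "helpdesk": evaluate(helpdesk, policy, admin_approver),
    }


if __name__ == "__main__":
    for name, d in solarwinds_style_scenario().items():
        print(f"{name:9} allowed={d.allowed} mfa_required={d.mfa_required} ({d.reason})")
```

The third case is the caveat worth keeping in mind: a policy scoped to Domain Admins says nothing about lateral movement with ordinary user credentials, so the protected groups and access methods should be chosen to match the accounts and tools that actually reach the crown jewels in a given environment.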

Final Thoughts

How has the absence of MFA from the on-prem environment been taken for granted all this time? This absence is so deeply rooted in the common mindset that most, if not all, security practitioners, hands-on and executives alike, probably don't even regard it as a security gap but rather as a reality we have to live with. Silverfort is here to change this reality.
