The Hidden Risk Factor: Why Cyber Insurers Are Focused on Lateral Movement

The biggest cybersecurity story of 2022 was not just that ransomware was everywhere this year, it was that increasingly any organization of any size was finding themselves to be a target.

As the headlines rolled in detailing damaging ransomware attacks on a near-daily basis, the list of victims proved incredibly broad. From big global brands like Cisco, Nvidia, Samsung, and Toyota, to school districts, regional hospitals, colleges and universities, local municipalities, even NFL football teams, dental practices, and British racing clubs – no target was too obscure to be safe.

The corresponding reaction by insurance companies – raising their rates and drastically tightening requirements to stem the losses coming from cyber insurance claims – has been the other big story this year. To qualify for a policy today, organizations now need to demonstrate the ability to implement many new security controls, including Endpoint Detection and Response (EDR), multifactor authentication (MFA), and the protection of privileged service accounts.

Ransomware Attacks & Cyber Insurance Policy Changes

With such dramatic changes this year, it’s worth examining what’s behind these developments. What’s fueling this explosive spike in ransomware? Why is it that organizations of all sizes are suddenly finding themselves in attackers’ sights? And from the perspective of insurance companies, what’s the common thread linking the new required security controls?

The answer to these questions is actually straightforward: It’s because of lateral movement. Lateral movement refers to the tactics threat actors use to move across a network after gaining initial access. Through lateral movement, an attacker can steadily make their way from a single endpoint to other workstations and servers throughout a network, gaining privileges along the way with the goal of maximizing the attack’s payoff. Once enough assets containing an organization’s sensitive data are compromised, cybercriminals can deliver the payload, encrypt multiple machines simultaneously and demand payment. The fuel for today’s raging ransomware fire is lateral movement.

The most insidious part of lateral movement is that it’s actually carried out through the use of legitimate login credentials. If an attacker has acquired compromised credentials, all they need to do is present them at login screens and identity providers such as Active Directory will grant them access. This is why lateral movement has become such an identity threat.

The Rise of Lateral Movement

But how is it that lateral movement has become so widespread? Not long ago, this stage of an attack was primarily the province of advanced persistent threat (APT) actors — typically nation-states or state-sponsored groups. But according to the IT consulting group Coveware, 82% of ransomware attacks involve lateral movement, with the most with the most common MITRE attack types being Remote Services, Exploitation of Remote Services, and Lateral Tool Transfer. Lateral movement is now clearly being employed by the majority of threat actors.

The reason is two-fold. First, years of high-profile data breaches have resulted in a huge stash of stolen credentials available for sale on the Dark Web — estimated to be more than 24 billion. This, in turn, has given birth to a dark economy of sorts, where opportunistic ransomware threat actors purchase credentials, compromise organizations using tried-and-true tactics such as weaponized emails and social engineering, then once inside make full use of those stolen credentials to hop from machine to machine via lateral movement.

The second reason is that, despite the proliferation of security products in the enterprise environment, there are still several gaping holes where a lack of protection exists. These include remote admin interfaces, legacy protocols, file shares, homegrown applications, industrial systems, and service accounts. Because of these security gaps, cybercriminals can essentially move unimpeded and undetected across a network, which means that any organization is a potential target of ransomware. Lateral movement has effectively become a commodity.

Examining the New Cyber Insurance Requirements

Stopping lateral movement is the real motivation behind this push from cyber insurance providers to stem financial losses, which last year included more than 8,000 claims paid. By mandating that new security controls be in place before policies are issued (or renewed), underwriters have essentially taken direct aim at lateral movement.

By mandating MFA on all remote network and admin access, insurers are basically forcing companies to shut down avenues of lateral movement they may have been unaware of, such as the command-line interfaces PsExec, PowerShell, and WMI. These are tools that admins routinely use to open remote connections to machines in their network but are also ones frequently exploited by attackers to spread ransomware, since these interfaces have traditionally lacked MFA protection.

Similarly, by requiring organizations to conduct regular inventories of their privileged accounts – as well as put in place rules to monitor and protect them – underwriters are seeking to stop the use of machine-to-machine accounts in ransomware attacks. Silverfort’s research team has found that 60% of ransomware attacks employ compromised service accounts, since those accounts are often highly privileged and can give attackers admin-level access to resources.

Lessons of Recent Cyberattacks

With the viability of their business model at stake, it makes sense that cyber insurers have internalized the lessons of recent high-profile attacks. In last year’s infamous Colonial Pipeline breach, for example, there were numerous areas where having MFA in place would’ve stopped lateral movement in its tracks. Specifically, enforcing MFA on PsExec would’ve prevented the attackers from being able to gain access to the domain controller, where they acquired the privileged credentials that enabled them to plant the ransomware payload on a network share. PsExec was also the lateral movement tool of choice in the Cisco attack earlier this year which, although it did not result in ransomware execution, was nevertheless a disturbing breach of a major technology company.

Turning to service accounts, this was the vector of choice in the recent Uber breach, where attackers were able to compromise a service account to get access to the company’s Privileged Account Management (PAM) vault. Silverfort’s analysis shows that having the ability to flag this account’s anomalous behavior (i.e. having never before logged into the PAM vault) would’ve halted the lateral movement and prevented Uber’s user data from being exposed.

The Beginning of the End of Ransomware

So what can be done to bring this epidemic of lateral movement to an end? Is there a way both to satisfy today’s cyber insurance requirements and stop the relentless onslaught of ransomware? The answer is yes: With the Silverfort Unified Identity Protection platform,companies can have confidence that critical security gaps in their network have been closed. Silverfort’s solution focuses on authentication, since it is this element that is behind the use of compromised credentials.

This is because Active Directory is unable to verify if a given authentication is legitimate or not. As long as the username and password entered matches the information in the directory, the user is granted access — even if they’re an attacker using compromised credentials.

How Silverfort Prevents Lateral Movement

Silverfort can prevent this lateral movement powered by compromised credentials. Because the platform integrates with the backend of an identity providers (rather than via agents or proxies on individual resources), the software can “see” every authentication across a network and immediately identify suspicious activity and prevent it by triggering MFA. This includes the ability to enforce MFA on all resources mentioned above that have been unable to support it. It also means that, for the first time, organizations now have the ability to respond to lateral movement in real time and stop ransomware threat actors cold.

As well, because Silverfort has complete visibility into all authentications across a network, it can easily identify every service account due to its highly repetitive behavior. This means security teams can quickly produce inventories of all privileged accounts as required by insurers. Furthermore, Silverfort can continuously monitor service accounts and automatically block access if any of them starts acting unusually (e.g. connecting in a way or to a resource that it’s never done before), another requirement in cyber insurance policies.

Setting up the system is quick and straightforward, since the Silverfort platform comes with ready-to-use access policies that can be tailored to each service account in addition to adaptive risk-based policies that can be configured to activate when an account’s risk level increases.

With these two important security controls in place – MFA everywhere and comprehensive service account protection – organizations can finally eliminate the threat of lateral movement and fully comply with every cyber insurance policy requirement. To learn more, request a demo here.