Lateral movement attacks are effectively a blind spot in today’s security stack, which cannot detect and prevent them in real-time. This blind spot is the result of a long-lasting paradigm that delegates identity protection to the endpoint, network, and cloud security products rather than acknowledging user identities for what they really are – a standalone attack surface that must be addressed and protected in a dedicated manner. In this article we suggest a conceptual framework to better analyze and understand this blind spot within the overall context of cyber protection to enable various enterprise security stakeholders to reflect on their security stack and evaluate its exposure to lateral movement attacks.
Lateral movement is the general term to describe the attack stage that follows an initial compromise of a machine (AKA patient zero) by accessing and executing code on additional machines in the environment. Performing lateral movement is a key necessity for the attacker since in most cases the patient zero, while being more vulnerable than other machines in the environment, cannot by itself satisfy the attack’s objectives. From that arises the need to access additional machines and form a path to fulfill the attack’s objectives.
But how does movement from machine to machine take place? In an enterprise environment there is only one way to do this: log in with user credentials. Hence, what typically follows the patient-zero compromise is a search for the user accounts that are logged in to the machine and their credentials (a relatively trivial task that many open-source tools and either CMD or PowerShell scripts can perform). The attacker can then use various admin tools to get the names of other machines in the environment and attempt to log in to them with the newly obtained credentials. Once successful, the process is repeated on the next machine, and so on. A common thread in many attacks is the hunt for admin credentials, as these carry higher access privileges and access to the Domain Controller.
In terms of risk and potential damage, it is easy to see that lateral movement is the key component in turning a cyberattack from a local event into an enterprise-grade incident. However, despite the significant advances made in cybersecurity during the past decade, lateral movement is still a blind spot in the enterprise security stack, creating a critical security gap. Let’s reflect on the key concepts of cybersecurity detection and prevention to understand why.
In most cases, malicious activity differs from legitimate activity. To detect malicious activity, the essential question is: what anomaly does it generate?
In some cases, the anomaly is easy to track – for example, a file signature that has already been flagged as malicious or network traffic to an external IP that is known to be malicious. But threat actors continuously refine and enhance their tools, striving to eliminate or at least minimize these anomalies as much as possible. So we often see attacks that consist of a completely normal activity in a certain aspect but are anomalous in another. For example, a memory corruption exploit of a vulnerability in Chrome doesn’t trigger a file anomaly since it hijacks the running Chrome process. However, the process behavior within memory and its interaction with the OS radically differs from the normal Chrome execution flow.
But what do we mean when we talk about aspects? We can think of aspects as different perspectives of a single activity. Let’s take a typical scenario of a malicious payload that executes, opens an outbound connection with a remote server, and downloads an additional file. The endpoint protection aspect looks for anomalies in the process behaviors and file signatures, while the network protection aspect would look for anomalies in the network traffic. A sound security stack would include as many aspects as possible to increase the detection chances of malicious activity.
Single-aspect protection is bound to fail because there are attack vectors that, by definition, are legitimate in one aspect and malicious in another. The simplest example is C2 (command-and-control) communication. There is no anomaly in the file or process that opens the connection, since it is the same one the operating system uses for any other legitimate connection. So, if we relied only on the endpoint aspect, this activity would most probably go undetected. However, the network aspect, which is concerned with network traffic, would easily determine that the destination address is malicious and block the connection altogether.
The detection of malicious activity is the first step. However, the actual security value is delivered by the ability to prevent or block the detected malicious activity in real-time. In that manner, an Endpoint Protection Platform (EPP) is capable not only of determining whether a running process exhibits malicious behavior but also of terminating that process’s execution in real-time. Similarly, a firewall can both determine that certain network traffic is malicious and block it altogether.
Let’s see now how the anomaly, aspect and real-time factors map into lateral movement protection.
The reason lateral movement attacks are a blind spot is that endpoint and network security controls don’t possess the aspect required to detect the anomalies these attacks entail, and they don’t have the ability to block them in real-time. Let’s dive deeper to understand why.
Lateral movement attacks are carried out by providing valid (yet compromised) user credentials to log in to resources (servers, workstations, apps, etc.) in the targeted environment. This introduces a severe detection challenge, because an authentication performed by an attacker moving laterally is essentially identical to an authentication made by a legitimate user. Both entail an authentication process that consists of passing credentials to an identity provider (for example Active Directory), which validates them and grants or denies access based on this validation. In that manner, a lateral movement attack is at its core a series of authentications that utilize the legitimate authentication infrastructure for malicious purposes.
This means that we’re dealing with a very low anomaly factor to begin with. The only difference between a malicious authentication and a legitimate one is that the first is performed by an attacker while the latter is performed by a legitimate user. That doesn’t leave much anomaly margin to work with, since the anomaly would not be found in the authentication itself but rather in its surrounding context. Let’s understand why revealing this context is beyond the scope of the endpoint and network protection aspects.
As previously explained, lateral movement is a series of malicious authentications from a compromised machine to another one.
The endpoint protection aspect is not effective at determining that such an authentication is malicious, because it is focused on anomalies in file and process execution. This aspect cannot reveal any anomaly, due to the resemblance we’ve described. If, for example, an attacker chooses to employ the PsExec tool to remotely connect from patient zero to another machine with a set of compromised credentials, the launched process will be PsExec.exe – which is the same process that would be launched had a legitimate admin chosen to perform the same connection.
The network protection aspect falls short in detecting lateral movement for the same reason. The network traffic from patient zero to the new machine is identical to the traffic a legitimate helpdesk would generate when remotely troubleshooting an endpoint issue for an employee.
Let’s assume that we’ve managed to partly overcome the detection difficulties. There is still a critical challenge to solve: the lack of real-time prevention capabilities in both endpoint and network protection products. Even if the EPP somehow manages to determine, without any doubt, that an executed process indicates a lateral movement attack in progress, it cannot do anything to prevent it. While a network solution might theoretically provide this prevention through tight segmentation of the environment, in practice it won’t prevent lateral movement within the compromised segment itself, nor will it block compromised admin users, who are typically exempt from the segmentation’s limitations.
In fact, the only component in the enterprise IT stack that can prevent lateral movement in real-time is the Identity Provider itself, which in most on-prem environments would be Active Directory.
AD governs the authentication process itself and determines whether an access request to a resource is granted or denied. If any real-time prevention against lateral movement is to be found anywhere, it would be there.
However, two major problems inhibit AD from performing the real-time protection task. The only security check AD can perform is to validate that the user and credentials match – and in the case of lateral movement this is of no use, because the match exists (that’s the whole purpose of compromising these credentials in the first place). So, the potential for real-time protection can’t be fulfilled, because AD will never know when to apply it.
To summarize, endpoint and network protection can’t efficiently detect lateral movement attacks and don’t have the ability to prevent them. Active Directory lacks the ability to discern between a lateral movement attack and a legitimate authentication, which leaves its prevention potential dormant and unusable for actual protection. This is the main reason most organizations architect their security stack to prevent the attack stages that come before lateral movement and to reactively minimize the damage once it is detected. But the lateral movement itself is not contained or addressed.
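The argument above hinges on two claims: that a malicious authentication is indistinguishable from a legitimate one when viewed in isolation, so the anomaly can only be found in its surrounding context, and that the credential match alone gives the identity provider nothing to act on. The following added example (not Silverfort’s product, not Active Directory’s behaviour, and not code from this article) makes both concrete. It takes a constructed list of successful network logons, treats the credential match as already valid for every one of them, and scores each logon purely on context: whether the source host is one the user has historically authenticated from, how many distinct destinations the same user has reached from that source in a short window, and whether the destination is a domain controller. A toy policy then maps the score to allow, step-up MFA, or deny. The event fields, the per-user baseline, the five-minute window, and the thresholds are all assumptions chosen for illustration.

```python
"""Context-based scoring of authentication events (constructed example).

Every event below represents a logon whose credentials already matched, which is
exactly the situation the identity provider sees during lateral movement.  The
score therefore ignores the credential check and looks only at context.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample logons: (timestamp, user, source host, destination host).
# The first four model a helpdesk user working from their usual workstation; the
# last four model a service account suddenly fanning out from a marketing
# workstation and ending at a domain controller.  Not taken from any real network.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "helpdesk1", "HD-WS01", "FIN-WS07"),
    ("2024-05-01T09:20:00", "helpdesk1", "HD-WS01", "FIN-WS09"),
    ("2024-05-01T10:05:00", "helpdesk1", "HD-WS01", "HR-WS02"),
    ("2024-05-01T14:00:00", "helpdesk1", "HD-WS01", "FIN-WS07"),
    ("2024-05-01T22:10:00", "svc_backup", "MKT-WS15", "FIN-SRV01"),
    ("2024-05-01T22:10:20", "svc_backup", "MKT-WS15", "FIN-SRV02"),
    ("2024-05-01T22:10:45", "svc_backup", "MKT-WS15", "HR-SRV01"),
    ("2024-05-01T22:11:10", "svc_backup", "MKT-WS15", "DC01"),
]

# Assumed baseline: source hosts each user has historically authenticated from.
BASELINE = {
    "helpdesk1": {"HD-WS01"},
    "svc_backup": {"BKP-SRV01"},
}

WINDOW = timedelta(minutes=5)   # assumed look-back window for fan-out
FAN_OUT_THRESHOLD = 3           # assumed number of distinct destinations that is suspicious


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src: str
    dst: str


def parse_events(rows):
    """Turn the raw tuples into AuthEvent objects, oldest first."""
    events = [AuthEvent(datetime.fromisoformat(ts), u, s, d) for ts, u, s, d in rows]
    return sorted(events, key=lambda e: e.ts)


def recent_destinations(event, history, window=WINDOW):
    """Distinct hosts the same user reached from the same source in the window
    ending at this event.  Only events up to and including this one are used, so
    the score can be computed at authentication time rather than in hindsight."""
    return {
        e.dst for e in history
        if e.user == event.user and e.src == event.src
        and event.ts - window <= e.ts <= event.ts
    }


def risk_score(event, history, baseline=BASELINE):
    """Score one authentication by its context.  Returns (score, reasons)."""
    score, reasons = 0, []
    if event.src not in baseline.get(event.user, set()):
        score += 2
        reasons.append("source host never seen for this user")
    fan_out = len(recent_destinations(event, history))
    if fan_out >= FAN_OUT_THRESHOLD:
        score += 3
        reasons.append(f"{fan_out} distinct destinations within {WINDOW}")
    if event.dst.startswith("DC"):
        score += 2
        reasons.append("destination is a domain controller")
    return score, reasons


def decide(score):
    """Toy policy: low risk passes, medium risk steps up to MFA, high risk is denied."""
    if score < 2:
        return "allow"
    if score < 6:
        return "mfa"
    return "deny"


def evaluate_all(rows=SAMPLE_EVENTS, baseline=BASELINE):
    """Score every event in order and return (user, dst, score, decision) tuples."""
    history = parse_events(rows)
    results = []
    for event in history:
        score, _ = risk_score(event, history, baseline)
        results.append((event.user, event.dst, score, decide(score)))
    return results


if __name__ == "__main__":
    for user, dst, score, decision in evaluate_all():
        print(f"{user:<11} -> {dst:<9} score={score} decision={decision}")
```

Run as written, every helpdesk logon scores 0 and is allowed, the service account’s first logon from the unfamiliar workstation scores 2 and is stepped up to MFA before it reaches anything, and the final hop to DC01 scores 7 and is denied. The credential match was valid in all eight cases; the only thing separating the two users is the context the identity provider would otherwise never look at.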
The Silverfort Unified Identity Protection platform is the first solution to deliver seamless real-time prevention of lateral movement attacks by natively integrating with Active Directory to add a security layer of both risk analysis and Multi-Factor Authentication (MFA). To learn more about Silverfort’s capabilities, visit our Lateral Movement Prevention Protection page or schedule a demo with one of our experts.