All about lateral movement in cybersecurity breaches, and how to protect against it
“There are only two types of companies: those that have been hacked and those that don’t know they have been hacked.” (Robert S. Mueller III, former director of the FBI)
Cybersecurity breaches occur routinely in businesses, no matter the industry. And because attackers continuously adapt their strategies to outmaneuver advances in security, businesses are constantly playing catch-up against relentless cyber adversaries.
According to IBM’s 2019 Cost of a Data Breach Report, a data breach costs a company an average of $3.92 million worldwide, and in the U.S. it costs an average of $8.19 million. The cost of a data breach goes well beyond financial impacts, however, and is likely to damage a business’s reputation and relationships with customers, among other long-term consequences.
No matter what security measures you take or how much money you spend, your network will eventually be infiltrated by an unauthorized intruder, if it hasn’t already. Intrusion detection systems that alert you to an enemy in your midst after the fact produce a very high percentage of false positives for your security team to chase down, while not really being effective at detecting sophisticated intruders. But the initial breach is not really the major cause of damage to the enterprise.
In fact, it is the spread of unauthorized access and control over your computing assets after the initial breach that is the real goal of the enemy and the means they use to inflict damage and steal or ransom data. Stopping malicious lateral movement remains the biggest unresolved problem for the enterprise, and it should be the highest security priority.
Eliminating vulnerability to lateral movement and evicting hackers from your network is the key to saving your organization time and money and preventing cyber damage. What follows is a look at how lateral movement works and how you can prevent and disrupt it in time to prevent harm from coming to you, your employees, customers and partners.
Lateral movement explained
Lateral movement, the expansion of control over network resources by the adversary after the initial breach, is at the root of almost all cyber damage. Dwell time is the period during which an attacker maintains an uninvited and unnoticed presence within a network. The median dwell time in 2018 was 78 days (FireEye M-Trends 2019). In a relatively simple network with 1,000 endpoints, there are more than 700 million internal attack vectors for an adversary to use to expand their control over assets. When you combine the two facts – that the attacker remains undetected, and that they have so many avenues to expand their control over your resources – intruders have ample opportunity to inflict damage. And insider threats make this even worse.
Lateral movement first requires an attacker to find a way into a network for the initial breach. This takes many forms, like an email phishing attempt or infection via malware, for example. Attackers use email accounts that have been compromised to send emails to employees in efforts to trick them into opening malicious links or attachments, as a Trend Micro report explains.
Once an attacker achieves that initial compromise of a machine, they draw on a range of techniques to gain insight into the network and its endpoints, to increase their privileges and to move from device to device until they get access to servers and locate the most valuable data. Following the initial breach, they expand their control to an ever-growing number of your resources, taking away the enterprise’s control over its own resources. This is lateral movement (see this definition from MITRE).
Lateral movement will have multiple consequences, including:
- Damage to network systems
- Further data theft
- Ransoming of critical data
Lateral movement is especially dangerous because the foundation of your security – firewalls and antivirus software – no longer protects you. The fox is already in the chicken coop.
So how do you quickly detect and prevent lateral movement?
Disrupting and preventing lateral movement
Once an adversary is inside the network, the IT department’s main goal should be to contain the attack and mitigate its costs and impact. As mentioned previously, at this stage firewalls and antivirus software won’t help at all to stop lateral movement. For most enterprises, this problem is deepening due to extremely complex networks, aggressive, automated attacks, and the arrival of state actors on the scene. Enterprise technology executives realize that perimeters can’t reliably be protected and accurate intrusion detection is impossible, i.e. most of the existing solutions designed to remediate breaches of porous perimeters do not work, instead having the effect of driving up the costs of security – labor in particular – to prohibitive levels.
Unfortunately, many solutions out there that aim to detect an intrusion are time consuming and expensive. Most of the time, even if you’re able to detect lateral movement, it doesn’t mean the threat hasn’t already caused a lot of damage. These solutions are passive, and human intervention is required because they only detect intrusions after the fact.
As powerful as we’d like to believe artificial intelligence can be, solutions that depend on artificial intelligence (AI) techniques don’t get the job done. They can be hard to deploy and often only apply to large enterprises, and they provide false positives while increasing response-labor needs and other costs.
The solution, then, is to prevent lateral movement from occurring in the first place. Some common security strategies to help you avoid lateral movement include the following:
- Use multifactor authentication in your systems
- Require strong passwords and frequent password changes
- Give users only the level of access they need, which is likely not administrator status
- Restrict access during certain times of day and from certain locations
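As an added example (not Ridgeback's code or the original post's), here is a minimal detector for the device-to-device spread described above: it flags an account whose source host authenticates to many distinct hosts within a short window, and logons outside an allowed hour range (the time-of-day restriction listed above). The log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
"""Added example: lateral-movement fan-out and off-hours logon detection.

Log format (an assumption for this example):
    <ISO timestamp> <user> <src_host> -> <dst_host>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events; not real data.
SAMPLE_LOG = """\
2019-05-02T09:01:10 alice ws-17 -> fileserver-1
2019-05-02T09:03:44 alice ws-17 -> mail-1
2019-05-02T23:10:02 svc-backup ws-42 -> db-1
2019-05-02T23:10:09 svc-backup ws-42 -> db-2
2019-05-02T23:10:15 svc-backup ws-42 -> fileserver-1
2019-05-02T23:10:21 svc-backup ws-42 -> hr-app
2019-05-02T23:10:30 svc-backup ws-42 -> dc-1
2019-05-02T09:15:00 bob ws-03 -> fileserver-1
"""

def parse(log):
    """Parse log lines into (timestamp, user, src, dst), sorted by time."""
    events = []
    for line in log.splitlines():
        ts, user, src, _, dst = line.split()
        events.append((datetime.fromisoformat(ts), user, src, dst))
    return sorted(events)

def fan_out(events, window=timedelta(minutes=5), threshold=4):
    """Return {user: distinct_destinations} for each (user, src_host) pair
    that reached at least `threshold` distinct hosts inside `window`.
    One account hopping across many hosts quickly is a classic signal of
    lateral movement (or of an automated attack tool)."""
    by_actor = defaultdict(list)
    for ts, user, src, dst in events:          # events are time-ordered
        by_actor[(user, src)].append((ts, dst))
    hits = {}
    for (user, _src), seq in by_actor.items():
        for i, (t0, _) in enumerate(seq):      # slide a window from each event
            dsts = {d for t, d in seq[i:] if t - t0 <= window}
            if len(dsts) >= threshold:
                hits[user] = len(dsts)
                break
    return hits

def off_hours(events, start=8, end=18):
    """Return (user, timestamp) for logons outside the [start, end) hours."""
    return [(u, ts) for ts, u, _, _ in events if not start <= ts.hour < end]
```

Run against `SAMPLE_LOG`, `fan_out` singles out `svc-backup` (five hosts in under a minute) and `off_hours` returns the same account's late-night logons; a real deployment would tune the window and threshold per account type.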
New approaches to counter cyber adversaries are overdue, and enterprises are starting to take a serious look at newer approaches, especially those based on a deeper understanding of how hackers operate following the initial breach and how insiders take advantage of their privileged access. One of the most effective ways to prevent lateral movement from taking place within your network is to implement a tool like Ridgeback, which operates without oversight from your team and doesn’t require time-consuming configuration. It’s simple to deploy and gives you immediate network visibility and expertise, so your team can make fact-based decisions to better adapt and respond to security threats.
The security mindset of Ridgeback Network Defense is that to truly benefit the defender, the cost of defense should go down and the cost to the attacker should go up; it needs to be difficult to attack and easier to defend; the enterprise must adapt to constantly changing security threats. Ridgeback uses various techniques to adapt continually to ever-changing security threats, causing adversaries to needlessly exhaust resources. This aggressive strategy results in the cost of attack outweighing the benefits of attack.
By making the network impossibly hostile to an intruder, Ridgeback actually inverts the dynamic we have been living with for years – something traditional defensive tools just don’t do. An attacker who encounters Ridgeback is forced to grapple with challenges that disrupt their exploit, automatically reveal their presence and evict them from your network. Take advantage of the world’s only intrusion-expulsion system from Ridgeback, and adversaries will be eliminated from your network in real time.
Contact Ridgeback today to learn more about the plug-and-play tool that is a game changer for your enterprise security plan.