Until just a few years ago, lateral movement was a tactic confined to top APT cybercrime organizations and nation-state operators. Today, however, it has become a commoditized tool within the skill set of ransomware attackers. This makes real-time detection and prevention of lateral movement essential for organizations of all sizes and in all industries. Unfortunately, today’s security stacks don’t really have the tools to provide this real-time protection, creating arguably the most critical security vulnerability in an organization’s security architecture.
In this article, we discuss the most important questions around the challenge of lateral movement protection, understand why multi-factor authentication (MFA) and service account protection are the gaps that make it possible, and how Silverfort’s platform protects against attackers. Learn how to turn the tables with And finally putting lateral movement protection within reach.
Upcoming webinars: If you want to learn more about lateral movement and how to prevent it in real time, go here. Sign up for upcoming webinarsIndustry experts share valuable insights on the subject and answer your questions.
Ready? Let’s get started.
Why is lateral movement a significant risk to organizations?
Lateral movement is when the compromise of a single endpoint becomes the compromise of additional workstations and servers within the targeted environment. This is the difference between a single encrypted machine and a potential operational shutdown. Lateral movement is used in more than 80% of his ransomware attacks, making it a risk for all organizations around the world willing to pay to redeem data from attackers.
So how does lateral movement actually work?
It’s actually pretty easy. Unlike malware, which comes in many forms, the process of lateral movement is straightforward. In an organizational environment, any user logged into a workstation or server can access additional machines in that environment by opening a command line her prompt and entering the connect command along with her username and password . This means that all an adversary needs to do to move laterally is to obtain a valid username and password. You can use the information to access resources as if you were a legitimate user.
It sounds easy, so why is it so hard to prevent?
Surprisingly, Identity or security stacks don’t really have tools that can detect and prevent lateral movement in real time.This is because we need the ability to intercept the authentication itself, where an attacker provides compromised credentials to Active Directory (AD). Unfortunately, AD, being inherently legacy software, can only perform one security check for him: whether the username and password match. If present, access is allowed. Otherwise, access is denied. AD does not have the ability to distinguish between legitimate and malicious authentication, it only has the ability to validate credentials provided.
But shouldn’t MFA be able to solve this?
Theoretically. But here’s the problem. Remember the command line window I mentioned earlier about how lateral movement is performed? Guess what? Command-line access is actually based on two authentication protocols (NTLM and Kerberos) that don’t support MFA. These protocols were created long before MFA existed. “Don’t support” here means that you can’t add the “These credentials are valid, but let’s wait for the user to confirm her identity” stage to the authentication process. It is the lack of MFA protection (a key blind spot) in AD environments that allows lateral movement attacks to continue to occur.
At this point, you may be wondering why, even in 2023, we are using a 20+ year old technology that still doesn’t support basic security measures like MFA. You’re right to ask this question, but what’s more important at the moment is the fact that this is the reality in nearly 100% of the environments (including yours). Therefore, it is important to understand their security implications.
Creating easily implemented MFA policies for all privileged accounts is the only way to prevent compromise. With no customizations or network segmentation dependencies, you’ll have Silverfort up and running in minutes. Discover how to protect privileged accounts Now, quickly and seamlessly protect against breaches with adaptive access policies that apply MFA protection to all on-premises and cloud resources.
Don’t forget your service account.
To add another dimension to the challenge of lateral movement protection, be aware that not all accounts are created equal. Some of them are substantially more vulnerable than others. Service accounts used for machine-to-machine access are a prime example. Because these accounts are not associated with human users, they are poorly monitored by IT teams and can even be forgotten. However, they typically have high access privileges and can access most machines in the environment. This makes them attractive compromise targets for threat actors who use them whenever possible. This lack of service account visibility and protection is the second blind spot that lateral movement actors rely on..
Silverfort enables real-time protection against lateral movement
silver fort Pioneers the first Unified Identity Protection platform that can extend MFA to any resource, regardless of whether it natively supports MFA. Leveraging agentless and proxyless technology, Silverfort integrates directly with AD. With this integration, whenever AD receives an access request, it forwards it to Silverfort. Silverfort then analyzes the access request and asks the user for her MFA if necessary. Based on the user’s response, Silverfort decides whether to trust the user and passes that decision to AD. AD grants or denies access as needed.
Preventing Root Lateral Movement #1: Extending MFA to Command Line Access
Silverfort can apply MFA protection to any command line access tool (PsExec, Remote PowerShell, WMI, etc.). With the MFA policy enabled, when an attacker attempts to perform lateral movement via the command line, Silverfort will push her MFA prompt to the real user to see if they initiated that access attempt. ask you to If the user denies this, access will be blocked. Attackers don’t understand why methods that used to work are now hitting a wall.
Preventing Radical Lateral Movement #2: Automating Visibility and Protection of Service Accounts
Service accounts cannot be MFA-protected (as non-human users, their identities cannot be verified through mobile phone notifications), but they can be. This is because service accounts (unlike human users) exhibit highly repetitive and predictable behavior. Silverfort takes advantage of this by automating the creation of policies for all service accounts. Once activated, you can send an alert or completely block access to your service account whenever deviation standard activity is detected. Even if an attacker has service account credentials, exploiting a compromised service account inevitably leads to deviations because the attacker does not know the standard usage of the account. As a result, any attempt to perform lateral movement using a compromised service account will be stopped cold.
Do you think lateral movement is a risk that needs to be addressed? schedule a call with one of our experts.
