It is rare for an attacker to exploit a single system and never attempt lateral movement within the network. Even ransomware, which typically encrypts one system at a time, has been built to spread across the network in search of further victims. More often than not, an attacker gains an initial foothold and then pivots from system to system, looking for higher privileges on the way to their ultimate objective.

Mitigating and Detecting Abuse with Lateral Movement

There is good news when it comes to both mitigating and detecting abuse of this technique: proper network segmentation goes a long way toward mitigation. Placing critical systems in one subnet, general users in another, and system administrators in a third is a quick way to constrain lateral movement in smaller networks, because traffic between those groups then has to cross a boundary where it can be filtered and logged.

Placing firewalls at both the endpoint and the network (switch or router) level will also limit lateral movement. Relying only on endpoint firewalls is a management nightmare, while relying only on network firewalls leaves host-to-host traffic within the same subnet unfiltered, since that traffic never crosses the network firewall, so an attacker can still pivot between neighbouring hosts.

Following CIS Control 14, Controlled Access Based on the Need to Know (CIS Controls version 7 numbering), is a good starting point for guidance on mitigating most of these threats. In addition, follow Control 4, Controlled Use of Administrative Privileges. Attackers are after administrator credentials, so tightly controlling how and where those credentials can be used makes them harder to steal and abuse. The other portion of this control is logging every use of administrative credentials.

Even though administrators use their credentials daily, that use should fall into routine patterns: the same jump hosts, the same working hours, the same logon types. A baseline of that routine turns any deviation from it (a new source host, an off-hours logon, an unexpected logon type) into an indication that an attacker may be abusing valid credentials.
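The baseline-and-deviate idea behind logging administrative credential use and watching for anomalies (the two paragraphs above) is simple enough to show end to end. The following is an added example, not code from the original article: it builds a per-account profile of source hosts, logon hours and logon types from Windows Security Event ID 4624 (successful logon) records and then flags later logons that fall outside that profile. The event records are constructed for illustration, the `_adm` account-naming convention and the set of admin accounts are assumptions, and the field names mirror the 4624 event data (TargetUserName, WorkstationName, LogonType, IpAddress) as a SIEM export would present them.

```python
"""Flag administrator logons that deviate from each account's routine.

Added example (not from the article). Input: Windows Security 4624 events
already parsed into dicts, as a SIEM or Get-WinEvent export would give them.
"""
from collections import defaultdict
from datetime import datetime

# Assumption: privileged accounts follow an "_adm" suffix convention.
ADMIN_ACCOUNTS = {"jdoe_adm"}

# Constructed sample: one week of routine admin activity used as the baseline.
# LogonType 10 = RemoteInteractive (RDP), 3 = Network, 2 = Interactive.
BASELINE_EVENTS = [
    {"TimeCreated": "2023-03-06T09:05:00", "TargetUserName": "jdoe_adm",
     "WorkstationName": "ADM-JUMP01", "IpAddress": "10.10.30.11", "LogonType": 10},
    {"TimeCreated": "2023-03-06T14:30:00", "TargetUserName": "jdoe_adm",
     "WorkstationName": "ADM-JUMP01", "IpAddress": "10.10.30.11", "LogonType": 10},
    {"TimeCreated": "2023-03-07T08:55:00", "TargetUserName": "jdoe_adm",
     "WorkstationName": "ADM-JUMP01", "IpAddress": "10.10.30.11", "LogonType": 10},
    {"TimeCreated": "2023-03-07T16:10:00", "TargetUserName": "jdoe_adm",
     "WorkstationName": "ADM-JUMP02", "IpAddress": "10.10.30.12", "LogonType": 10},
    {"TimeCreated": "2023-03-08T09:20:00", "TargetUserName": "jdoe_adm",
     "WorkstationName": "ADM-JUMP01", "IpAddress": "10.10.30.11", "LogonType": 10},
    {"TimeCreated": "2023-03-09T10:00:00", "TargetUserName": "jdoe_adm",
     "WorkstationName": "ADM-JUMP01", "IpAddress": "10.10.30.11", "LogonType": 10},
    {"TimeCreated": "2023-03-10T09:40:00", "TargetUserName": "jdoe_adm",
     "WorkstationName": "ADM-JUMP02", "IpAddress": "10.10.30.12", "LogonType": 10},
    # Non-admin noise that the profiler must ignore.
    {"TimeCreated": "2023-03-10T11:00:00", "TargetUserName": "jdoe",
     "WorkstationName": "WKS-SALES17", "IpAddress": "10.10.20.17", "LogonType": 2},
]

# Constructed sample: the following Monday, with two suspicious logons.
NEW_EVENTS = [
    {"TimeCreated": "2023-03-13T09:10:00", "TargetUserName": "jdoe_adm",
     "WorkstationName": "ADM-JUMP01", "IpAddress": "10.10.30.11", "LogonType": 10},  # routine
    {"TimeCreated": "2023-03-13T02:45:00", "TargetUserName": "jdoe_adm",
     "WorkstationName": "ADM-JUMP01", "IpAddress": "10.10.30.11", "LogonType": 10},  # off-hours
    {"TimeCreated": "2023-03-13T11:00:00", "TargetUserName": "jdoe_adm",
     "WorkstationName": "WKS-SALES17", "IpAddress": "10.10.20.17", "LogonType": 3},  # from a user workstation
]


def _hour(event):
    return datetime.fromisoformat(event["TimeCreated"]).hour


def build_baseline(events, admin_accounts):
    """Per admin account: the source hosts, hours of day and logon types seen."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set(), "types": set()})
    for ev in events:
        if ev["TargetUserName"] not in admin_accounts:
            continue
        p = profile[ev["TargetUserName"]]
        p["hosts"].add(ev["WorkstationName"])
        p["hours"].add(_hour(ev))
        p["types"].add(ev["LogonType"])
    return dict(profile)


def _near_routine_hour(hour, routine_hours, slack):
    # Circular distance so 23:00 and 00:00 count as neighbours.
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= slack for h in routine_hours)


def find_anomalies(events, profile, admin_accounts, hour_slack=1):
    """Return (time, account, reason) for admin logons outside the baseline."""
    alerts = []
    for ev in events:
        acct = ev["TargetUserName"]
        if acct not in admin_accounts:
            continue
        p = profile.get(acct)
        if p is None:
            # An admin account with no history at all is itself worth a look.
            alerts.append((ev["TimeCreated"], acct, "no baseline for admin account"))
            continue
        reasons = []
        if ev["WorkstationName"] not in p["hosts"]:
            reasons.append(f"new source host {ev['WorkstationName']} ({ev['IpAddress']})")
        if not _near_routine_hour(_hour(ev), p["hours"], hour_slack):
            reasons.append(f"outside routine hours ({_hour(ev):02d}:00)")
        if ev["LogonType"] not in p["types"]:
            reasons.append(f"unusual logon type {ev['LogonType']}")
        if reasons:
            alerts.append((ev["TimeCreated"], acct, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS, ADMIN_ACCOUNTS)
    for when, who, why in find_anomalies(NEW_EVENTS, baseline, ADMIN_ACCOUNTS):
        print(f"{when} {who}: {why}")
```

Run against the constructed data it reports two alerts: the 02:45 logon (outside routine hours) and the network logon from WKS-SALES17 (a new source host and a logon type never seen for that account). The routine 09:10 logon from the jump host is silent, which is the point: the profile, not a fixed rule, decides what is normal for each account, so the same code works for an administrator whose routine is night-shift maintenance. In production the baseline would be rebuilt on a rolling window and the hour slack tuned to the environment.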

Beyond monitoring authentication logs, the audit logs are critical as well. Event ID 4769 (a Kerberos service ticket was requested) on a domain controller will