Lateral movement is one of the most consequential types of network activity that organizations need to watch for. After gaining initial access to a network, the attacker maintains ongoing access by moving through the compromised environment and obtaining increased privileges (known as “privilege escalation”) using various tools and techniques. Attackers then use those privileges to move deeper into the network in search of high-value data and other valuable assets.

Lateral movement is an important characteristic that differentiates today’s advanced persistent threats (APTs) from traditional cyberattacks. It is a sign of threat actors who are sophisticated enough to work at avoiding detection and retaining access even if their presence is discovered on the machine they first infected. With this extended dwell time, the threat actor might not begin pilfering data until weeks or even months after the original breach occurred.

Network Knowledge: The Key to Beating Lateral Movement

To defend against lateral movement, it is important to understand what the environment should look like, how it is managed, and how it should be set up for optimal operations.

Having a security baseline tied to critical information security controls is of paramount importance in that effort. As hardware, software, and other assets deviate from their secure baselines, those changes become clear indicators that something is out of compliance with the baseline’s “golden image.” But what processes should you use to maintain those configurations? What will the process be for ongoing monitoring of changes to these devices?

As an example, imagine that your router deviates from its baseline configuration. You need to be able to identify what those changes were in order to determine whether they are part of suspicious activity. Regardless of whether they are benign or malicious, you then need to ...
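As an added example that is not part of the article: a small Python check that compares a router's running configuration against its golden baseline, records every deviation, and separately flags the ones that touch accounts, access control, or remote-management transports. The configuration lines are constructed samples in IOS-like syntax, and the list of sensitive statement prefixes is an assumption.

```python
import difflib
from dataclasses import dataclass, field

# Constructed sample configs (not from the article): a router's golden baseline
# and a running config that has drifted from it.
BASELINE = """\
username admin privilege 15 secret 5 HASH-PLACEHOLDER
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 deny ip any any
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
"""
CURRENT = """\
username admin privilege 15 secret 5 HASH-PLACEHOLDER
username svc-backup privilege 15 secret 5 HASH-PLACEHOLDER
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit tcp any any eq 22
 deny ip any any
line vty 0 4
 transport input ssh telnet
"""
# Assumed set of statements whose drift most often matters for lateral movement:
# new accounts, loosened access control, extra remote-management transports.
SENSITIVE_PREFIXES = ("username", "permit", "deny", "access-class", "transport input")

@dataclass
class Drift:
    added: list = field(default_factory=list)    # lines present only in current
    removed: list = field(default_factory=list)  # lines present only in baseline

    def sensitive(self) -> list:
        """Deviations touching sensitive statements, tagged + (added) / - (removed)."""
        return [f"{tag} {ln.strip()}"
                for tag, lines in (("+", self.added), ("-", self.removed))
                for ln in lines if ln.lstrip().startswith(SENSITIVE_PREFIXES)]

def diff_config(baseline: str, current: str) -> Drift:
    """Line-by-line comparison of a running config against its golden baseline."""
    base = [ln.rstrip() for ln in baseline.splitlines() if ln.strip()]
    cur = [ln.rstrip() for ln in current.splitlines() if ln.strip()]
    drift = Drift()
    for line in difflib.unified_diff(base, cur, lineterm="", n=0):
        if line.startswith(("---", "+++", "@@")):
            continue  # diff headers; only content lines are deviations
        (drift.added if line[0] == "+" else drift.removed).append(line[1:])
    return drift
```

Calling `diff_config(BASELINE, CURRENT).sensitive()` on the samples surfaces the new privileged account, the SSH rule opened to any source, the dropped management ACL on the VTY lines, and telnet added as a transport; the same routine runs against any two pulled configs.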