Verizon’s 2020 Data Breach Investigations Report (DBIR) highlights the nature of the cyber threats currently facing the business world.
The data shows that 72% of the victims of breaches were large businesses. Breaches were overwhelmingly – 86% — financially motivated. This helps explain why the most common victims were large businesses: They have the deep pockets to pay off ransoms. In 58% of the cases personal data was compromised – many cyberattacks focus on collecting credit card information, or failing that, other personal data that could be used to engage in identity theft.
In 37% of the breaches the cyberthieves used stolen credentials; a further 8% of the cases involved misuse by authorized users. In total 45%, nearly half, of the breaches were committed by users that appeared to be authorized – but who were, in fact, criminals.
Other common attack vectors were phishing, malware/ransomware, and misconfiguration.
The vast majority of attackers are highly sophisticated. Cybercrime is no longer the domain of disaffected lone attackers sitting in basements at 3 AM – if it ever was. Nearly 70% of attacks were carried out by either organized crime rings or nation-state affiliated actors.
With the recent headlines about successful supply-chain attacks, it’s become increasingly clear that no cybersecurity system can be 100% foolproof. Even corporations that are highly regulated, careful and stay on the cutting edge of cybersecurity techniques can find themselves the victim of an attack. It is therefore essential to take steps to reduce the damage that a hacker can do if they breach your defenses. Preventing lateral movement within the network is one important way to minimize damage.
What is Lateral Movement?
Lateral movement refers to the ability of a user to move around within a network once they have been authorized to have access. Classic cybersecurity structures used a “castle with a moat” architecture, entailing very strong defenses to keep unauthorized individuals out – but permitting free movement within once a user had been allowed into the castle.
Lateral movement is that movement within the network, as a user accesses one application and then another, or accesses resources on one server and then others within the same network. This is also referred to as “East-West” traffic, distinguishing it from the users who are entering the network from outside, which is generally referred to as “North-South” traffic.
Why is Lateral Movement a Concern?
In the old way of thinking, any user who was authorized to log onto an organization’s network could be trusted once they were within. Clearly, with 45% of breaches committed by users who appeared to be authorized, as mentioned above, this assumption no longer holds. Malicious actors are successfully authorizing into organizations’ networks (legitimately or not) and once they get in, unfettered lateral movement means that once within the “castle walls”, the malicious actor has access to everything.
Of course, a cybercriminal who breaks in with the credentials of a low-level employee will not have credentials to access, for instance, a company payroll system, credit card information, personal data, or corporate secrets. But if there is nothing to prevent lateral movement, they will be able to move around and identify the treasure they are seeking. And once they can see where the riches are, breaking in is relatively simple for any cybercriminal who has earned the title.
Preventing Lateral Movement as Part of a “Zero Trust” Philosophy
“Zero Trust” is the most revolutionary concept in network security today. It rejects the idea that once a user is authorized within a network, they should have free access to all that’s within. Zero Trust posits that no authenticated user should automatically be fully trusted to access everything. And it likewise assumes that every website and other outside resource that systems access — such as documents to be downloaded — might be a vector for malware.
Eliminating or sharply limiting lateral movement is an important element of a strong network security strategy, but certainly not the only one. It’s at least as important to keep unauthorized users out to begin with. Password management is an important tool: the system should require users to have strong passwords that can’t be easily guessed. Users should be educated on the importance of unique passwords – reusing passwords means that if a hacker steals a password for one application, they can access additional networks, resources or applications that use the same one. Even better is to require multifactor authentication. With multifactor authentication in place stolen credentials aren’t enough to enable a malicious actor to access the system.
Basic cybersecurity hygiene – keeping all software up to date, installing security patches promptly, requiring passwords to be changed — are important. Cybersecurity audits should be conducted periodically to identify misconfigurations, since misconfigured software is a surprisingly common, and preventable, way that hackers break into networks. Consider using virtual computing for your remote users – with a “clientless” setup such as Ericom Connect, users don’t need software or plugins on their devices, minimizing vulnerabilities.
With significant numbers of attacks coming from “trusted insiders,” it’s important to have robust procedures in place for screening prospective employees.
Phishing attacks and malware are common attack vectors. Using Remote Browser Isolation (RBI), where all web browsing is done in a one-time use cloud container on an isolated server, prevents accidentally installing malware on the company’s servers.
Cloud App Isolation is a valuable and highly effective way to protect your apps from malicious users. One way to implement Cloud App Isolation is to require all users to access apps via a remote virtual browser, located in a container in the cloud. This creates an air gap between the app code and the internet, which prevents malicious users from being able to see or access the actual code and thereby insert malware or accurately spoof it for malicious purpose.
While preventing unauthorized lateral movement is ideal, it’s also important to have strong systems in place to detect unauthorized lateral movement, should it occur. Most large companies have such systems in place, since prompt detection of and response to unusual lateral movement allows an attack to be shut down before much damage is done. While false positives from an overly sensitive detection system is a concern, it is relatively minor compared with the damage that might be prevented.
How to Prevent Lateral Movement
Fortunately, there are a number of ways to make it more difficult for bad guys to move laterally through your network.
- Minimize use of privileged accounts. Privileged accounts – such as administrator accounts – are dangerous. Administrators are often able to move laterally throughout the network and may have access to everything, including the operating system. System administrators should have standard logins, in addition to their privileged administrator accounts. To minimize exposure of highly privileged accounts, these accounts should be used only when those extra privileges are needed for the task at hand. Otherwise, even system administrators should use a standard login. There are also ways to reduce the potential exposure from privileged accounts through techniques such as creating one-time use accounts to enable specific tasks.
- Implement Zero Trust Network Access (ZTNA). ZTNA protects against lateral movement by leveraging the principle of least privilege access. With least privilege access, users only can access the data and applications they need to get their job done. This provides a couple of important forms of protection. If a “trusted insider” turned out to not be trustworthy, the damage they can do is limited to the few resources to which they have access. The same principle applies if credentials are stolen: if someone did have access to a stolen credential to access the system, they would still only have access to whatever that user was authorized to see.
Least Privilege access is typically implemented through Role Based Access Control (RBAC), which assigns access privileges to a pre-determined set of apps and data to all users who have the same title or role within a company. Ideally, to truly limit access to the resources needed, privileges should be tailored to individuals, not roles. This approach, however, is highly labor intensive and as such, relatively few companies adopt it. Ericom Application Isolator automates access privilege assignment at the individual level, minimizing the administrative burden of assigning rights to apps on the individual level and enabling true least privilege protection.
- Implement microsegmentation. ZTNA controls users access to apps. Microsegmentation very specifically limits lateral movement between components on the network. Microsegmentation can be implemented down to the individual workload level, so that lateral movement within the network is severely limited. Ericom Application Isolator, for instance, prevents users from even seeing apps that they are not authorized to use.
- Implement context-based access control. ZTNA can go beyond restricting users to certain apps – it can be implemented so that it is also context sensitive, so that users only have access to certain apps at certain times, or from certain devices, or from certain places. This can also thwart the ability of cybercriminals to make use of stolen credentials.
No matter how vigilant a company’s IT department is, there will be times when cyberthieves manage to breach their cyber defenses. Minimizing lateral movement within the network is a vitally important tool to minimize the damage that can be done by those attacks.
Implementing a Zero Trust philosophy as the basis for your company’s cybersecurity is the best way to secure your network. It may seem a little paranoid, but as the quip goes, “just because you’re paranoid doesn’t mean they’re not out to get you.” With the cost of data breaches running to the millions of dollars, it’s better to err on the side of being cautious.
Today’s corporate IT environments are highly complex. Users may be working from within the network at the corporate office, or they may be working remotely (increasingly common since the start of the coronavirus pandemic). With most companies operating in a hybrid cloud environment, the resources they are accessing may be either on the corporate network or in the cloud.
Cloud-hosted cybersecurity services are an ideal solution for enabling organizations to manage this complex environment. While the services are hosted in the cloud, policy enforcement is managed at local Points of Presence (PoP) at the edge, allowing companies to enforce user-based policies regardless of where the user is – in the office, on the road, or at home. For more information about protecting against lateral movement attacks, download our free white paper, Time to Upgrade to Zero Trust Network Access.