Only a few years ago, lateral movement was a tactic confined to top APT cybercrime organizations and nation-state operators. Today, however, it has become a commoditized tool, well within the expertise of any ransomware threat actor. This makes real-time detection and prevention of lateral movement a necessity for organizations of all sizes and in all industries. But the disturbing truth is that there aren’t really any tools in today’s security stack that can provide this real-time protection, leaving the most critical flaw in an organization’s security architecture.
In this article, we’ll address the most important questions around the lateral movement protection challenge, understand why multi-factor authentication (MFA) and service account protection are possible loopholes, and learn how the Silverfort platform turned the tables on attackers and finally put lateral movement protection within reach.
Upcoming Webinars: If you’re interested in learning more about lateral movement and how to prevent it in real time, we invite you to sign up for our upcoming webinar. Industry experts will share valuable insights on these issues and answer any questions you may have.
Ready? Let’s start.
Why is lateral movement a critical risk for organizations?
Lateral movement is the stage where the compromise of one endpoint becomes the compromise of additional workstations and servers in the targeted environment. This is the difference between a single encrypted machine and potential downtime across the environment. Lateral movement is used in over 80% of ransomware attacks, making it a risk for any organization in the world that would be willing to pay to get its data back from attackers.
So how does lateral movement actually work?
It’s actually quite simple. Unlike malware, which comes in many forms, the process of lateral movement is straightforward. In an organizational environment, any user logged on to a workstation or server can access additional machines in the environment by opening a command-line prompt and typing a connection command, along with their username and password. This means that all an adversary has to do to move laterally is obtain a valid username and password. Once obtained, attackers can use these compromised credentials to access resources as if they were legitimate users.
It sounds simple, so why is it hard to prevent?
As surprising as it sounds, there really isn’t a tool in the identity or security stack that can detect and prevent lateral movement in real time. This is because what is needed is the ability to intercept the authentication itself, which is the point at which an attacker presents compromised credentials to Active Directory (AD). Unfortunately, AD – being legacy software – is only capable of one security check: do the username and password match? If so, access is granted; otherwise, access is denied. AD has no ability to distinguish between legitimate and malicious authentication, only the ability to validate the credentials provided.
But shouldn’t MFA be able to solve this?
In theory. But here’s the thing: remember that command-line window mentioned earlier, the one through which lateral movement is executed? Guess what. Command-line access is based on two authentication protocols (NTLM and Kerberos) that don’t actually support MFA. These protocols were written long before MFA existed. And by “not support”, we mean that you can’t add an extra stage to the authentication process that says, “these credentials are valid, but let’s wait for the user to verify their identity.” It is this lack of MFA protection in the AD environment – a major blind spot – that allows lateral movement attacks to persist.
At this point, you may be wondering why in 2023 we are still using technology from more than 20 years ago that doesn’t support basic security measures like MFA. You’re right to ask this question, but right now, what’s more important is the fact that this is the reality in almost 100% of environments – including yours. That’s why it’s so important to understand the security implications.
Creating easy-to-enforce MFA policies for all of your privileged accounts is the only way to ensure they aren’t compromised. With no need for customization or dependency on network segmentation, you can be up and running in minutes with Silverfort. Find out how to protect your privileged accounts from compromise quickly and seamlessly with adaptive access policies that enforce MFA protection across all of your on-premises and cloud resources.
Don’t forget service accounts – they are invisible, highly privileged, and nearly impossible to protect
To add another dimension to the lateral movement protection challenge, keep in mind that not all accounts are created equal. Some of them are materially more vulnerable to attack than others. Service accounts, which are used for machine-to-machine access, are a prime example. These accounts are not associated with any human user, so they are under-monitored and sometimes even forgotten by IT teams. But they usually have elevated privileges and can access most machines in the environment. This makes them attractive targets for threat actors, who use them whenever they can. This lack of visibility into, and protection of, service accounts is the second blind spot that lateral movement relies on.
Don’t forget service accounts – they are invisible, very special, and nearly impossible to protect
To add another dimension to the lateral motion protection challenge, keep in mind that not all accounts are created equal. Some of them are materially more vulnerable to attack than others. Service accounts, which are used for machine-to-machine access, are a prime example. These accounts are not associated with any human users, so they are under-monitored and sometimes even forgotten by IT teams. But they usually have elevated privileges and can access most machines in the environment. This makes them attractive compromise targets for threat actors, who use them whenever they can. This lack of visibility and account protection of these services is the second blind spot that lateral movers rely on.
Silverfort enables real-time protection against lateral movement
Silverfort pioneered the first Unified Identity Protection platform that can extend MFA to any resource, regardless of whether it supports MFA natively or not. Leveraging agentless, proxyless technology, Silverfort integrates directly with AD. With this integration, whenever AD receives an access request, it forwards the request to Silverfort. Silverfort then analyzes the access request and, if necessary, challenges the user with MFA. Based on the user’s response, Silverfort determines whether or not to trust the user and passes the decision back to AD, which then grants or denies access accordingly.
Preventing lateral movement at its root #1: Extending MFA to command-line access
Silverfort can apply MFA protection to any command-line access tool – PsExec, Remote PowerShell, WMI, and others. With the MFA policy enabled, if an attacker tries to perform a lateral move via the command line, Silverfort pushes an MFA prompt to the real user, asking them to verify whether they initiated the access attempt. When the user denies it, access is blocked – leaving the attacker confused as to why a method that has worked flawlessly in the past now hits a dead end.
Preventing lateral movement at its root #2: Automatic visibility and protection of service accounts
While service accounts can’t be subject to MFA protection – as non-human users, they can’t confirm their identity with a phone notification – they can still be protected. This is because service accounts (unlike human users) exhibit highly repetitive and predictable behavior. Silverfort takes advantage of this by automating policy creation for each service account. When enabled, these policies can send an alert or block the service account’s access altogether whenever activity that deviates from its standard behavior is detected. Malicious use of a compromised service account inevitably creates such a deviation, because even an attacker who holds the service account’s credentials would not know the account’s standard usage pattern. The upshot is that any attempt to use a compromised service account for lateral movement is stopped cold.
Do you see lateral movement as a risk that you need to work on? Schedule a call with one of our experts.
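As an added example (not Silverfort’s code), the baseline-and-deviation logic the previous paragraph describes, in Python: each service account’s observed (source host, target host, logon type) combinations are learned during a baseline window, and any later authentication outside that set is alerted on or blocked. The event layout and all account and host names are constructed for the illustration.

```python
from collections import defaultdict

# Constructed sample authentication events (account, source host, target host,
# logon type). The tuple layout is an assumption for this example, not a real
# log format.
BASELINE_EVENTS = [
    ("svc_backup", "BACKUP01", "FILESRV01", "service"),
    ("svc_backup", "BACKUP01", "FILESRV02", "service"),
    ("svc_sql", "APP01", "SQL01", "network"),
]
NEW_EVENTS = [
    ("svc_backup", "BACKUP01", "FILESRV01", "service"),    # repeats the baseline
    ("svc_backup", "WS-FINANCE07", "DC01", "interactive"), # account used from a workstation
    ("svc_sql", "APP01", "SQL01", "network"),              # repeats the baseline
    ("svc_unknown", "WS22", "DC01", "network"),            # account never baselined
]


def build_baseline(events):
    """Learn, per account, the set of access patterns seen during the baseline window."""
    baseline = defaultdict(set)
    for account, src, dst, logon_type in events:
        baseline[account].add((src, dst, logon_type))
    return baseline


def evaluate(events, baseline, mode="alert"):
    """Return (account, verdict, reason) per event; verdict is allow, alert or block.

    mode="alert" only reports deviations, mode="block" denies them outright,
    mirroring the alert-or-block policy choice described in the text.
    """
    action = "block" if mode == "block" else "alert"
    verdicts = []
    for account, src, dst, logon_type in events:
        if account not in baseline:
            # An account with no learned behavior cannot be trusted to act normally.
            verdicts.append((account, action, "no baseline for account"))
        elif (src, dst, logon_type) not in baseline[account]:
            verdicts.append((account, action, f"unseen pattern {src}->{dst} ({logon_type})"))
        else:
            verdicts.append((account, "allow", "matches baseline"))
    return verdicts


if __name__ == "__main__":
    for verdict in evaluate(NEW_EVENTS, build_baseline(BASELINE_EVENTS), mode="block"):
        print(verdict)
```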