Tracking attackers and preventing their lateral movement across your network will help you better protect against persistent attacks.
Speaking with Donato Capitella, security consultant at MWR Infosecurity, he said that if an attack is successful it doesn’t mean game over, but if they compromise you they should not have access to everything in order to get to a target.
“We can try and make life harder or make it more painful by importing controls together,” he said. “You can have the best detection and intrusion prevention, but the two things need to go together.”
He said that with attacks enabled by spear-phishing, once an attacker gets into a workstation they exploit the privilege of the user and will not do anything that is too suspicious, but will try to do “lateral movement” as the victim does not know where they are in the network, and explore file shares and other users.
He explained that once an attacker gets in, they should not have the opportunity to do more and if we can stop them, then they don’t make the news. “Most of the time they can move around laterally, making it very difficult to stop or detect them, which is what needs to be happening,” he said.
A common problem is that the activities between the compromise and malicious activity are difficult to detect if you don’t have the right infrastructure on your network to detect that. So if an attacker compromises the endpoint and needs to talk out, if there is outbound filtering implemented, then it is very difficult for the attacker to connect back to the machine.
“With a proxy there, the attacker needs to go through that and it makes it more difficult as they might have proxy logs that show the connection. So you slow them down and make them more detectable, and all security controls can be part of deploying secure builds,” he said.
Capitella said that there are technologies that will slow down an attacker providing more ways to detect them and the harder it is, the slower it will be for them. “By implementing security controls, you force the attacker down the path of least resistance and it becomes to easier to spot them,” he said.
“You are forcing them down that way; application whitelisting it is important for security and controls and an attacker needs to develop a zero-day and that is more expensive. It is not 100 per cent bulletproof, but it will stop some attackers and this makes it more difficult for skilled attackers and you have a better chance of detecting and monitoring what they are doing or stopping them immediately.”
I asked Capitella if he sees a lot of use of the outbound proxy, and he said that often clients deploy application whitelisting across the infrastructure, while removing privilege from regular users works well. “A control is taking away administrator privilege from the attacker as now they have to work without privilege escalation; if they are skilled they can do it, but you slow them down,” he said.
He also said that data loss prevention tools can be used too as part of the “mix”, and if you have to prioritise, implementing a good strategy for hardening and forcing attackers down the “difficult” path and detecting anomalies in configuration is the main thing.
I asked him for his recommendations on what companies can do to enable such hardened measures to prevent lateral movement of an attacker. He recommended having a holistic strategy for detection and prevention as much as you can, and consider adding: application whitelisting; taking away administrator privileges; segregate users and networks so it is more difficult for an attacker to strike; and patch everything, particularly on client side software.
“To accommodate for this, you need to work as best as you with detection and intrusion prevention systems and work to focus monitoring on the area of least resistance and that will help you in the process of using things to detect attackers,” he said.
Donato Capitella, security consultant at MWR Infosecurity, was talking to Dan Raywood Learn more about MWR Infosecurity’s training options here