Preventing Lateral Movement Through Network Access Visibility
In the first five months of this year, we have already witnessed multiple cyber attacks against critical infrastructure in the US. Those events range from an individual endangering people’s life by poisoning a water-treatment facility to large organized groups disrupting fuel delivery to a significant part of the country.
The increasing number and sophistication of such incidents have reinforced the importance of building resilient cyber infrastructure. Organizations have started identifying their critical systems and protecting them with multiple cyber-defense layers. However, many connected systems that form the perimeter of the organization’s network remain exposed. Such devices include external-facing servers and corporate workstations. Attackers often exploit the perimeter, leveraging existing networking services and unknown loopholes to reach the network’s crown jewels. That approach is termed lateral movement—a set of activities used by attackers to make their way from the initial entry point to critical assets. In such an expansion phase, attackers utilize several exploit techniques and use intermediate devices as stepping stones. Eventually, lateral movement enables attackers to launch data exfiltration or service disruption.
Lateral Movement in Action: the SolarWinds Incident
In the words of Brad Smith, President, Microsoft, the 2020 SolarWinds supply chain attack was an “attack on the United States and its government and other critical institutions, including security firms.” The incident that came into public space in December 2020 had occurred between March and June that year. Sophisticated advanced persistent threat (APT) actors introduced malicious code into the vendor’s Orion platform, a network and endpoint management software. Subsequently, the download of the compromised software provided the APT with a foothold into IT networks of more than 18,000 SolarWinds’ customers that included federal agencies and major private organizations.
Figure 1 illustrates how the malware virtually made it from the Internet to critical segments of a target network. First, the compromised Orion software gave attackers a backdoor into the victim system. Second, since a network management system is typically authorized to have two-way communication with all the devices, attackers could collect authentication keys and tokens. Brute-force password cracking attacks might have also helped attackers to gain privileged access to critical servers. With knowledge of internal architecture and access to credentials, the malicious traffic could go undetected, giving attackers access to confidential information and important services. Due to the large number of entities affected, investigators believe that the extent of the damage from the attack will take years to unravel. Attackers may also carry out follow on attacks using the information collected and tools deployed in victim networks.
Figure 1: Lateral movement in the SolarWinds incident utilized (1) delivery of malware through software update mechanism, (2) Internal reconnaissance and credential harvesting through trusted communications, and (3) Data exfiltration or service disruption.
Why does Lateral Movement Need Special Attention?
Lateral movement has been an essential step in a majority of recent cyber attacks. However, since it is a precursor to the actual action on target, organizations have an excellent reason to invest more in defending against lateral movement and the steps that lead to it. Such preparedness would save them significant costs that they would otherwise spend on incident response and repair.
Achieving resiliency against lateral movement attacks is challenging for three core reasons. First, the attack vectors and techniques that the adversaries can adopt are virtually unlimited. Next, the sophistication of attackers in utilizing benign OS and networking services is increasing. Finally, even though network access and security policies aim to segment networks effectively, unwanted access paths can easily result from misconfigurations, software bugs, and human errors. For example, misconfiguration of firewall access policies was a primary enabler of the attacker’s lateral movement in the 2013 Target Corporation data breach and 2015-16 Ukrainian power grid incident.
Preventing Lateral Movement
One important insight that benefits the defender is that an adversary, to move laterally, must have several interactions with the network and leverage the existing access patterns. Therefore, the awareness of network assets and access paths can be vital in measuring and reducing risk concerning lateral movement. Here, an access path refers to a possible network connection between two devices.
At a high level, a common approach to understand lateral movements and reduce risk exposure consists of the following steps:
- Computing risk metrics by analyzing the graph structure generated by network paths
- Specializing the metrics with additional context from services and vulnerabilities
- Changing network configuration to decrease the risk
The first step involves constructing a network access graph and selecting relevant metric(s) to quantify the risk. One commonly adopted metric is the number of (strongly) connected components. A strongly connected component is a directed graph in which every node is reachable from every other node. Because of that property, a connected component becomes a single lateral movement domain. Hence, the presence of large connected components in the network access graph indicates network zones with higher risk.
Figure 2 depicts a sample network segmented into subnets using a Cisco firewall. The figure summarizes network access paths in terms of a connectivity matrix between the different subnets. Such connectivity means that the entire network is one connected component. That is a state of high risk with respect to lateral movement and should be fixed.
Figure 2: With the access policies configured as shown in the table, the network becomes a single fully-connected graph.
It is easy to see the value of such analysis for real-world networks consisting of many firewalls and routers. In the second step of the overall process, we can further specialize access paths for specifics of the underlying network and the likely attack vectors. In that context, defenders can implement the following approaches relying on the situational awareness obtained in the previous step:
- Analyze paths, both inbound and outbound, for specific networks and devices
- Filter paths per service type (protocol-port combinations) to focus more on lateral movement vectors such as authentication, remote access, file transfer, and sharing services
- Correlate paths with vulnerability information to evaluate the reachability of highly vulnerable parts of the network to high-value assets
The final step in the risk mitigation process is to be able to identify root causes and fix them. With the precise and actionable information collected so far, security admins can take concrete steps, including the following:
- Break down large connected components into many smaller ones to limit the extents of lateral movement domains
- Limit reachability of highly vulnerable nodes to critical assets
For instance, in the network presented previously, an admin may choose to limit direct access from ‘Marketing’ to the rest of the network. To accomplish that, as we show in Figure 3a, she can select the specific path and correlate it with the corresponding configuration entry. She can then quickly limit the connectivity and transform the network to a safer state of Figure 3b.
Figure 3a: Correlating network paths (shown by red arrows) with the corresponding entry in firewall configurations (highlighted by the red box).
Figure 3b: Modifying firewall configuration leads to segmenting the network in multiple connected components and improving the overall security posture.
Responding to Lateral Movement
The recent attacks against critical infrastructure have reinforced that lateral movement is an integral part of cyber threats. Therefore, as soon as an initial compromise is detected, quickly determining which other systems are endangered is the key to minimizing the damage. Subsequently, one can isolate those assets and restore them in a safe state.
An accurate understanding of current access paths is a strong ally to reduce risk exposure. Security teams can examine outgoing network access paths from suspected compromised nodes and filter them using compromised services to limit the search space. In particular, a stepping-stone analysis is essential to tell how far specific systems are from a network access standpoint. We have discussed such analyses in detail in our previous article on accelerating incident response.
In this article, we have discussed strategies for countering malicious lateral movement. Specifically, we have demonstrated that situational awareness of network assets and access paths is crucial for blocking lateral movement. In that context, we have illustrated the use of two graph-based risk metrics: number of connected components and reachability.
Experts have emphasized the importance for cyber-resilient organizations to think in graphs. However, understanding the complex architecture of multi-layer networks can be extremely challenging. Network Perception’s solutions NP-View and NP-Live have been designed to address this challenge by enabling real-time visibility into network assets and access paths, making it easy to adopt the graph-thinking paradigm in practice.