On this week’s SecurityIntelligence podcast, prolific security pontificators Pam Cobb and David Moulton are at it again — and this time, they’ve got the high-risk, low-noise threat vector known as lateral movement in their sights. Bolstering their collective security insight are IBM Incident Response and Intelligence Services’ (IRIS) incident response consultant Joey Victorino and IBM threat intelligent expert Charles DeBeck.
What Is Lateral Movement?
According to Victorino, lateral movement “consists of a series of techniques that enable an adversary to access and control remote systems in a network.” Instead of attacking key targets directly, lateral threats go after information on corporate devices, such as cached credentials from privileged users, allowing them to pivot across infrastructure and access critical data.
Phishing remains one of the most common starting points for lateral attacks. Cybercriminals target large departments such as human resources and finance with socially engineered emails to gain initial access. What they really want is kept elsewhere, behind more secure corporate lines, but once they’re past the perimeter, even peripheral systems become critical points of compromise.
Adding to the problem is the low noise produced by lateral attacks, since they often leverage common IT solutions and processes to blend in with typical behavior. This allows threat actors to quickly expand their impact. As DeBeck notes, “When you have one computer that’s infected, that’s annoying. When you have 1,000 computers infected, that’s a problem.”
The Four Second Rule: Why Lateral Attacks Are Built for Speed
Four seconds doesn’t seem like a long time, but it’s long enough for malicious actors to infect systems via email attacks and start pivoting across your network. While Victorino notes that advanced persistent threat (APT) groups looking to carry out reconnaissance or deploy more sophisticated attacks will take more time and “do this in a much less noisy manner,” lateral attacks are still built for speed.
Increasing this risk are toolkits capable of automating key processes. According to DeBeck, attacks “happen as quickly as the computer can process commands, rather than requiring the actual individual to type things out.”
Focus on Your Strategic, Tactical and Operational Defense
To limit the success of lateral movement attacks, Victorino and DeBeck recommend increasing focus on three key defense domains:
- Strategic — For Victorino, strategy starts with network design: “Are you on a flat network? Do you have different locations on specific subnets?” Also critical is tool restriction; organizations need to watch for tools such as PsExec that are commonly used by threat actors.
- Tactical — Tactically, visibility is key. Organizations need detective solutions in place capable of capturing unexpected logins, tool use and remote user access.
- Operational — Here, the principal of least privilege informs lateral threat defense. This includes password management and multifactor authentication (MFA). According to DeBeck, “MFA is one of the easiest, cheapest, most effective ways for an organization to reduce lateral movement across the board.”
Lateral movement represents a low-noise, high-risk threat to organizations. Security teams can combat this quick-fire compromise with improved strategic, tactical and operational security.
Pam: I’m going to start by asking us to pause for exactly four seconds. Do you know what just happened in that four seconds, hypothetically speaking?
David: Well, if I’m going to take a guess if our guests aren’t listening, or maybe they’re driving, and they’re paying attention to something else, they think the podcast player they have stopped working. Or maybe you were giving lightning 400 tries to strike the earth.
Pam: I would say that lightning struck on this most recent podcast, David. Good times. So upcoming, we’ve got a discussion on lateral movement, which is not a fancy dance craze, it is actually an attack mechanism. So we are talking about the speed of lateral movement and what exactly happens in those four seconds when it comes to this type of attack.
David: So how would you describe lateral movement to somebody who’s just coming in and hearing about it for the first time?
Pam: I would think that it is akin to getting into the thing that you want. Let’s say you’re getting into a party, you really want to go to this party, you got invited to the lame-o foyer of the party. You haven’t made it into the cool back room and you’re figuring out how you’re going to sidle into that super awesome back room where all the action is happening.
David: But I’m going to guess attackers use it to do things that aren’t as harmless as getting into the cool party.
Pam: This is the “Security Intelligence Podcast” where we discuss cybersecurity industry analysis, tips, and success stories. I’m Pam Cobb.
David: And I’m David Moulton.
Pam: Two of my colleagues, Charles DeBeck and Joey Victorino, join me to discuss lateral movement. Now, you may notice that I really geek out over this kind of topic. This goes back to my origins at Internet Security Systems when my dream job was working with X-Force and helping tell their stories. So podcast was a nice way to close that nice 12-year journey that I’ve been on.
And so I was really excited to talk to them. So we ended up discussing why cybercriminals use lateral movement, some of the business risks, and what some things that businesses can do to protect themselves. And even a little bit of reassurance that the user isn’t always at fault. Here’s our conversation.
Pam: So I want to welcome Charles and Joey to the podcast. I’m hoping you all can give us a little introduction on your backgrounds, and what brings you here to talk to us today. So Joey, let’s start with you.
Joey: Hi, my name is Joey Victorino. I’m a member of the Incident Response and Intelligence Services team here at IBM Security also known as IRIS. The goal of our team is to assist clients respond to cybersecurity incidents that have negatively impact their business.
I’ve been working as an Incident Response Consultant for the past three years leading engagements from beginning to end as both a digital forensics investigator and incident handler. Some of the client engagements that I have managed include investigations related to cybercrime, malware, fraud and data exploitation.
Pam: Great. So Charles, tell us a little bit about your background.
Charles: Sure. Hi, my name is Charles DeBeck. My background is in threat intelligence, in both the public and private sectors. I worked for the Department of Defense, and then Deloitte, now for IBM as part of their Threat Intelligence Production team. And I’ve worked in a variety of different roles in the threat intelligence area for these entities. And thank you so much for having me.
Pam: Absolutely. So we wanted to talk a little bit today about lateral movement. And you know, maybe what that means beyond a weird line dancing phenomenon, how does that apply to cybersecurity.
Joey: So lateral movement consists of a series of techniques that enable an adversary to access and control remote systems in a network. And it could also but not necessarily mean execution of their tools on those remote systems. The lateral movement techniques could also allow an adversary to gather information from a system without needing any additional malware or tools to be able to achieve that goal.
So once an attacker is able to breach an organization, the objective they’re looking for might not be on the machine they actually compromise. So they gather information available on that machine to be able to pivot across the infrastructure to be able to get to the data that they’re looking for.
Pam: So if they’re able to get in through a misconfigured database, they’re able to take advantage of that and go to a different server in the network to maybe get the information they’re actually going for. Is that right?
Joey: That’s right, one of the most classic examples that we are currently seeing out in the field is a user being phished either in a department not related to the information that the threat actor is seeking, such as human resources or finance. And that machine will have cache credentials from an administrator or privileged user that has logged into that machine. And the attacker is able to dump those credentials and use them to pivot or connect remotely to the machine where the data that they’re seeking might reside.
Pam: So do you think in this example of phishing, are certain departments targeted more maybe because of a lack of cyber awareness or just maybe not as good adherence to the corporate mandates on their required cybersecurity training?
Joey: So the sample of HR and finance in my previous question, it doesn’t necessarily mean those users are more susceptible; it’s that they’re usually targeted more. And a persistent attacker is going to do quite a bit of digging into the background, and sometimes even engage via social media to be able to get a level of confidence from the user being targeted. Now we have seen users from all departments, even outside vendors be targeted in the past. So there’s not necessarily a department of users that will be more susceptible. I think that in order to mitigate that as a risk, an organization needs to take regularly, security awareness training.
Charles: More broadly, I think from a threat actor perspective, the issue run into is that it kind of depends on what you’re targeting, and what your end goal is. You know, if my goal is to get research and development information, I might be targeting that particular sector of an organization. If I’m just going after financial, I could go after any subsection of the organization.
But really, that’s all sort of ties into the initial infection vector. And that’s, I think, just one element that happens, in the overall attack chain. But I think what we’re really interested in is the next step, you know, after they get in, how they’re laterally moving within the organization to where they want to be.
Pam: And how fast can that happen? Is it a matter of seconds, minutes, hours, days?
Joey: It really depends on the attacker and the toolset being used. We have seen examples of network worms such as QakBot, or Emotet, that once the malware executes successfully on a compromised machine, they start pivoting across the network in as little as four seconds. So that’s from the moment the user clicks on the email to the malware pivoting across other machines. That time is four seconds.
Now, if APT group or more sophisticated attacker is targeting an organization, they’re likely going to do some reconnaissance on the machine first, and try to get a feel of the environment before moving across. And they’re going to do this in a much less noisy manner.
Charles: One element here that’s really changed historically to now is historically we’ve seen lateral movement being done sort of manually. We have threat actors getting into an environment, getting into an organization, and then have to actually manually go in, type some stuff in and actually balance between machines themselves.
We’ve seen a real shift over the last few years however, to this being done on a more automatic fashion — this is more automated from the threat actor perspective. This allows for lateral movement to happen much faster, because then simply happens as quickly as the computer can process the commands rather than requiring the actual individual to type things out. So this is a lot easier for threat actors.
Pam: So do you think that this transition to automated toolkits is due to the prevalence of malware as a service available out there on the dark web? Or do you think there’s other factors that contribute?
Charles: I think there’s a number of contributing factors as to why we’re seeing this shift. From a threat actor perspective, it’s certainly cheaper and easier to do it this way. It takes a lot less time. And for threat actors, it’s all about time, you know, how can I most quickly, most efficiently get money. And so an automated approach is a great way for them to be able to maximize efficiency.
Malware as a service as well, I think is a great point, and I think is definitely contributing to this shift. Because if I have those lateral movement capabilities already baked into the malware, then it means that I don’t have to figure out how to do it on my own, I don’t have to worry about it, it just sort of happens, as if by magic from a threat actor perspective. Which is great, because it makes my job a lot easier.
And the proliferation of these services has really made it easier for low sophistication threat actors, you know, just random Joe’s coming in off the streets trying to engage in this sort of activity, to be able to engage in very sophisticated lateral movement. Whereas, historically, one had to be very knowledgeable and skilled to be able to do this yourself.
Pam: So Joey talked about there being kind of low noise to this sort of activity. How hard is it to detect in a network?
Joey: That activity can be very difficult to detect at times. A sophisticated actor, by definition from a forensics point of view, is sophisticated because of the methodologies that they use. So we have seen a large spike in the usage of Windows tools that are already included, such as remote administration services, to include PowerShell remoting, PsExec, or Windows Management Instrumentation also known as WMI. These techniques blend in with the same activity that you would be expecting to see from a systems administrator.
So unless the organization has detection capabilities, and monitoring in place, and knows what normal looks like in their environment, it’s very likely that these techniques will fly under the radar until it’s too late, or the attacker has achieved his goal, and was able to remove forensic artifacts from the machine. In which case, you would have to rely on logs, which I’m sorry to say that many organizations are not keeping the proper amount of logs, both for the length of time or collecting from the appropriate amount of sources.
Charles: And I really want to hit on that, one of the points that Joey made, which is the need for a baseline for organizations. One of the biggest challenges to detecting lateral movement within an organization is you have to say, “Hey, am I seeing activity that’s anomalous, that’s unusual for my organization.” Based on a baseline, we’ve already established what normal activity looks like. Because if I don’t know what normal looks like, how can I possibly tell you what abnormal looks like?
And for a lot of organizations, they don’t have the resources, or the visibility, or the capability to be able to baseline the activity. So this activity can go undetected for a long period of time because they simply don’t know what to look for. And that’s especially challenging, I think, for small to medium-sized organizations who maybe don’t have the resources to invest in this sort of investigation baselining.
Pam: So when an organization is susceptible to this kind of lateral movement from attackers, what are the business risks on the flip side of it? We know, you know, you can wreak havoc on IT systems. But what are some of the business implications that we’ve seen?
Charles: What I like to tell people is that when you have one computer that’s infected, that’s annoying. When you have 1,000 computers that’s infected, that’s a problem. And ultimately, that’s the issue you run into with lateral movement. Lateral movement takes an initial infection, which may have been one computer or one system that was infected, and could potentially convert it into a significant issue and headache for the organization.
And what the actual business impact is going to be can really vary based on the end payload that’s being dropped down. You know, you have something like WannaCry, where you have large numbers of ransomware being dropped onto a lot of different machines, and suddenly critical business functions are impaired. Or you could have something like crypto miners being dropped on a lot of machines, and then you’re losing a lot of electricity and processing power and burning out boxes that you have to replace.
There’s a lot of different potential business impacts. But the big thing that lateral movement does is it amplifies that impact, it makes it so it’s not just a small impact, but it could be a huge impact for the organization. And that’s really I think where lateral movement causes the most harm to organizations.
Joey: To build upon what Charles has said, from an investigation perspective, it is very difficult to analyze a large number of machines. Just because sometimes when it’s automated, the spread could be really quick, but something that usually is not talked about when discussing enterprise-wide response is that the remediation effort is proportional as well, to the extent of the compromise. You know, such activities such as rebuilding the network, how do you gain trust in a network that’s had thousands of machines compromised handling potential legal risk, and you know, interruption to business operations. These are all substantial consequences to fix after an enterprise-wide compromise.
Pam: So we talked about financial data being targets, as well as maybe intellectual property. Are there other types of data that are typically at risk?
Charles: Threat actors can really target any variety of data. I think some other things that we’ve seen and observing recently include our internal business communications. And this really gets back to something we’ve seen a lot in recent days, which is business email compromise, where threat actors go in, they compromise internal communications, and then they use that to try and convince organizations to give them a lot of money that they shouldn’t otherwise be doing. So that’s been another potential target.
But otherwise, threat actors tend to be targeting sort of the bread and butter of the threat actor domains, which are financial information, credit card information, personally identifiable information that they can use in other fraudulent activities. Things that are easily monetizable tend to be the highest priority targets. But this can change based on the nature of the threat actor. A nation-state threat actor might go after something different than a cybercriminal, then they might go after something different from an activist. It really depends on the motivations of the actor.
Pam: Okay, so we’ve talked a lot about the threats and the repercussions, but what are some things that businesses can do to protect themselves from this type of attack?
Joey: So there’s really three different domains that apply to limiting the success of a threat actor in an environment. And it’s going to come down to strategic, operational and tactical defenses.
For strategic, this is going to come back to the architecture stage, right. How is your network segregated? Are you on a flat network? Do you have different locations on specific subnets? Are you restricting the tools that are included in Windows? For example, we talked about PsExec earlier. Now, this is a common tool that’s used by threat actors. But if this is not a tool that’s used by your system administration team, then the use of this tool anywhere in your environment should definitely send an alert to your security team or your administration team for at least review.
Now, from an operational perspective, we want to make sure that the principle of least privilege is being implemented. A user whose job does not involve logging into or accessing production databases should not have the ability to do that, as well as having stronger password management, and enforcing the use of multi-factor authentication, when it’s possible.
And lastly, from a tactical perspective, we want to make sure we know that we have detective controls in place for activity that’s unexpected. Be it logins, tools being used, remote users logging into the organization from locations where they don’t do so on a regular basis. These are some of the recommendations that we recommend our clients put in place, both as a preventive measure or when they’re dealing with the remediation stage from a large enterprise breach.
Charles: From an operational perspective, when you’re looking at password management, I know Joey mentioned using multi-factor authentication. And I think this is something that organizations really have to do across the board. It’s so critical to ensuring security, it makes so password leaks are not nearly as effective. It reduces the effectiveness of lateral movement for threat actors trying to move around with stolen credentials. Because they could take all your credentials, but if you have MFA, effectively implemented, it’s going to significantly hamper their ability to move around. So I think MFA is one of the easiest, cheapest, most effective ways for an organization to reduce lateral movement across the board.
The other thing I really want to draw attention to is on the strategic side, looking at PowerShell restrictions. I like to think of 2018 as the year of PowerShell. We saw PowerShell being leveraged by threat actors for initial infection, we saw it being leveraged for lateral movement. Pretty much everyone and their brother was using PowerShell for something or another.
And for organizations that don’t use PowerShell as part of their approved scheme for remote administration, as Joey said, the minute you see PowerShell in your organization, it should be firing off flares, saying, “Hey, we got a problem.” And if your organization doesn’t have the capability or the visibility, to be able to say we have PowerShell going on in the organization when we’re not supposed to, that’s an even bigger problem. Because it means that you can’t detect when this is happening. So for an organization, I think those are the two areas I would personally focus on because they’re both very cost efficient, and very effective at reducing lateral movement for a wide range of threat actors.
Pam: So for anyone that may not know what PowerShell specifically means, do you want to touch on that real quick?
Joey: PowerShell is a scripting language that’s been included in Windows by default for a couple of versions. It’s mostly Windows’ response to bash and an upgraded version of the command.exe that everybody has known for the last couple of decades from Windows. It’s very powerful it allows you to remotely administer a large number of machines, as long as you have the appropriate credentials. And you can do a lot of stuff with PowerShell that you weren’t able to do with the old command.xe.
Pam: Okay. Moving into the response to these types of attacks, how are the different roles in an organization best equipped to respond to this kind of activity? Obviously, the security department is involved. But can you talk a little bit about overall, the coordination to respond to this kind of activity?
Joey: Yeah, so a capable incident response team, as you mentioned, should not be only composed of individuals on the security team. Incident response, as a whole, is a team effort that needs to spread across multiple departments in an organization.
For example, from a management perspective, we want to make sure that management has enough buy-in to be able to support incident response activities. So that means having the proper equipment, having exercises where management is present so they know what their roles are in an incident, as well as putting in the substantial controls that need to be placed at a management level, to make sure that the organization has a plan to be able to respond to incidents effectively, as well as having visibility across the organization, to be able to know how to operate as a team.
If you’re able to detect an incident in its early stages, and you have the full attention of the individuals that need to be made aware, it’s much more powerful and easier to have an appropriate response than if this is not something that’s been taking place. So what we don’t want to see is that there is an alert that’s being fired off, and the security team raises it but there’s no attention to it for months or weeks, and you know, the organization’s name comes up on a new source. And this is something that was caught in the security team was doing their job, but because there was no plan in place on how that should be treated, the alert went unresponded to, and it became a huge issue.
Pam: So you both mentioned multi-factor authentication as one way to help stop the spread of lateral movement. Do you think that applies to helping protect users within the organization from the repercussions of this kind of attack?
Charles: So say that I as an individual member of your organization, go out and use my same password for my business account. And then I also register for a Pandora account. And then my Pandora password’s leaked, and then subsequently, they try to break into the organization.
They won’t be effective with multi-factor authentication, which reduces the burden on me as an individual user and replaces that burden with a strategic level policy for the organization. Any time you can take away responsibility from the individual and put it up to the strategic level, you’re going to see a better return on investment and a more effective type of security posture.
And so from a lateral movement perspective, if the exact same thing is true. If I can make it so that if one user is compromised, then they won’t be able to break out and get to other users as easily. Because I have this MFA policy in place that will reduce the overall impact on the organization. And it will be much more efficient, rather than just relying on you know, this one guy, Charles to do exactly what he’s supposed to all the time, and just hoping that it all works out.
Pam: So how else can organizations protect users from the consequences then?
Charles: For an organization, I think the first step I would do when you’re trying to figure out how we can best protect against lateral movement, any sort of process has to start with asking what are the things we want to protect? What assets are most important to us? So we can ensure that those are put in the right places and protected against lateral movement most effectively. Then we need to start asking how can we break down our network so that we minimize business impact, and minimize data loss if there was an attack and lateral movement was achieved.
Once we’ve done those sorts of activities, I think we’ve done a really good job of reducing the impact of lateral movement overall. One other potential way that organizations can figure out how to protect themselves against lateral movement is through effective penetration testing. And that’s something where doing effective pen testing can help you figure out where there might be gaps or holes in your network segmentation so that you can repair those holes before they become an issue with threat actors.
Pam: So when it comes to protecting against lateral movement, and attacks, how do you see organizations changing how they’re addressing this in the next six months to maybe a year?
Joey: I think that as more breaches come to light, and more research is being done in the area, and blogs are being posted. And companies are doing, you know, proactive exercise, such as pen testing, or conducting tabletop exercises. And, you know, at a management level, people were being made aware of some of the threats out there of how one machine being compromised could lead to thousands of machines being compromised. It’s going to change the response as a whole from organizations to be able to either invest more time or find solutions that will increase the visibility into their environments.
Charles: I think the other thing that we’re going to be seeing is increased use of threat intelligence, to determine how are threat actors attempting to move laterally? What techniques are they using? And what sort of services are being offered on underground forums, underground marketplaces, that threat actors might be leveraging, so we can protect ourselves against those proactively.
The idea here being, if I’m using my threat intelligence effectively, it should also be telling me what tactics, techniques, and procedures threat actors are using so that I can implement defenses accordingly. So I like to hope that we see in organizations using this threat intelligence more effectively in the future, to protect against lateral movement as well.
Pam: Great. So before we close, any final words of advice, or insights that you want to share with the listeners?
Joey: Know what’s running. I’ll say the biggest lesson that we hope to pass along from this podcast is take a look in your environment, know what’s going on. Log in to a random machine on your network that you have access to if you’re on the security team. If you’re not on the security team, and you’re in management, ask your security team, “Hey, or do we have any of these tools running in our environment? Should it be there? Are we reviewing access of those tools?”
Charles: I think my parting thought overall is that for a long time in cybersecurity industry, we blamed the user. We said, “We can’t believe, this guy clicked on that email. I can’t believe that this guy went to that website.” And we keep blaming the end user for the fault here.
But at the end of the day, the breaches that we’re seeing cost the most money, the instances that we’re seeing, causing the most havoc, and causing the most harm to organizations – the harm isn’t coming from the guy who clicked on one email, the harm is coming from the fact that the guy clicked on email, and then it spread to 1,000 more machines and caused critical damage.
And I think we have to stop blaming the user and stop blaming the victim at the end of the day and start saying how can we approach this from a strategic and organizational standpoint, to better protect ourselves. And the very first step here is by preventing lateral movement. If the organization can make it so that every infection is limited to just a few machines, then you’re never going to have a major issue, or you’re very rarely going have a major issue that it’s going cause critical business stoppage or critical harm to the organization.
Pam: I really like the sentiment that it may not necessarily be the user’s fault. We put a lot of emphasis on user education, and user education in cybersecurity. It is honestly the worst thing to try and get people to do. And it’s not just getting them to do it, but practically apply it and get it right 100 percent of the time. Because we’ve had heard people say many times, cyber security professionals have to get it right every time attackers only have to get it right once.
And you really see that when it comes to this whole idea that user training may not be the thing that solves everything certainly you don’t want to just not have it. But when you take a look at corporate structure and the IT network, and how that’s all connected together, and some of the points that they made about, well, how could you even segment your network and we draw that out. And so I really like that sentiment that yes, there is more work to be done by IT groups in order to set things up. So a user failure isn’t the worst thing that’s going to happen.
David: Right, I don’t think we can always count on humans to get it right 100 percent of the time. But we can engineer things and structure things in such a way that we’ve compartmentalized and made it very difficult to make mistakes, make it difficult to exploit things. And then build in those risk medications is layers, anticipating an error rate, anticipating that you’re going to have mistakes occur.
Pam: So David, do you have any good news for us this week?
David: Yeah, Pam, there’s a really interesting piece of news that came out. The GozNym gang, the criminal gang, was shut down. Law enforcement working across country — so different groups, international law enforcement — were able to arrest 10 different defendants in five different countries. You know, this is a group that was seeking to steal up to $100 million from folks. And you know, it’s great to see a payoff like this, something that’s public, something that’s really tangible, stops a group like that in their tracks.
And then I think the icing on the cake is that our X-Force team, you know, had a little hand in naming and seeing that gang’s pattern and passing that along to our counterparts in law enforcement. So sometimes it’s hard to describe what we do in our business. And it’s nice to be able to point to something like this, where it all works. You’ve got somebody that wants to take advantage of lots of different victims, and you’re able to put a stop to that.
Pam: And I think it’s really great to see the partnership between the business world and political, and you know, state organizations because that’s what’s needed when, as you said, it’s five different countries. So a lot of different coordination needed to happen to make that success in taking down the network. And I just love it when we see those success stories where business is able to partner with government and make things happen.
And that is it for this episode. So thanks to Charles DeBeck and Joey Victorino for joining us as guests.
David: Listen to this podcast on SoundCloud or wherever you get your podcasts. And for more security stories, visit SecurityIntelligence.com. A big thanks to our producers, Megan and Ted, and most of all, thanks for listening.