Lateral Movement By Default
Randy Watkins


Jan 26, 2017


InnoTech
Transcript
Page 1: Lateral Movement by Default

Lateral Movement By Default
Randy Watkins

Page 2: Lateral Movement by Default

© 2015 Critical Start LLC. All Rights Reserved

Critical Start: Who We Are

Critical Start is a Threat Management company with the goal of measurably improving the security effectiveness of our customers. We developed a security framework to evaluate the status of your security controls and assess your current environment. The core inputs of our methodology are:

• Attack Phase Maturity: following a kill chain methodology, understanding the ability to detect initial compromise, lateral movement, breach detection and response
• Security Efficiency: control effectiveness, impact to user experience, upfront costs, and ongoing costs. Security Efficiency is used to prioritize how to address attack phase maturity gaps
• Critical Assets and Data: what is the likelihood that outside attackers would specifically target your organization? Critical assets and data are viewed from the point of view of third-party value versus business impact
• Impact of Compliance: what compliance and regulatory requirements are driving security practices within your company?

Page 3: Lateral Movement by Default

Agenda

• Define Lateral Movement
• How It’s Done
• Methods of Lateral Movement
• Recommendations for Limiting Effectiveness
• Can it be Prevented?

Page 4: Lateral Movement by Default

What is Lateral Movement?

"We are currently not planning on conquering the world."
– Sergey Brin

Page 5: Lateral Movement by Default

What is Lateral Movement?

Using an initial point of compromise to migrate to other network assets.

What is gained with Lateral Movement?
– Establish persistence
– Identify critical assets
– Find sensitive data

Lateral movement expands the attack footprint and increases incident response effort, including the work of identifying potential exfiltration.

Page 9: Lateral Movement by Default

A (mostly) Hidden Threat

• Initial compromise can use:
– Malware – easier to detect and prevent
– Legitimate credentials – go after the user

• Attacker’s point of view:
– Any user account or machine is valuable to an attacker
– Legitimate credentials are less alarming than malware callbacks to a C2 server
– Once an attacker finds their way in…


Page 11: Lateral Movement by Default

SSC Syndrome

• SSC Syndrome – Soft Squishy Center
– Most security budget is spent protecting the perimeter
– Few security measures prevent spread inside the network
– It is very difficult to weed out false positives to identify lateral movement
– Most Windows machines, networks, and Active Directory deployments are built for convenience, and that convenience includes lateral movement

Page 12: Lateral Movement by Default

Methods Of Lateral Movement

"We are currently not planning on conquering the world."
– Sergey Brin

Page 13: Lateral Movement by Default

Malware Back Door

• Attacker installs, or gets the user to install, a back door
– Phishing email
– Drive-by download
• Computer communicates with a C2 server or opens a direct shell to the attacker
• Attacker accesses the computer

Page 14: Lateral Movement by Default

Legitimate Credentials with VPN

• Attacker compromises legitimate credentials
– Spear phishing
– Brute force
– Malware
• Attacker logs into the network through the VPN with those credentials
• Attacker does recon to find additional machines

Page 15: Lateral Movement by Default

Pass the Hash

• Attacker accesses a compromised machine
– Malware
– Legitimate credentials
• Attacker captures the credential hashes cached in memory on that machine
• Attacker replays the captured hashes to authenticate to other machines (NTLM accepts the hash itself, so the plaintext password is never needed)
• Attacker continues recon to keep spreading through the network

Page 16: Lateral Movement by Default

Forget the Hash. Plaintext FTW!

• Multiple tools will pull credentials in clear text from LSASS memory (the WDigest provider kept plaintext passwords there on Windows releases before 8.1/2012 R2 and KB2871997)
– Mimikatz
– Windows Credential Editor

Page 17: Lateral Movement by Default

Rinse, Lather, Repeat

• Malware is dropped and credentials are harvested
• The cycle is repeated to extend exfiltration and the attack footprint
• Incident detection turns into incident containment and response

Page 18: Lateral Movement by Default

Preventing/Restricting Lateral Movement

"We are currently not planning on conquering the world."
– Sergey Brin

Page 19: Lateral Movement by Default

Prevention

Start at the source:
– Malware
• Use anti-virus or a next-gen endpoint product to prevent initial infection
• Employ network-based detection to find things endpoint agents may not pick up
– Legitimate credentials
• Employ spam and spear-phish filtering
• Enforce strong passwords
• User education
– Staged phishing campaigns
– Security bulletins/newsletters

Page 20: Lateral Movement by Default

Control Local Accounts

• Have unique passwords for local admin accounts
– Microsoft LAPS is a free tool for managing these
• Deny network logon for local accounts
• Remove user accounts from the local Administrators group
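An added example, not from the deck, that audits the three items above on one host. It assumes the legacy LAPS schema attribute ms-Mcs-AdmPwdExpirationTime (the newer Windows LAPS uses msLAPS-PasswordExpirationTime instead), the RSAT ActiveDirectory module, PowerShell 5.1 or later for the *-LocalGroupMember cmdlets, and an elevated prompt for secedit. The OU path is an assumption.

```powershell
# Added example, not deck code: audit local-account controls on a domain member.

function Test-DenyNetworkLogonForLocalAccounts {
    # Exports the effective user-rights policy with secedit and checks SeDenyNetworkLogonRight
    # for the well-known SIDs S-1-5-113 (Local account) and S-1-5-114 (Local account and member
    # of Administrators group). S-1-5-113 covers every local account; S-1-5-114 alone only
    # covers local administrators, which is the minimum that blocks local-admin hash replay.
    $cfg = Join-Path $env:TEMP 'userrights.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeDenyNetworkLogonRight\s*=' } | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $sids = if ($line) {
        ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    } else { @() }
    [pscustomobject]@{
        Setting        = 'SeDenyNetworkLogonRight'
        Assigned       = ($sids -join ',')
        AllLocalDenied = ($sids -contains 'S-1-5-113')
        AdminsDenied   = ($sids -contains 'S-1-5-113') -or ($sids -contains 'S-1-5-114')
    }
}

function Get-LocalAdminDomainUsers {
    # Domain user accounts (not groups) sitting directly in the local Administrators group.
    # Each one is a credential that, once harvested here, is valid on every other host it is on.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'ActiveDirectory' } |
        Select-Object Name, SID
}

function Get-ComputersWithoutLaps {
    # Domain computers whose LAPS password has never been set (no expiration timestamp), i.e.
    # hosts that are still likely to share the image's local administrator password.
    # Get-ADComputer throws if the LAPS schema extension has not been installed.
    param([string] $SearchBase)
    $params = @{ Filter = 'OperatingSystem -like "*Windows*"'; Properties = 'ms-Mcs-AdmPwdExpirationTime' }
    if ($SearchBase) { $params['SearchBase'] = $SearchBase }
    Get-ADComputer @params |
        Where-Object { -not $_.'ms-Mcs-AdmPwdExpirationTime' } |
        Select-Object Name, DistinguishedName
}

Test-DenyNetworkLogonForLocalAccounts
Get-LocalAdminDomainUsers
Get-ComputersWithoutLaps -SearchBase 'OU=Workstations,DC=corp,DC=example'   # assumed OU
```

Remediation for a user found by Get-LocalAdminDomainUsers is Remove-LocalGroupMember -Group 'Administrators' -Member 'CORP\jdoe' (domain name assumed). The deny right itself is best set centrally through Group Policy (User Rights Assignment, "Deny access to this computer from the network") rather than per host; this script only verifies what the policy actually produced.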

Page 21: Lateral Movement by Default

Control Network Accounts

• Log events from privileged accounts
• Do not give privileged accounts email boxes
• Do not nest Active Directory groups into privileged groups
• Enforce strong passwords
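An added example, not from the deck, that audits the nesting and mailbox items above against Active Directory. It needs the RSAT ActiveDirectory module; the list of privileged groups is an assumption to extend with your own Tier 0 groups, and the mail attribute is used as a stand-in for "has an email box" because a live Exchange session is not assumed.

```powershell
# Added example, not deck code: find nesting and mailboxes on privileged AD groups.

# Assumed starting list; add any group that can reach Domain Admin-equivalent rights.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'

function Get-NestedPrivilegedGroups {
    # Direct members of each privileged group that are themselves groups. Nesting hides who
    # really holds the privilege and lets a group owner elsewhere add members to Tier 0.
    foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g |
            Where-Object objectClass -eq 'group' |
            ForEach-Object {
                [pscustomobject]@{
                    PrivilegedGroup = $g
                    NestedGroup     = $_.Name
                    # Users that inherit the privilege through the nested group.
                    EffectiveUsers  = @(Get-ADGroupMember -Identity $_.DistinguishedName -Recursive |
                                        Where-Object objectClass -eq 'user').Count
                }
            }
    }
}

function Get-PrivilegedUsersWithMail {
    # Users who end up (directly or through nesting) in a privileged group and have the
    # 'mail' attribute set, i.e. a phishable account that is also an admin.
    $seen = @{}
    foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object objectClass -eq 'user' |
            ForEach-Object {
                if (-not $seen.ContainsKey($_.SamAccountName)) {
                    $seen[$_.SamAccountName] = $true
                    $u = Get-ADUser -Identity $_.SamAccountName -Properties mail
                    if ($u.mail) {
                        [pscustomobject]@{ User = $u.SamAccountName; Mail = $u.mail; Via = $g }
                    }
                }
            }
    }
}

Get-NestedPrivilegedGroups  | Format-Table -AutoSize
Get-PrivilegedUsersWithMail | Format-Table -AutoSize
```

Any row from the first function is a candidate for flattening: add the effective users directly and remove the nested group. Rows from the second are accounts that should be split into a daily-driver account with a mailbox and a separate admin account without one. For the "log events from privileged accounts" item, the same recursive membership list is the set of accounts whose 4624/4672 logon events deserve a dedicated alert.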

Page 22: Lateral Movement by Default

Control Remote Access

• Require privileged accounts and VPN users to use two-factor authentication
• Enforce device certificate authentication
• Log all VPN connections and correlate suspicious logins
• Reduce or remove the default number of cached domain logons (CachedLogonsCount, 10 by default)
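An added example, not from the deck, for the logging and cached-credential items above: it reads and sets the Winlogon cached logon count and runs two simple correlations over VPN connection records. The VPN records are constructed sample data in a vendor-neutral CSV shape (time,user,srcip,country); map your own appliance's export to those four columns. The users, IPs and the privileged-account name are assumptions.

```powershell
# Added example, not deck code: cached logon count and VPN logon correlation.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    # Winlogon stores CachedLogonsCount as a REG_SZ; the default is 10 cached domain logons,
    # each of which is a hash an attacker can dump and crack offline.
    $v = (Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -ne $v) { [int]$v }
}

function Set-CachedLogonsCount {
    # 0 disables cached logons entirely (laptops then cannot log on off-network); 1 keeps only
    # the last interactive user. Must run elevated; a Group Policy setting will override it.
    param([ValidateRange(0, 50)] [int] $Count)
    Set-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -Value ([string]$Count) -Type String
}

function Find-SuspiciousVpnLogons {
    param(
        [Parameter(Mandatory)] [object[]] $Records,   # objects with time,user,srcip,country
        [string[]] $PrivilegedUsers = @(),            # accounts that should never arrive over plain VPN
        [int] $WindowMinutes = 60
    )
    $byUser = $Records | Sort-Object { [datetime]$_.time } | Group-Object user
    foreach ($grp in $byUser) {
        $rows = @($grp.Group)

        # Privileged accounts belong on a jump host with 2FA, not on the user VPN.
        if ($PrivilegedUsers -contains $grp.Name) {
            foreach ($r in $rows) {
                [pscustomobject]@{ Time = $r.time; User = $r.user; SourceIp = $r.srcip; Reason = 'privileged account over VPN' }
            }
        }

        # Same account from two different source IPs within the window: the credential is in
        # use from more than one place, typically the legitimate user and whoever phished them.
        for ($i = 1; $i -lt $rows.Count; $i++) {
            $prev = $rows[$i - 1]
            $cur  = $rows[$i]
            $gap  = ([datetime]$cur.time - [datetime]$prev.time).TotalMinutes
            if ($cur.srcip -ne $prev.srcip -and $gap -le $WindowMinutes) {
                [pscustomobject]@{
                    Time     = $cur.time
                    User     = $cur.user
                    SourceIp = $cur.srcip
                    Reason   = "second source ($($prev.srcip)/$($prev.country) -> $($cur.srcip)/$($cur.country)) within $([int]$gap) min"
                }
            }
        }
    }
}

# Constructed sample export (made-up users, addresses and times).
$vpn = @'
time,user,srcip,country
2017-01-26 07:58:00,jdoe,203.0.113.10,US
2017-01-26 08:20:00,jdoe,198.51.100.7,RO
2017-01-26 08:30:00,svc_backup,203.0.113.22,US
2017-01-26 12:00:00,asmith,192.0.2.45,US
2017-01-26 18:00:00,asmith,192.0.2.46,US
'@ | ConvertFrom-Csv

"CachedLogonsCount on this host: $(Get-CachedLogonsCount)"
Find-SuspiciousVpnLogons -Records $vpn -PrivilegedUsers 'svc_backup' -WindowMinutes 60 | Format-Table -AutoSize
```

On the sample, jdoe is flagged (a second source address 22 minutes after the first) and svc_backup is flagged as a privileged account on the VPN; asmith's two logons are six hours apart and pass. Pair the VPN records with the domain controller's 4624 events for the same accounts to see which internal hosts a suspicious session went on to touch.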

Page 23: Lateral Movement by Default

Control the Network

• Use jump hosts for administrative access
• Segment guest/user/server/critical asset networks
– Leverage user segmentation where possible

Page 24: Lateral Movement by Default

Additional Resources

• Microsoft Pass The Hash (PTH) Mitigation Paper
– http://www.microsoft.com/en-us/download/details.aspx?id=36036
• Microsoft LAPS TechNet Security Advisory
– https://technet.microsoft.com/library/security/3062591
• Channel 9 Videos
– https://channel9.msdn.com/Events/Blue-Hat-Security-Briefings/BlueHat-Security-Briefings-Fall-2012-Sessions/BH1208
– https://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/ATC-B210

Page 25: Lateral Movement by Default

Critical Start LLC
6860 North Dallas Pkwy, Ste 200
Plano, Texas 75024
Phone: [email protected]

Learn more about creating your own Defendable Network at: http://www.criticalstart.com/the-defendable-network-2/