
It is estimated that over 75% of cyber attacks come from outside your network. While every attack is unique and tactics may vary, the basic stages of an outsider attack are similar. During the attack, an attacker uses four basic steps to gain a foothold in your environment.
- Attack the perimeter – Get past any perimeter protections to gain access to internal resources of the network, such as a user’s computer or a server on the internal network. This can be accomplished using a known vulnerability, or by convincing a user to run a program from an email link or attached file.
- Malware Drop – Once they have access to an internal resource, they drop malware onto the endpoint and begin communicating with the compromised device, usually through a command and control system. Using the permissions of the current user, they gather intelligence about the network and attempt to elevate their permissions on that endpoint.
- Lateral Movement – They now start looking for resources on other systems on the same internal network. As new systems are discovered, they are also compromised and start communicating with the attacker’s command and control system. They gather more intelligence and try to elevate their permissions on all compromised systems.
- Trigger Payload – Once your network and systems are owned by the attacker, they start exfiltrating and/or encrypting the files on the compromised internal resources. Game Over.
There are some common mitigation strategies your organization can implement to help prevent lateral movement (step 3 shown above) during an attack. You won’t always detect the initial compromise of an internal resource, but you can limit the damage that can be inflicted by implementing some basic security steps.
Here are 10 steps to reducing a lateral movement attack:
- Malware and Virus Detection – Install and properly configure an anti-malware and anti-virus solution on every endpoint. This offers, as a minimum, basic protection from known malware signatures, and will likely also offer heuristic detection that flags behavior indicating malicious activity, even during zero-day attack attempts. The Microsoft Defender endpoint protection features in Windows 10 are a good example of this type of software: highly rated and very effective.
- Standard User Accounts – Since users are usually the ones that allow the initial compromise through drive-by downloads or clicking on a phishing email, you must limit the power of the malware by limiting the power of the user. Require all users to log in with a standard user account and don’t make them a local administrator on any computer. Even administrators should log into their computer with a standard account as a normal practice. They should only log into systems with administrative rights when they actually need to perform administrative tasks.
- Enforce Least Privilege – Only allow users access to systems if they have a business need for that resource. Grant only the minimum privileges that allow the user to do exactly what they need to do, nothing more. This helps prevent malware from using the user’s permissions to gain unauthorized access to sensitive data.
- Multifactor Authentication – Implement multi-factor authentication for access to internal and external systems, all applications, and even social media. This requires the user to approve access through a mobile application or SMS message before their password alone is accepted. This means that even if a user’s password is stolen or guessed by an attacker, they can’t access the resource without the user’s cellphone.
- Conditional Access Controls – Restricting access based on elements like location, operating system, or even time of day is a basic control that limits account login, even with valid credentials, and enforces policy dynamically at sign-in. Microsoft O365 and Azure offer a wide range of conditional access features based on location, operating system, user risk, etc. that add security options for greater account protection.
- Strong Password Management – Require strong passwords that are different for every account. Never allow users to reuse passwords, and encourage users to use password managers so they have strong password hygiene. Block common unsafe passwords (e.g. password1, qwerty123) and configure systems to log failed password attempts. Configure systems and devices to change or eliminate default passwords, and require a unique password for every privileged account on every system. Never store passwords inside a script. Implement SSH key management tools.
- Patch Management – Configure systems and devices to automatically download and install vendor patches as soon as they become available. If the system needs to be tested before any patch is applied, do the testing as soon as possible, with the target of installing all vendor patches within 30 days. Fewer vulnerabilities make it harder for an attacker to get into a system through a software security weakness.
- Network Segmentation – Group assets (users, application servers, etc.) into logical units that do not trust each other. Segmenting your network reduces the “line of sight” access attackers must have into your internal systems. For access that needs to cross trust zones, require a secured jump server with multi-factor authentication, adaptive access authorization, and session monitoring. If malware can’t reach other systems, the attacker’s ability to jump from one system to the next is severely limited. Where possible, go beyond standard network segmentation and segment based on the context of the user, role, application and data being requested.
- Implement Threat Behavior Monitoring – Implement baseline security event monitoring and log the events that will later help you understand which systems were compromised. Using advanced threat detection (including user behavior monitoring), you can quickly detect compromised account activity as well as symptoms of insider privilege misuse.
- Application Whitelisting – If possible, implement policies that only allow known good applications to execute while you block and log all other application launch attempts. Windows 10 allows you to implement this functionality using AppLocker. As a minimum, you can pre-install the software required by a user and block them from installing any new software.
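The threat behavior monitoring and password-failure logging steps above call for logon events to be collected and then hunted through. The added example below (not code from the original post) shows one such hunt over a handful of constructed records in a simplified Windows Security log shape: it counts failed logons per account and flags any account that fans out to many distinct hosts over the network within a short window, which is the shape lateral movement leaves in logs. The record format, field names and thresholds are assumptions chosen for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified Windows Security log shape
# (event 4624 = successful logon, 4625 = failed logon, logontype 3 = network).
SAMPLE_LOG = """\
2024-05-01T09:00:05 host=WS-01 event=4624 logontype=3 user=jdoe src=10.0.1.23
2024-05-01T09:01:10 host=WS-02 event=4625 logontype=3 user=jdoe src=10.0.1.23
2024-05-01T09:01:12 host=WS-02 event=4624 logontype=3 user=jdoe src=10.0.1.23
2024-05-01T09:02:40 host=FS-01 event=4624 logontype=3 user=jdoe src=10.0.1.23
2024-05-01T09:03:15 host=DB-01 event=4624 logontype=3 user=jdoe src=10.0.1.23
2024-05-01T09:03:50 host=WS-07 event=4624 logontype=3 user=jdoe src=10.0.1.23
2024-05-01T09:10:00 host=WS-03 event=4624 logontype=2 user=asmith src=-
2024-05-01T10:30:00 host=FS-01 event=4624 logontype=3 user=asmith src=10.0.1.40
"""

LINE_RE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) "
                     r"logontype=(?P<ltype>\d+) user=(?P<user>\S+) src=(?P<src>\S+)")

def parse(log_text):
    # One record per line; lines that do not match the assumed shape are skipped.
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events

def failed_logons(events):
    """Failed-logon (4625) count per account: the password-failure signal to log."""
    return dict(Counter(e["user"] for e in events if e["event"] == "4625"))

def fanout_alerts(events, window=timedelta(minutes=10), threshold=4):
    """Flag a (user, source) pair whose successful network logons reach `threshold`
    distinct hosts inside any `window`; interactive (non-network) logons are ignored."""
    by_actor = defaultdict(list)
    for e in events:
        if e["event"] == "4624" and e["ltype"] == "3":
            by_actor[(e["user"], e["src"])].append((e["ts"], e["host"]))
    alerts = {}
    for actor, logons in by_actor.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= threshold:
                alerts[actor] = sorted(hosts)
                break
    return alerts
```

In real use the thresholds should be tuned against a baseline of normal activity (backup and scanning accounts legitimately touch many hosts), which is why the list pairs logging with behavior monitoring rather than fixed rules alone.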
While backups will not help prevent a successful lateral movement attack, if your files are compromised by an attack, your only remediation may be to restore or replace the missing or encrypted files from a recent backup. Don’t forget to include offline backups in your security efforts as a safety net for when all preventative measures fail.

While none of these steps will prevent a successful attack on their own, a combination of tactics can truly limit the ability of a successful attack to do severe damage to your business. By limiting the scope of an attack you can reduce the cost of recovery, limit the scope and quantity of lost or damaged files, prevent a compromise of critical business intelligence, and build confidence in your ability to protect critical business assets.