In the first article, we looked at how attackers commonly exploit networks to exfiltrate or modify data, or to carry out denial of service (DoS) attacks. A range of defensive measures was then identified which can be effective in preventing the vast majority of attacks.
However, it is simply not realistic to assume that all possible attacks can be prevented. Eventually an attack may succeed simply because of human error, device misconfiguration, or perhaps as a result of a new and previously unseen exploit of software for which no patch is yet available (the zero-day exploit).
Therefore, it is reasonable to assume that at some point in time a remote attacker will gain a presence in your network. In this article we will look at measures which can be implemented to prevent an attacker’s ability to move laterally and compromise more systems.
When an attacker gains an initial foothold on one system inside a network, they need to work to expand their influence. This will typically involve gaining credentials and privileges which enable them to move to other systems.
As an attack progresses, more systems are compromised and more credentials are gained along the way. Eventually the attacker gains access to a high value, high privilege account and the victim network is now effectively ‘owned’ by the attacker.
So, what factors will hinder the progress of an attacker on the way to becoming domain admin and stealing all of the corporate secrets?
Check your privilege
The first thing to consider is the privilege level of the attacker when the first system is compromised. If the attacker has landed on a system where the compromised user account carries a high level of privilege (a local administrator on that host or, worse, a privileged domain account), then it will be a simple matter for the attacker to use the credentials of that user to make connections to other systems.
For this reason, it is highly advisable to configure all users to run with the minimum level of privilege required to perform their job – and no more. A typical attacker will want to run a tool such as Mimikatz or Gsecdump in order to steal credentials or dump password hashes out of memory. Both read the memory of the LSASS process, which requires administrator rights on the host (Mimikatz enables SeDebugPrivilege first for exactly this reason), so this will not be possible while running in a restricted user account. The attacker will now require a privilege-escalation attack on the compromised host, which gives defenders another chance to notice the attack occurring. The same discipline applies to administrators: a domain administrator who logs on interactively to an ordinary workstation leaves credentials in that workstation’s memory, so least privilege is as much about where privileged accounts are used as about what ordinary users can do.
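A practical check for the point above is to find out who actually holds local administrator rights on your hosts. The following PowerShell script is an added example (not code from the original article): it queries the local Administrators group on a list of hosts and reports every member that is not on an approved list. The host names and the approved group names are assumptions and must be replaced with your own inventory.

```powershell
# Added example, not code from the original article. Audits the local
# Administrators group on a set of hosts and reports members that are not on an
# approved list. The host names and the approved groups are assumptions; replace
# them with your own inventory.
$Hosts    = @('WS-001', 'WS-002', 'SRV-FILE01')
$Approved = @('CONTOSO\Domain Admins', 'CONTOSO\Workstation Admins')

$Findings = foreach ($Computer in $Hosts) {
    try {
        $Members = Invoke-Command -ComputerName $Computer -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' |
                Select-Object Name, ObjectClass, PrincipalSource
        }
    }
    catch {
        Write-Warning "Could not query ${Computer}: $($_.Exception.Message)"
        continue
    }

    foreach ($Member in $Members) {
        # The built-in local Administrator account is expected to be present;
        # everything else must appear on the approved list.
        $IsBuiltIn = ($Member.PrincipalSource -eq 'Local') -and ($Member.Name -like '*\Administrator')
        if ($IsBuiltIn) { continue }

        if ($Approved -notcontains $Member.Name) {
            [pscustomobject]@{
                ComputerName = $Computer
                Member       = $Member.Name
                Type         = $Member.ObjectClass   # 'User' is the worst case: a reusable credential
                Source       = $Member.PrincipalSource
            }
        }
    }
}

# Any row of type 'User' is an account whose hash or ticket can be pulled from
# LSASS on that host as soon as an attacker gains admin rights there.
$Findings | Sort-Object ComputerName, Member | Format-Table -AutoSize
```

Run it from an administrative workstation with PowerShell remoting enabled on the targets. A domain user account appearing directly in a workstation’s Administrators group is the finding to chase first: it is both an easy privilege level for an attacker to land on and a credential that works on every other host where it holds the same membership.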
Another important factor is the design of the network itself. An attacker can only compromise those systems they are able to reach over the network, so network segmentation will be a big factor in preventing lateral movement.
The most effective way to achieve this is through the use of routing and switching: VLANs segregate groups of systems logically, and firewall rules or access control lists on the routed boundaries between them filter the traffic flows that are allowed to cross. Bear in mind that an ACL on the router only sees traffic that crosses a VLAN boundary; two workstations in the same VLAN talk to each other directly through the switch, so workstation-to-workstation traffic, the most common lateral-movement path, has to be controlled with private VLANs or a host firewall policy as well.
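The article describes filtering between VLANs with router ACLs; the PowerShell below is an added example (not from the original article) that applies the same segmentation policy on each Windows workstation with Windows Defender Firewall, which also stops peer-to-peer traffic inside a single VLAN where a router ACL never sees it. The subnet, jump-host addresses and rule names are assumptions.

```powershell
# Added example, not from the original article. Enforces the segmentation policy
# on the host with Windows Defender Firewall, so that workstation-to-workstation
# traffic is dropped even inside a single VLAN. Subnets and jump-host addresses
# are assumptions; use your own.
$WorkstationSubnet = '10.10.0.0/16'                 # assumed: the user workstation VLAN
$JumpHosts         = @('10.20.1.10', '10.20.1.11')  # assumed: admin jump hosts, outside that VLAN

# Ports an attacker on one Windows host uses to reach the next one:
# RPC endpoint mapper (135), SMB (445), RDP (3389), WinRM (5985/5986).
$LateralPorts = @('135', '445', '3389', '5985', '5986')

# Default-deny inbound on the domain and private profiles; the rules below open only what is needed.
Set-NetFirewallProfile -Profile Domain, Private -DefaultInboundAction Block

# Log dropped packets: a workstation suddenly probed on 445 by another workstation
# is a lateral-movement indicator worth forwarding to the SIEM.
Set-NetFirewallProfile -Profile Domain, Private -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Allow the management ports from the jump hosts only.
New-NetFirewallRule -DisplayName 'Seg: admin ports from jump hosts' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $LateralPorts `
    -RemoteAddress $JumpHosts -Profile Domain -Enabled True

# Block the same ports from every other workstation. Windows Firewall evaluates
# Block rules before Allow rules, so the jump hosts must not sit inside
# $WorkstationSubnet or this rule would override the allow rule above.
New-NetFirewallRule -DisplayName 'Seg: block workstation-to-workstation' `
    -Direction Inbound -Action Block -Protocol TCP -LocalPort $LateralPorts `
    -RemoteAddress $WorkstationSubnet -Profile Domain -Enabled True

# Review the result.
Get-NetFirewallRule -DisplayName 'Seg:*' |
    Format-Table DisplayName, Direction, Action, Enabled -AutoSize
```

In practice these rules would be pushed by Group Policy rather than run by hand on each host. To verify the policy, run Test-NetConnection against port 445 of one workstation from another in the same VLAN; it should now report TcpTestSucceeded as False, while the same test from a jump host succeeds.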
An important point to realise is that attackers will use whatever tools are available to them to achieve their objective. If they discover network enumeration tools, port scanners or password cracking utilities already installed on a system, they will happily use them against you, and such use blends in with legitimate administration far better than a tool they have to bring with them.
[Please turn to page two to read about software restriction policies, multi-factor authentication, and the importance of actually examining log files]