Just a few short years ago, lateral movement was a tactic confined to top APT cybercrime organizations and nation-state operators. Today, however, it has become a commoditized tool, well within the skillset of any ransomware threat actor. This makes real-time detection and prevention of lateral movement a necessity to organizations of all sizes and across all industries. But the disturbing truth is that there is actually no tool in the current security stack that can provide this real-time protection, creating what is arguably the most critical security weakness in an organization's security architecture.
In this article, we'll walk through the most essentials questions around the challenge of lateral movement protection, understand why multifactor authentication (MFA) and service account protection are the gaps that make it possible, and learn how Silverfort's platform turns the tables on attackers and makes lateral movement protection finally within reach.
Upcoming Webinar: If you're interested in learning more about lateral movement and how to prevent it in real-time, we invite you to sign up for our upcoming webinar. Industry experts will share valuable insights on the subject and answer any questions you may have.
Ready? Let's begin.
Why is lateral movement a critical risk to an organization?
Lateral movement is the stage where a compromise of a single endpoint becomes the compromise of additional workstations and servers in the targeted environment. It's the difference between a single encrypted machine and a potential operational shutdown. Lateral movement is used in over 80% of ransomware attacks, making it a risk to every organization in the world willing to pay to redeem its data from attackers.
So how does lateral movement actually work?
It's actually quite simple. Unlike malware, which comes in many different forms, the process of lateral movement is straightforward. In an organizational environment, every user that is logged in to a workstation or a server can access additional machines within that environment by opening a command-line prompt and typing a connection command, along with their username and password. This means that all an adversary has to do to move laterally is to get their hands on a valid username and password. Once obtained, the attacker can then use these compromised credentials to access resources just as if they were a legitimate user.
It sounds simple, so why is it hard to prevent?
As surprising as it sounds, there is actually no tool in the identity or security stack that can detect and prevent lateral movement in real-time. This is because what's required is the ability to intercept the authentication itself, where the attacker provides the compromised credentials to Active Directory (AD). Unfortunately, AD – as essentially a legacy piece of software – is capable of only a single security check: whether the username and password match. If they do, access is granted; if not, access is denied. AD does not have the ability to differentiate between a legitimate authentication and a malicious one, only the ability to validate the credentials provided.
But shouldn't MFA be able to solve this?
In theory. But here's the problem: Remember the command-line window mentioned previously about how lateral movement is executed? Guess what. Command-line access is based on two authentication protocols (NTLM and Kerberos) that don't actually support MFA. These protocols were written way before MFA even existed. And by "don't support," what we mean here is that you can't add to the authentication process an additional stage that says, "these credentials are valid but let's wait until the user verifies their identity." It is this lack of MFA protection in the AD environment – a key blind spot – that enables lateral movement attacks to keep happening.
At this point, you might wonder why in 2023 we're still using technology from over 20 years ago that doesn't support a basic security measure like MFA. You're right to ask this question, but at the moment, what's more important is the fact that this is the reality in close to 100% of environments – yours included. That's why it's critical to understand these security implications.
Creating easily implemented MFA policies for all your privileged accounts is the only way to ensure they are not compromised. With no need for customizations or network segmentation dependencies, you can be up and running within minutes with Silverfort. Discover how to protect your privileged accounts from compromise quickly and seamlessly with adaptive access policies that enforce MFA protection on all on-prem and cloud resources today.
Let's not forget service accounts – invisible, highly privileged, and nearly impossible to protect
To add another dimension to the lateral movement protection challenge, keep in mind that not all accounts are created equal. Some of them are materially more susceptible to attack than others. Service accounts, used for machine-to-machine access, are a prime example. These accounts are not associated with any human user, so as a result they are less monitored and sometimes even forgotten about by the IT team. But they usually have high access privileges and can access most machines in the environment. This makes them an attractive compromise target for threat actors, who use them whenever they can. This lack of visibility and protection of service accounts is the second blind spot on which lateral movement actors rely.
Silverfort makes real-time protection against lateral movement possible
Silverfort pioneers the first Unified Identity Protection platform that can extend MFA to any resource, regardless of whether it natively supports MFA or not. Utilizing an agentless and proxyless technology, Silverfort integrates directly with AD. With this integration, whenever AD gets an access request, it forwards it to Silverfort. Silverfort then analyzes the access request and, if needed, challenges the user with MFA. Based on the user's response, Silverfort determines whether to trust the user or not, and passes the verdict to AD which then grants or denies access as necessary.
Preventing lateral movement at the root #1: Extending MFA to command-line access
Silverfort can apply MFA protection to any command-line access tool – PsExec, Remote PowerShell, WMI, and any other. With an MFA policy enabled, if an attacker attempts to perform lateral movement via command line, Silverfort would push an MFA prompt to the actual user, asking them to verify whether they had initiated that access attempt. When the user denies this, access would be blocked — leaving the attacker confused as to why a method that has worked flawlessly in the past has now hit a brick wall.
Preventing lateral movement at the root #2: Automated visibility and protection of service accounts
While service accounts can't be subjected to MFA protection – as non-human users, they can't confirm their identity with a cell phone notification – they can still be protected. This is because service accounts (unlike human users) display highly repetitive and predictable behavior. Silverfort leverages this by automating the creation of policies for every service account. When activated, they can send an alert or block service account access altogether whenever a deviation standard activity is detected. The malicious use of a compromised service account inevitably creates a deviation because even if the attacker has the service account's credentials, they would not know the account's standard use. The result would be that any attempt to use a compromised service account for lateral movement would be stopped cold.
Do you see lateral movement as a risk you need to address? Schedule a call with one of our experts.