Preventing Lateral Movement

Implementing effective security measures can help delay and detect lateral movement attempts within your organization.

1. Safeguard Credentials

All credentials on a network, particularly those associated with administrator accounts, must be thoroughly protected to prevent unauthorized access to systems and devices.

A prevalent attack method is stealing a credential artifact, such as a password hash or an authentication token, and reusing it to reach another device or server. The best-known example is ‘pass the hash’: the attacker never learns the password, but authenticates with a stolen hash, because in protocols such as NTLM the hash itself is the secret that proves identity. Passwords should therefore never be stored in plain text, and password hashes and tokens must be protected as carefully as the passwords themselves, wherever they live: on disk, in backups, and in memory on any device where the user is logged on.

All credentials required to authenticate to devices and services need robust protection. Utilizing devices that offer hardware-backed credential storage can significantly enhance the security of these credentials. Moreover, work-related credentials should only be entered into approved work devices, ensuring they are adequately secured.
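The point about hashes being worth protecting is easiest to see in code. The following is an added example, not code from the NCSC article: a toy challenge-response scheme modelled on NTLMv2, in which the server keys an HMAC with H(password). SHA-256 stands in for the unsalted MD4 of real NTLM (labelled as such in the code), and the user, password and server classes are invented for the demonstration. It shows that a stolen hash logs on exactly as the password would, and contrasts that with a salted, iterated verifier that an attacker cannot replay.

```python
"""Why a password hash can be as good as the password (added example).

Toy challenge-response modelled on NTLMv2.  The client never sends the
password; it proves knowledge of H(password) by keying an HMAC over a
server challenge, and the server keeps H(password) to verify.  Anyone
holding H(password), scraped from memory or a credential database, can
answer the challenge without ever learning the password: pass the hash.
"""
import hashlib
import hmac
import os


def nt_style_hash(password: str) -> bytes:
    # Stand-in for the NT hash.  Real NTLM uses MD4 over the UTF-16LE
    # password with no salt; SHA-256 is substituted only because many
    # OpenSSL builds no longer ship MD4.  The property that matters is
    # unchanged: the value depends on the password alone, so wherever it
    # is used as a key it is password-equivalent.
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def challenge_response(secret: bytes, server_challenge: bytes, client_nonce: bytes) -> bytes:
    # NTLMv2-like proof: keyed with the hash, never with the password.
    return hmac.new(secret, server_challenge + client_nonce, hashlib.sha256).digest()


class HashKeyedServer:
    """Stores H(password) and verifies challenge-response proofs (hypothetical)."""

    def __init__(self):
        self._secrets: dict[str, bytes] = {}

    def enrol(self, user: str, password: str) -> None:
        self._secrets[user] = nt_style_hash(password)

    def new_challenge(self) -> bytes:
        return os.urandom(8)

    def verify(self, user: str, server_challenge: bytes, client_nonce: bytes, proof: bytes) -> bool:
        secret = self._secrets.get(user)
        if secret is None:
            return False
        expected = challenge_response(secret, server_challenge, client_nonce)
        return hmac.compare_digest(expected, proof)


def logon_with_secret(server: HashKeyedServer, user: str, secret: bytes) -> bool:
    # Identical code path whether `secret` was derived from the password or stolen.
    challenge = server.new_challenge()
    nonce = os.urandom(8)
    return server.verify(user, challenge, nonce, challenge_response(secret, challenge, nonce))


class SaltedVerifierServer:
    """Stores salt + PBKDF2(password); the client must present the password itself."""

    ITERATIONS = 100_000

    def __init__(self):
        self._verifiers: dict[str, tuple[bytes, bytes]] = {}

    def enrol(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        self._verifiers[user] = (salt, digest)

    def verify(self, user: str, password: str) -> bool:
        entry = self._verifiers.get(user)
        if entry is None:
            return False
        salt, digest = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        return hmac.compare_digest(digest, candidate)

    def stolen_verifier(self, user: str) -> bytes:
        # What an attacker gets from the database: still worth cracking offline,
        # but not itself a credential.
        return self._verifiers[user][1]


def demo() -> dict:
    password = "Correct-Horse-9"          # constructed sample credential
    pth = HashKeyedServer()
    pth.enrol("alice", password)
    stolen_hash = nt_style_hash(password)  # e.g. dumped from a compromised workstation
    salted = SaltedVerifierServer()
    salted.enrol("alice", password)
    return {
        "user_with_password": logon_with_secret(pth, "alice", nt_style_hash(password)),
        "attacker_with_hash": logon_with_secret(pth, "alice", stolen_hash),
        "attacker_with_salted_verifier": salted.verify("alice", salted.stolen_verifier("alice").hex()),
    }


if __name__ == "__main__":
    print(demo())
```

The takeaway for a defender is that "hash it and you are safe" only applies to verifiers that the protocol never uses as a key. Where the hash is the key, as with NTLM, it must be kept out of an attacker's reach at the endpoint, which is what hardware-backed credential storage and restricting where credentials are entered aim to achieve.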

Summary:

  • Do not store passwords in plain text; protect password hashes and tokens as carefully as passwords, since a stolen hash can be replayed.
  • Utilize devices equipped with hardware-backed credential storage whenever possible.
  • Only input work credentials on authorized work devices and services.

2. Implement Strong Authentication Practices

Authentication should balance ease of use for the user while creating barriers for potential attackers. Adhere to the NCSC password guidelines to align your policy with best practices. For instance, refrain from reusing passwords across different systems and consider adopting password managers within your organization to minimize the risk of storing plaintext credentials.

Logon restrictions such as account lockout and throttling reduce the chance that an attacker who has not yet obtained a credential can guess one online. Prefer throttling (a growing delay between attempts) to a hard lockout where you can: a permanent lockout lets an attacker deliberately lock legitimate users out, and per-account counters miss password spraying, where one password is tried once against many accounts. Ensure that no single account, particularly a privileged one, can reach every system in the enterprise.
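As an added example of the logon restrictions above (not part of the original guidance), the throttle below combines a bounded per-account backoff with a per-source check for password spraying. The class, thresholds and sample account names are all assumptions chosen for illustration; time is passed in explicitly so the logic is deterministic.

```python
"""Logon throttling that resists both guessing and lockout abuse (added example).

Per-account: after FREE_ATTEMPTS failures, each further failure doubles the
wait before the next attempt, capped at max_delay.  The account is never
locked outright, so an attacker cannot use the control to deny service.
Per-source: a source that fails against many distinct accounts inside a
window is blocked, catching password spraying that per-account counters
never see (one failure per account is below any lockout threshold).
"""
from collections import defaultdict, deque


class LogonThrottle:
    FREE_ATTEMPTS = 3  # failures before backoff starts (assumed policy value)

    def __init__(self, max_delay: float = 300.0, spray_accounts: int = 10, spray_window: float = 600.0):
        self.max_delay = max_delay
        self.spray_accounts = spray_accounts
        self.spray_window = spray_window
        self._failures = defaultdict(int)       # account -> consecutive failures
        self._not_before = defaultdict(float)   # account -> earliest permitted attempt
        self._source_hits = defaultdict(deque)  # source -> (time, account) of recent failures

    def _prune(self, source: str, now: float) -> None:
        queue = self._source_hits[source]
        while queue and now - queue[0][0] > self.spray_window:
            queue.popleft()

    def check(self, account: str, source: str, now: float) -> tuple[bool, str]:
        """Return (allowed, reason) for an attempt at time `now` (seconds)."""
        self._prune(source, now)
        distinct = {acct for _, acct in self._source_hits[source]}
        if len(distinct) >= self.spray_accounts:
            return False, "source blocked: password-spraying pattern"
        wait = self._not_before[account] - now
        if wait > 0:
            return False, f"account throttled: retry in {wait:.0f}s"
        return True, "ok"

    def record_failure(self, account: str, source: str, now: float) -> None:
        self._failures[account] += 1
        self._source_hits[source].append((now, account))
        excess = self._failures[account] - self.FREE_ATTEMPTS
        if excess >= 0:
            delay = min(self.max_delay, 2.0 ** excess)  # 1, 2, 4, 8 ... up to the cap
            self._not_before[account] = now + delay

    def record_success(self, account: str) -> None:
        # A genuine logon clears the account's backoff; source history is kept.
        self._failures[account] = 0
        self._not_before[account] = 0.0


if __name__ == "__main__":
    throttle = LogonThrottle()
    for t in range(5):
        print(t, throttle.check("alice", "10.0.0.1", t))
        throttle.record_failure("alice", "10.0.0.1", t)
```

In practice the same two counters would live in the identity provider or directory; the thing to carry across is that the account-level control is bounded and the source-level control looks at breadth, not depth.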

For internet-facing services, multi-factor authentication (MFA) is essential to defeat brute-force and password-guessing attacks. A second factor can also be required on high-privilege devices, so that malware which has captured a password still cannot use it remotely on its own.

Single sign-on (SSO) reduces the number of passwords a user must hold, decreasing the likelihood of password theft; note that it also concentrates access in the identity provider, whose accounts and sessions must themselves be protected with MFA. Explore alternative technical authentication methods such as biometrics, single-use sign-in links (magic links), smartcards, and hardware-backed PINs.

Summary:

  • Abide by the NCSC password guidelines, and avoid reusing passwords across systems.
  • Evaluate the use of password managers within your organization.
  • Enable logon restrictions and throttling measures.
  • Employ multi-factor authentication for high-risk accounts and internet-facing services.
  • Where possible, consider alternatives to passwords for authentication.

3. Secure High Privilege Accounts

Local and domain administrative accounts, which have access to critical systems and data, represent powerful assets within a network and must be managed with extreme caution.

Administrators should maintain distinct accounts: one for everyday activities (like browsing and email) and a separate privileged account for administrative tasks, which should only be used on designated admin devices. This practice mitigates the risk of using an infected device for administrative functions.

Administrator accounts should avoid engaging in web browsing or accessing emails, and should only be utilized when elevated permissions are explicitly required.

Summary:

  • Utilize a standard account for daily tasks and a distinct administrator account solely for administrative duties.
  • If possible, utilize separate devices for standard and administrative accounts; if not, consider the ‘browse down’ approach as outlined in our guidance.
  • Restrict administrator accounts from conducting high-risk activities such as browsing the web or accessing email.

4. Follow the Principle of Least Privilege

The ‘least privilege’ principle dictates that user accounts should only possess the minimum privileges necessary to fulfill their roles. Implementing a tiered model for administrative accounts ensures that they only have the specific permissions required, minimizing the potential access for attackers should a lower-privilege account be compromised.

Accounts with extensive privileges such as domain admin or global admin should not be routinely employed. They are needed for certain tasks (such as initial setup or disaster recovery), but day-to-day functions should be handled by lower-tier accounts.

Time-limited (just-in-time) privileged access limits the damage from a compromised admin credential: the privilege exists only for an approved window, and every request for it is recorded and can be audited. Identify high-risk devices, services and users when planning access, and give those at elevated risk the narrowest privileges.

Summary:

  • Implement a tiered administrative model to restrict unnecessary access and privileges.
  • Reserve full privilege accounts for absolutely essential tasks only.
  • Consider time-based privileges for added restrictions.
  • Identify high-risk devices, services, and users to minimize their access levels.

5. Secure Your Devices

Any device connected to your network—regardless of direct internet access—can be a target during the lateral movement phase of an attack. It is essential to ensure that all devices are regularly updated with the latest patches. Employing automated updates can ease this task; however, ensure that redundant devices are updated sequentially to maintain availability.

Endpoints should be configured securely following the NCSC mobile device guidance. Whenever feasible, allow-list applications so that only verified programs can operate. This can also involve utilizing an architecture that permits installation and execution of applications only from trusted sources.

In addition to boundary firewalls, enabling local firewalls on each host is critical to restrict unnecessary inbound and outbound traffic. Firewalls should default to blocking all inbound connections and only permit those specifically required; on a workstation this means that remote administration ports (SMB, RDP, WinRM, SSH) are reachable only from designated management hosts, so an attacker who compromises one device cannot simply connect to its neighbors. Regular audits of the approved connections list can help eliminate obsolete entries.

If available, enable secure boot mechanisms to assure the integrity of the boot process and pose a higher obstacle for attackers attempting to establish persistence on a device.

Finally, adhere to our Macro Security guidance to mitigate risks associated with malicious macros.

Summary:

  • Apply patches promptly to all devices and utilize automated updates when practical.
  • Implement application allow-listing to control application usage.
  • Follow our Macro Security guidance.
  • Enable local firewalls on devices.
  • Utilize secure boot mechanisms where feasible.
  • Adhere to the NCSC mobile device guidance.

6. Implement Network Segmentation

Network segmentation refers to dividing a network into various segments. This approach greatly complicates an attacker’s efforts to achieve their objective once they penetrate the network, as the initial point of access may not allow connection to critical data or systems.

Systems and data that do not require interaction should be allocated to separate network segments, permitting user access only as necessary. According to our guidelines on network security, “Segregate networks as sets: identify, group, and isolate critical business systems and apply suitable network security controls.”

Security controls should guarantee that all data and connections originating from within the network boundary are not treated as automatically trusted. The ISO 27001 and 27002 standards offer valuable insights into best practices for implementing network segmentation.

Summary:

  • Segregate networks into sets by identifying, grouping, and isolating vital business systems while applying relevant network security controls.

7. Monitor Network Activity

Vigilant monitoring of your network for any security incidents is crucial. As new vulnerabilities are continuously emerging, persistent attackers may eventually gain access despite your protective measures. Effective monitoring is the only method to identify a breach and take action once it occurs. Our Network Monitoring section from the ’10 Steps to Cyber Security’ serves as a useful starting point, along with our Security Operations Centre (SOC) buyers guide, which provides more detailed insights on effective monitoring practices.

The foundation of monitoring involves recording and archiving logs of potential security events. Systems can analyze these logs to identify suspicious activities that may indicate a security breach and alert the appropriate personnel. Activation of logging and security auditing features in your network infrastructure (firewalls, switches and other network devices) as well as operating systems is essential.

Understanding the locations of high-value assets within a network allows for enhanced alerting. High-value assets may include crucial services and servers (such as a domain controller) as well as certain users or accounts. Noteworthy users include:

  • Privileged users (due to their access capabilities)
  • Directorate (senior leadership) accounts (because of the sensitive information they may contain)
  • Social media accounts (due to the potential for reputational harm if compromised)

It is important to grasp the overall structure and usage of your network. Maintaining a current audit of all devices able to connect to the network will assist in identifying unauthorized usage. Unusual behaviors can manifest on both the network protocol layer and within application-specific contexts, such as credential usage or authentication events.

Attackers often blend in with regular traffic during lateral movement by using legitimate tools and remote-administration channels (RDP, SMB, WMI, WinRM, PowerShell remoting, scheduled tasks and remote service creation), which makes them hard for conventional antivirus software to detect. Knowing which of these tools are in normal use on your network, and by whom, considerably improves your chances of spotting misuse.

The primary challenge in network monitoring is recognizing genuine security incidents amid frequent false positives, which are prevalent in the extensive volume of background ‘noise’ within a network. Familiarity with your network and its typical usage patterns reduces false alarms and makes atypical activity stand out. Segmentation helps here too: traffic crossing segment boundaries is a natural choke point on which to focus monitoring.
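The following is an added example, not part of the NCSC article, of what the monitoring described in this section and the tiered-admin rules of sections 3 and 4 look like as detection logic. It runs two rules over constructed logon records whose fields mirror Windows Security event 4624: a fan-out rule for one credential reaching many hosts in a short window, with a baseline that suppresses accounts known to do this legitimately, and a tier-violation rule for a tier-0 account used interactively anywhere but a privileged access workstation. All account names, host names, addresses and thresholds are invented for the example.

```python
"""Two lateral-movement detections over logon events (added example).

The records below are constructed for this example.  Their fields mirror
Windows Security event 4624 (successful logon): logon type 2 = interactive,
3 = network (SMB, WMI, WinRM), 10 = remote interactive (RDP).
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts user logon_type auth_pkg src_ip host")

# Assumed knowledge of the estate (hypothetical names).
TIER0_ACCOUNTS = {"CORP\\da-jsmith"}   # domain-admin tier
PAW_HOSTS = {"PAW01", "PAW02"}          # the only hosts tier-0 may log on to
BASELINE_FANOUT = {"CORP\\svc-scan"}    # vulnerability scanner: touches every host by design

# Constructed sample: timestamp,user,logon_type,auth_package,source_ip,host
SAMPLE_LOG = """\
2024-03-01T09:00:05,CORP\\alice,2,Kerberos,-,WS-ALICE
2024-03-01T09:10:00,CORP\\svc-scan,3,Kerberos,10.0.5.20,WS-101
2024-03-01T09:10:02,CORP\\svc-scan,3,Kerberos,10.0.5.20,WS-102
2024-03-01T09:10:04,CORP\\svc-scan,3,Kerberos,10.0.5.20,WS-103
2024-03-01T09:10:06,CORP\\svc-scan,3,Kerberos,10.0.5.20,WS-104
2024-03-01T09:10:08,CORP\\svc-scan,3,Kerberos,10.0.5.20,WS-105
2024-03-01T11:00:00,CORP\\carol,3,Kerberos,10.0.7.40,FS01
2024-03-01T11:30:00,CORP\\carol,3,Kerberos,10.0.7.40,PRINT01
2024-03-01T13:02:11,CORP\\bob,3,NTLM,10.0.7.31,WS-204
2024-03-01T13:02:40,CORP\\bob,3,NTLM,10.0.7.31,WS-205
2024-03-01T13:03:05,CORP\\bob,3,NTLM,10.0.7.31,WS-206
2024-03-01T13:03:50,CORP\\bob,3,NTLM,10.0.7.31,FS01
2024-03-01T13:04:20,CORP\\bob,3,NTLM,10.0.7.31,SQL02
2024-03-01T14:30:00,CORP\\da-jsmith,10,Kerberos,10.0.7.31,WS-204
2024-03-01T15:00:00,CORP\\da-jsmith,10,Kerberos,10.0.1.5,PAW01
"""


def parse(log: str) -> list:
    events = []
    for line in log.splitlines():
        ts, user, logon_type, pkg, src, host = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), user, int(logon_type), pkg, src, host))
    return events


def detect_fanout(events, window=timedelta(minutes=10), min_hosts=5) -> list:
    """Accounts with network logons to >= min_hosts distinct hosts inside `window`.

    One credential sweeping many hosts in minutes is the signature of automated
    lateral movement.  Accounts that do this legitimately are suppressed by the
    baseline set rather than by raising the threshold for everyone.
    """
    by_user = defaultdict(list)
    for e in events:
        if e.logon_type == 3 and e.user not in BASELINE_FANOUT:
            by_user[e.user].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):
            hosts = {e.host for e in evs[i:] if e.ts - first.ts <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "fan-out", "user": user, "hosts": sorted(hosts),
                               "auth": sorted({e.auth_pkg for e in evs}),
                               "start": first.ts.isoformat()})
                break  # one alert per account is enough; the analyst takes it from here
    return alerts


def detect_tier_violation(events) -> list:
    """Tier-0 accounts used interactively anywhere but a PAW (tiering breach)."""
    return [{"rule": "tier-violation", "user": e.user, "host": e.host,
             "logon_type": e.logon_type, "ts": e.ts.isoformat()}
            for e in events
            if e.user in TIER0_ACCOUNTS and e.logon_type in (2, 10) and e.host not in PAW_HOSTS]


def run(log: str = SAMPLE_LOG) -> list:
    events = parse(log)
    return detect_fanout(events) + detect_tier_violation(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The fan-out alert also carries the authentication packages seen, because a burst of NTLM network logons from an account that normally uses Kerberos is a common side effect of pass-the-hash and is worth showing the analyst alongside the host list.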

Summary:

  • Follow our network monitoring and SOC buyers guide publications.
  • Activate logging and auditing features within your systems to identify abnormal activities.
  • Keep an updated record of all devices with network access, while understanding your high-value assets.
  • Comprehend and familiarize yourself with your network and its normal operational behavior.

8. Explore the Use of Honeypots

Honeypots are systems intentionally designed to be targeted by attackers.

Production honeypots are decoys placed among genuine systems on a network and are instrumental in identifying breaches. Because a honeypot serves no legitimate purpose and holds no real data, authentic users have no reason to touch it, so any unexpected connection can be treated as hostile and investigated immediately. Production honeypots should be used in conjunction with network monitoring and other intrusion detection methods.

Research honeypots, while not beneficial for the network directly, are established to gather insights on attackers’ latest techniques.

The implementation of honeypots carries certain risks. Research honeypots inherently encourage attacker interaction, while production honeypots might introduce risks depending on their complexity. For instance, they could be compromised and used as an attack platform against legitimate network systems during lateral movement.

Thus, honeypots should only be considered if potential implementation impacts have been assessed, and there is adequate expertise within your organization to manage them effectively.
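To make the production-honeypot trade-off above concrete, here is an added example (not from the NCSC article) of the simplest form that carries little of the risk just described: a low-interaction listener that never speaks the protocol it impersonates, so it cannot be exploited as a pivot, and that turns every connection into an alert record. The decoy port table, the alert fields and the probe payload are assumptions for the example; a real deployment would bind to the decoy ports themselves and ship the records to the monitoring pipeline.

```python
"""Low-interaction production honeypot (added example).

A listener on a port no legitimate client has any reason to use.  It
records who connected and the first bytes they sent, then closes without
replying.  With no real service behind it there is nothing to exploit and
nothing to fingerprint; any connection is a lead for the SOC.
"""
import socket
import socketserver
import threading
from datetime import datetime, timezone

# Ports a scanner or worm probes when looking for lateral-movement targets
# (assumed decoy set; binding below 1024 needs privileges in production).
DECOY_SERVICES = {445: "SMB", 3389: "RDP", 5985: "WinRM", 22: "SSH", 1433: "MSSQL"}


class CanaryHandler(socketserver.BaseRequestHandler):
    def handle(self) -> None:
        self.request.settimeout(2.0)
        try:
            banner = self.request.recv(64)  # whatever the client sends first, if anything
        except (socket.timeout, OSError):
            banner = b""
        src_ip, src_port = self.client_address[:2]
        dst_port = self.server.server_address[1]
        self.server.alerts.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "src": src_ip,
            "src_port": src_port,
            "dst_port": dst_port,
            "decoy": DECOY_SERVICES.get(dst_port, "custom"),
            "first_bytes": banner[:16].hex(),
        })
        # Deliberately no reply: the connection is simply closed by the server.


class CanaryServer(socketserver.TCPServer):
    allow_reuse_address = True

    def __init__(self, bind):
        super().__init__(bind, CanaryHandler)
        self.alerts: list = []  # in production: forward to the SIEM instead of buffering


def probe_once(payload: bytes = b"\x00\x00\x00\x2f\xffSMB") -> list:
    """Start a canary on an ephemeral loopback port, touch it once, return alerts.

    The constructed payload imitates the start of an SMB negotiate request.
    """
    server = CanaryServer(("127.0.0.1", 0))
    port = server.server_address[1]
    worker = threading.Thread(target=server.handle_request)  # accept exactly one connection
    worker.start()
    with socket.create_connection(("127.0.0.1", port), timeout=5) as client:
        client.sendall(payload)
    worker.join(10)
    server.server_close()
    return server.alerts


if __name__ == "__main__":
    for alert in probe_once():
        print("ALERT honeypot touched:", alert)
```

Because the listener accepts and closes, an attacker's scanner sees an open port and moves on; the value is entirely in the alert, which is why this kind of honeypot only pays off when someone is watching the output and the network segment is quiet enough that a touch is genuinely unexpected.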

Summary:

  • Evaluate the implementation of a production honeypot within your organization, ensuring you possess the necessary expertise and understanding of associated risks.

Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/preventing-lateral-movement