Implementing the following protective measures will provide a buffer of time and enhance the ability to identify attempts at lateral movement within your network.
1. Safeguard Credentials
It is essential to secure all credentials on a network, particularly those associated with administrator accounts, to prevent unauthorized access to devices and systems.
A prevalent attack strategy involves the theft of security tokens to gain entry to other devices or servers. For example, the technique known as ‘Pass the hash’ utilizes a stolen hash for authentication purposes. Passwords must never be stored in plain text either by users or systems, and password hashes should be adequately protected to deter unauthorized access.
Credentials employed for device authentication, as well as those for service authentication, must be sufficiently shielded by the device. Devices that feature hardware-backed credential storage offer superior protection for these credentials. Work-related credentials should not be used on non-approved devices, as these devices may lack appropriate safeguarding measures for the credentials.
In summary:
- Do not store passwords in plain text; ensure that password hashes are safeguarded.
- Wherever possible, use devices with hardware-backed credential storage.
- Utilize work credentials exclusively on devices and services designated for work use.
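The following is an added example, not code from the NCSC guidance, showing what "do not store passwords in plain text and safeguard the hashes" looks like in a credential store: each password is stored as a salted, iterated PBKDF2 hash, verification recomputes the hash and compares it in constant time, and a legacy plain-text record can never verify. The iteration count, salt size and record format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example (not NCSC code): store a salted, iterated hash instead of the
# password, and verify in constant time. The iteration count and salt size are
# assumptions for illustration; tune them to your hardware and current guidance.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt>$<hash>."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # unique per password: no shared precomputed table
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare without early exit."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record (for example a legacy plain-text entry) never verifies
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record predates the current policy and should be rehashed at next logon."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256" or not parts[1].isdigit():
        return True
    return int(parts[1]) < ITERATIONS
```

The record carries its own salt and iteration count, so the work factor can be raised later and old records upgraded transparently when a user next authenticates; `needs_rehash` is the hook for that. Note that this protects the password store itself; the hashes a system uses for network authentication (the ones Pass the hash abuses) still need protecting at the host, which is the hardware-backed storage point made above.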
2. Implement Strong Authentication Practices
Authentication processes should prioritize user ease while complicating access for potential attackers. Adhere to the NCSC password guidance to align your policy with best practices. It is crucial to avoid reusing passwords across different systems and to consider the incorporation of password managers within your organization; this limits the likelihood of users storing credentials in plain text.
Implementing logon restrictions, such as password lockout and throttling, mitigates the chances of attackers succeeding in authenticating to a host without prior acquisition of the credentials. Ensure no single account has access to all devices and components across the enterprise, particularly for privileged accounts.
Multi-factor authentication (MFA) must be instituted for internet-facing services to counter brute force and password guessing attacks. On high-privilege devices, MFA can also take the form of a physically separate factor (such as a hardware token), so that malware on the device cannot exploit it remotely.
Single sign-on (SSO) helps decrease the number of passwords in circulation, thereby reducing the opportunity for theft. Further, it is advisable to explore alternative authentication methods, such as biometrics, single-use sign-in links (magic links), smart cards, and hardware-backed PINs.
In summary:
- Comply with the NCSC password guidance and avoid password reuse across systems.
- Implement password managers within your organization.
- Establish logon restrictions/throttling.
- Utilize multi-factor authentication for internet-facing services and high-risk accounts.
- Whenever possible, apply alternative authentication methods beyond passwords.
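The logon restrictions and throttling recommended above can be expressed as a small piece of authentication-server logic. This is an added example, not NCSC code: failed attempts per account are counted over a sliding window, the delay before the next attempt grows with each failure (throttling), and a burst of failures produces a temporary lockout. All thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Added example (not NCSC code): per-account throttling that escalates to a
# temporary lockout. All thresholds are assumptions chosen for illustration.
MAX_FAILURES = 5        # failures inside WINDOW_SECONDS that trigger a lockout
WINDOW_SECONDS = 300    # sliding window over which failures are counted
LOCKOUT_SECONDS = 900   # duration of the lockout
MAX_DELAY = 60          # cap on the throttling delay in seconds


class LogonThrottle:
    def __init__(self):
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> time the lockout ends

    def _prune(self, account, now):
        q = self._failures[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, account, now):
        return self._locked_until.get(account, 0) > now

    def delay_before_next(self, account, now):
        """Throttle: seconds the caller should wait before accepting another try."""
        self._prune(account, now)
        n = len(self._failures[account])
        return 0 if n == 0 else min(2 ** (n - 1), MAX_DELAY)

    def attempt(self, account, password_ok, now):
        """Record one logon attempt and return 'allowed', 'denied' or 'locked'."""
        if self.is_locked(account, now):
            return "locked"   # even a correct password is refused until the lockout ends
        self._prune(account, now)
        if password_ok:
            self._failures[account].clear()
            return "allowed"
        self._failures[account].append(now)
        if len(self._failures[account]) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            self._failures[account].clear()
            return "locked"
        return "denied"
```

Two design points matter in practice. The response shown to the user should be the same for `denied` and `locked`, so that the lockout state does not leak which account names exist. And because a lockout can be triggered deliberately to keep a named user out, the throttling delay comes first and the lockout is temporary rather than permanent; the `locked` and `denied` results should also be logged, since a run of them against many accounts is itself a signal worth monitoring.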
3. Secure High Privilege Accounts
Local and domain administrative accounts, which have access to a majority of systems and data, are powerful assets within a network and must be strictly controlled.
Administrators should use distinct accounts: one for everyday business tasks (such as web browsing and managing email), and a privileged administrator account used solely on designated admin devices. This separation minimizes the risk of a compromised device being used for admin functions.
Administrator accounts should refrain from web browsing and accessing email, only being employed when elevated permissions are necessary.
In summary:
- Administrators should operate under a regular account for routine activities and a separate one exclusively for administrative tasks.
- Utilize distinct devices for standard accounts and administrator accounts when feasible. If not, consider employing a ‘browse down’ methodology.
- Restrict administrator accounts to prevent high-risk actions, such as web browsing and email access.
4. Enforce the Principle of Least Privilege
Implementing a ‘least privilege’ principle, under which accounts and users have only the minimum access necessary to perform their roles, is critical. A tiered model for administrative accounts grants users only the administrative capabilities they require rather than blanket access. Limiting high-privilege accounts in this way reduces the risk posed by an attacker who compromises a lower-privilege administrator account.
Accounts with full privileges across an enterprise (like domain admin or global admin accounts) should not be employed on a regular basis. While these accounts are necessary for specific tasks (initial network configurations, system upgrades, creation of privileged accounts, or disaster recovery), lower-tier administrative accounts should be designated for most operations.
Time-limited privileged access can further mitigate the fallout from leaked admin credentials, as the user must request access each time and each request is auditable. Identifying high-risk devices, services, and users can inform privilege assignments, ensuring that those posing the highest risk hold the lowest privileges.
In summary:
- Employ a tiered model for administrative accounts to eliminate unnecessary access and privileges.
- Restrict the use of full privilege accounts to strictly essential circumstances.
- Consider implementing time-based privileges to impose further restrictions.
- Identify high-risk devices, services, and users to minimize their access.
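The rules in sections 3 and 4 (separate admin accounts, admin credentials only on designated devices, no browsing or email from them, a tiered model, and time-limited privilege) can be checked mechanically against logon telemetry. The following is an added example, not NCSC code: it assigns a tier to every credential and every device, requires an unexpired grant for each administrative logon, and reports any event that breaks the model. Tier numbering (0 = identity infrastructure, 1 = servers, 2 = workstations), account and device names, and the events are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example (not NCSC code): audit logon events against a tiered admin
# model with time-limited privilege grants. Tier 0 = identity infrastructure,
# tier 1 = servers, tier 2 = user workstations. Accounts, devices and events
# are constructed for illustration.

# credential -> tier it is authorised for (None = a standard, non-admin user)
ACCOUNT_TIER = {"alice": None, "alice-adm1": 1, "alice-adm0": 0, "bob": None}
# device -> tier of the asset (a privileged access workstation is a tier 0 asset)
DEVICE_TIER = {"dc01": 0, "paw-alice": 0, "app01": 1, "ws-alice": 2, "ws-bob": 2}
# activities that must never be performed with an administrative credential
HIGH_RISK = {"web_browsing", "email"}


@dataclass
class Grant:
    account: str
    tier: int
    expires: int   # epoch seconds; the privilege is void afterwards


@dataclass
class Event:
    time: int
    account: str
    device: str
    activity: str  # "logon", "web_browsing", "email", ...


def check_event(ev: Event, grants: List[Grant]) -> Optional[str]:
    """Return a description of the violation, or None when the event is permitted."""
    dev_tier = DEVICE_TIER.get(ev.device)
    if dev_tier is None:
        return f"{ev.device}: not in the device inventory"
    if ev.account not in ACCOUNT_TIER:
        return f"{ev.account}: unknown account"
    acct_tier = ACCOUNT_TIER[ev.account]
    if acct_tier is None:
        # standard users belong on workstations only
        return None if dev_tier == 2 else f"{ev.account}: standard account on tier {dev_tier} device {ev.device}"
    if ev.activity in HIGH_RISK:
        return f"{ev.account}: admin credential used for {ev.activity} on {ev.device}"
    if acct_tier != dev_tier:
        # a credential typed on a lower-tier device is exposed to that device's malware
        return f"{ev.account}: tier {acct_tier} credential on tier {dev_tier} device {ev.device}"
    if not any(g.account == ev.account and g.tier == acct_tier and g.expires > ev.time
               for g in grants):
        return f"{ev.account}: no active privilege grant at t={ev.time}"
    return None


def audit(events: List[Event], grants: List[Grant]) -> List[str]:
    """Run every event through check_event and collect the violations."""
    return [v for v in (check_event(e, grants) for e in events) if v]
```

The strict form enforced here is that a credential is only ever used on assets of its own tier, which is what stops a tier 0 credential being typed into, and stolen from, a workstation. Organisations using a ‘browse down’ approach would relax the equality test to allow a higher-tier device to reach lower tiers; what must never be allowed is the reverse.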
5. Secure Devices
Every device or system integrated into your network (even those without direct internet connections) may become a target during the lateral movement phase of an attack. It is crucial to keep all devices updated, applying the latest patches as quickly as possible. Automated updates can facilitate this process, though it’s essential to ensure that redundant device pairs update at different times to maintain operational continuity.
Endpoints should be securely configured according to the NCSC mobile device guidance. Applications should ideally be allow-listed, permitting only approved applications to operate, which can be achieved through an architecture that restricts installations to those from trusted sources.
In addition to firewalls at the network perimeter, it is advisable to enable local firewalls on hosts to limit unnecessary inbound and outbound traffic. By default, firewalls should block all inbound connections (like SMB) and permit only those that are essential. Regular reviews of the approved connection list should be conducted to remove any that are no longer required.
Whenever feasible, enable secure boot mechanisms to affirm the integrity of the device boot process, complicating an attacker’s ability to establish persistence. Finally, adhere to the Macro Security guidance to mitigate risks associated with malicious macros.
In summary:
- Apply patches to all devices promptly upon release, with automated updates where feasible.
- Implement allow-listing to control and limit application usage.
- Follow the Macro Security guidance.
- Activate local firewalls on hosts.
- Employ secure boot mechanisms where available.
- Adhere to the NCSC mobile device guidance.
6. Segregate Network Assets
Network segmentation (or segregation) entails partitioning a network into various segments, significantly complicating access for attackers once they penetrate the network, as their entry point may lack connectivity to the target data or system.
Systems and data that do not necessitate interaction with each other should be isolated within different segments, with user access granted only as necessary. As outlined in our guidance on network security, “Segregate networks as sets: identify, group, and isolate essential business systems while applying appropriate network security controls.”
These security controls must ensure that all data and connections originating from within the network boundary are not automatically considered trustworthy. The ISO 27001 and 27002 standards offer insight into best practices for effective network segmentation.
In summary:
- Segregate networks as sets: identify, group, and isolate critical business systems, applying suitable network security controls to them.
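As an added example (not NCSC code) of "flows inside the boundary are not automatically trusted", the following evaluates observed connections against a segment-to-segment allow-list: every segment is a CIDR range, only listed (source, destination, port) combinations pass, and everything else, including a workstation talking to another workstation or straight to the database, is denied. Segment names, address ranges, ports and sample flows are constructed for illustration.

```python
import ipaddress
from typing import List, Optional, Tuple

# Added example (not NCSC code): evaluate observed flows against a
# segment-to-segment allow-list. Segments, addresses, ports and flows are
# constructed for illustration.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "app-servers":  ipaddress.ip_network("10.20.0.0/24"),
    "database":     ipaddress.ip_network("10.30.0.0/24"),
    "admin-paw":    ipaddress.ip_network("10.99.0.0/24"),
    "identity":     ipaddress.ip_network("10.0.1.0/24"),   # domain controllers
}

# Permitted (source segment, destination segment, destination port) triples.
# Nothing else passes, including flows inside one segment: being inside the
# boundary does not make a connection trustworthy.
ALLOWED = {
    ("workstations", "identity", 88),      # Kerberos
    ("workstations", "identity", 389),     # LDAP
    ("workstations", "app-servers", 443),
    ("app-servers", "database", 5432),
    ("admin-paw", "identity", 3389),
    ("admin-paw", "app-servers", 3389),
}


def segment_of(addr: str) -> Optional[str]:
    """Name of the segment containing addr, or None if it is outside all of them."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def evaluate_flow(src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason) for one observed connection."""
    s, d = segment_of(src), segment_of(dst)
    if s is None or d is None:
        return "deny", f"{src}->{dst}: address outside every known segment"
    if (s, d, dport) in ALLOWED:
        return "allow", f"{s}->{d}:{dport} is on the allow-list"
    return "deny", f"{s}->{d}:{dport} is not on the allow-list"


def audit_flows(flows: List[Tuple[str, str, int]]) -> List[str]:
    """Reasons for every denied flow in a list of (src, dst, dport) records."""
    return [reason for src, dst, dport in flows
            for decision, reason in [evaluate_flow(src, dst, dport)] if decision == "deny"]


# constructed sample flows: the last three should be denied
SAMPLE_FLOWS = [
    ("10.10.5.7", "10.0.1.10", 88),      # workstation -> domain controller, Kerberos
    ("10.10.5.7", "10.20.0.10", 443),    # workstation -> app server
    ("10.20.0.10", "10.30.0.5", 5432),   # app server -> database
    ("10.10.5.7", "10.30.0.5", 5432),    # workstation straight to the database
    ("10.10.5.7", "10.10.5.9", 445),     # workstation -> workstation SMB
    ("192.168.1.20", "10.0.1.10", 389),  # unknown address -> domain controller
]
```

The same table serves two purposes: as the design input for the firewall rules between segments, and as a check run over flow logs to find traffic that the rules should have stopped. The allow-list is the "approved connection list" that section 5 says should be reviewed regularly.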
7. Monitor Network Activity
Monitoring your network for any significant security events is crucial. Continuous discovery of new vulnerabilities means that determined attackers can eventually breach your network, regardless of the protections in place. Monitoring is the key to identifying a breach and responding effectively. The Network Monitoring section of our ’10 Steps to Cyber Security’ provides a solid foundation, while our Security Operations Centre (SOC) Buyers Guide offers additional insights into the monitoring process and what to monitor.
Monitoring is predicated on the collection and storage of logs associated with noteworthy security events. Systems can analyze these logs for suspicious activity that might signify a network compromise, triggering alerts for the relevant personnel. Enable logging and security auditing features in your systems and technologies (including firewalls and other network architecture) and ensure OS-level logging is utilized.
Understanding the location of high-value assets within a network facilitates more nuanced and sensitive alerting. High-value assets include crucial services and servers (like domain controllers), as well as specific users and accounts. Notable users include:
- privileged users (due to the access they possess)
- directorate accounts (as they may contain sensitive information)
- social media accounts (given the potential for reputational damage if compromised)
Familiarity with your network as a whole, including its structure and usage, is vital. Maintain a comprehensive audit of all devices capable of connecting to the network and regularly update it to catch illegitimate use. Unusual activity may emerge at the network protocol layer or in specific application contexts, such as credential utilization and authentication events.
Attackers will attempt to merge with standard network traffic, utilizing legitimate tools and systems to maneuver laterally, making detection difficult for conventional antivirus software. Awareness of the typical tools and processes that an attacker could leverage greatly enhances your ability to identify them.
The foremost challenge in network monitoring lies in distinguishing real security incidents from the frequent false positives generated by the high volume of ‘noise’ in a network. Understanding your network and the customary behavior of its users can help mitigate false positive occurrences, thus enabling you to better identify unusual activities. Network segmentation provides opportunities to focus monitoring efforts on specific traffic flow points established between segments.
In summary:
- Follow our network monitoring and Security Operations Centre (SOC) Buyers Guide publications.
- Enable logging and auditing features on your systems to detect unusual activities.
- Maintain an audit record of all devices that can connect to your network, and understand the high-value assets.
- Become acquainted with your network’s typical usage patterns.
8. Evaluate the Use of Honeypots
Honeypots are systems intentionally established for the purpose of attracting attacks.
Production honeypots deployed within a network act as decoys for legitimate systems and can be instrumental in detecting intrusions. Because honeypots lack actual data or services, unexpected connections are presumed to be hostile (as genuine users have no real reason to access them). Any interaction with the honeypot should be promptly investigated. Production honeypots should supplement existing network monitoring and intrusion detection methodologies.
Research honeypots, while lacking direct benefits for the network, are set up to acquire insights into the latest attacker techniques.
Utilizing honeypots introduces various risks: research honeypots may attract attackers by encouraging interaction. Although production honeypots present less risk, they still carry some, depending on their complexity, such as the possibility of being exploited and used to launch attacks on legitimate systems within the network during lateral movement.
For this reason, honeypots should only be deployed after thorough consideration of the implications of improper implementation, and only by staff with the requisite expertise.
In summary:
- Contemplate incorporating a production honeypot into your organization, provided that your team possesses the requisite expertise and fully grasps the associated risks.
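The monitoring points in section 7 (log the authentication events, know the typical usage of each account, expect attackers to blend in with legitimate tools) and the production-honeypot rule in section 8 (any touch of a decoy is an alert) come together in the following added example, which is not NCSC code. It runs three detections over authentication log lines: a first-seen account/host pair, one account reaching several new hosts in a short window, and any connection attempt to a decoy host. A per-account baseline of usual hosts is used to keep a legitimate backup account from generating the false positives the text warns about. The log format, hostnames, thresholds, baseline and the sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from typing import List, NamedTuple

# Added example (not NCSC code): three detections over authentication logs.
# Log format, hostnames, thresholds, baseline and sample lines are constructed.
LINE_RE = re.compile(r"^(?P<ts>\d+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) result=(?P<result>\w+)$")
HONEYPOT_HOSTS = {"fileshare-old"}   # decoys: no legitimate user has a reason to connect
FANOUT_THRESHOLD = 3                 # distinct new hosts by one account within FANOUT_WINDOW
FANOUT_WINDOW = 600                  # seconds
# hosts each account normally authenticates to (learned from history; constructed here)
BASELINE = {"alice": {"ws-alice", "app01"}, "bob": {"ws-bob"},
            "svc-backup": {"app01", "app02", "db01"}}


class Event(NamedTuple):
    ts: int
    host: str
    user: str
    src: str
    result: str


def parse(lines: List[str]) -> List[Event]:
    """Parse well-formed lines in time order; malformed lines are skipped, not guessed at."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(int(m["ts"]), m["host"], m["user"], m["src"], m["result"]))
    return sorted(events, key=lambda e: e.ts)


def detect(lines: List[str]) -> List[str]:
    alerts = []
    recent = defaultdict(list)   # user -> [(ts, host)] of successful logons
    fanout_fired = set()
    for ev in parse(lines):
        if ev.host in HONEYPOT_HOSTS:   # success or failure, a decoy touch is an alert
            alerts.append(f"honeypot: {ev.user} from {ev.src} touched decoy {ev.host}")
        if ev.result != "success":
            continue
        usual = BASELINE.get(ev.user, set())
        if ev.host not in usual:
            alerts.append(f"new pair: {ev.user} first seen on {ev.host} from {ev.src}")
        recent[ev.user].append((ev.ts, ev.host))
        # only hosts outside the baseline count: a backup account that always
        # reaches the same servers is noise, not lateral movement
        novel = {h for t, h in recent[ev.user] if ev.ts - t <= FANOUT_WINDOW and h not in usual}
        if len(novel) >= FANOUT_THRESHOLD and ev.user not in fanout_fired:
            fanout_fired.add(ev.user)
            alerts.append(f"fan-out: {ev.user} reached {len(novel)} new hosts within {FANOUT_WINDOW}s")
    return alerts


# constructed sample log: alice's credential spreads to three new hosts, the
# backup account does its usual rounds, and bob's machine probes the decoy
SAMPLE_LOG = """\
1000 host=ws-alice user=alice src=10.10.5.7 result=success
1100 host=app01 user=alice src=10.10.5.7 result=success
1200 host=app01 user=svc-backup src=10.20.0.10 result=success
1210 host=app02 user=svc-backup src=10.20.0.10 result=success
1220 host=db01 user=svc-backup src=10.20.0.10 result=success
1300 host=ws-bob user=alice src=10.10.5.7 result=success
1320 host=app02 user=alice src=10.10.5.7 result=failure
1340 host=app02 user=alice src=10.10.5.7 result=success
1360 host=dc01 user=alice src=10.10.5.7 result=success
1400 host=fileshare-old user=bob src=10.10.5.9 result=failure
"""
```

Run over the sample, the backup account produces nothing because every host it reaches is in its baseline, while alice's credential produces three new-pair alerts and one fan-out alert, and the single failed attempt against the decoy is reported regardless of outcome. The baseline is what makes the difference between a useful alert and noise, which is why the text stresses knowing your network's typical usage before tuning detections.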
Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/preventing-lateral-movement