Cyberattacks vary in their end goals, depending on who is behind the attack and what motivates them. But whether the adversaries are trying to cause damage, launch ransomware, or steal your data, they all go through a number of common steps before they make the intended impact. The attackers need to gain initial access to the environment, evade your defensive measures, and often escalate privileges and move laterally to get from the initial point of entry to the targets that have the most value.
Let’s look at one of the key attack tactics, lateral movement: what it is, why it deserves attention, and how to minimize its impact on the organization by stopping adversaries from moving around your environment.
What is lateral movement?
Lateral movement is a set of techniques that threat actors use to progressively manoeuvre throughout a network environment. Depending on their objectives, threat actors navigate around your network to find the targets, often in multiple hops between various systems. These hops are often opportunistic, and the attacker may not always know where they will move next. Hackers typically start moving around the network after they’ve already gained initial access (for example, as a result of a successful phishing email) and some level of administrative privileges.
This admin access can then be used to launch various attack techniques, such as Pass-the-Hash (PtH), exploiting vulnerabilities in remote services (for example, RDP), or even hijacking legitimate remote service sessions to move to another system, or to look for artefacts to leverage.
Lateral movement can be particularly dangerous as attackers take advantage of existing privileged access permissions. This activity is extremely difficult to detect because the attackers are harnessing legitimate privileges throughout the organisation in order to unpredictably move around from system to system.
Mitigations against lateral movement
No single “silver bullet” solution can prevent adversarial lateral movement and still ensure legitimate user activity is not impacted. Organizations use a combination of configuration hardening, network segmentation, multi-factor authentication, and various other mitigation approaches to build multi-layered defense.
One of the important components of this defense-in-depth strategy is Privileged Account Management (PAM). The concept of PAM is to remove high privileges from regular user accounts and use dedicated “administrative” accounts with limited access for specific purposes. This reduces the chance of successful lateral movement if a non-privileged user account is compromised.
Traditionally, organisations have maintained dozens, if not hundreds, of such privileged accounts to enable essential administrative tasks in the IT ecosystem. However, with today’s cyber criminals becoming increasingly advanced in their tactics, these privileged credentials represent a serious security risk. They can be hijacked by attackers or misused by insiders, either accidentally or maliciously. Therefore, privileged access management has focused primarily on locking down those accounts, resulting in a complex ongoing struggle to reduce and manage the associated risks.
Against this backdrop, Privileged Activity Management – an evolution of the traditional concept of Privileged Account Management – has emerged as an effective way to reduce online attack surfaces and secure data and networks from adversarial lateral movement.
The evolution of PAM
The traditional concept of Privileged Account Management centred around a vault, which rotated user accounts and credentials according to policy. With this approach, passwords were changed as soon as users had finished their session. Over time, Privileged Account Management morphed into Privileged Access Management, which incorporated session proxies, improving network segmentation and security, and offered the ability to record what was happening within the network, while accounts themselves remained stored in the vault.
However, the problem with this approach is that you end up with what’s known as ‘standing privilege’. In most environments, attackers are not interested in vaults or passwords per se; they are looking for artifacts in a network that can be leveraged in order to gain access to a privileged account and to move laterally without being noticed. Therefore, the greater the number of privileged accounts, the bigger the attack surface available to attackers and the greater opportunity for lateral movement throughout a network.
The traditional notion of PAM has lulled many into a false sense of security, which is where Privileged Activity Management comes in. The goal here is to fix the resulting standing privilege problem by only creating privilege when a user is actively using it. All administrative accounts that are used by organisations on a daily basis tend to be highly privileged, often with some super or admin user privileges attached. And as these accounts usually retain their privileges post-use, the more of these that an organisation has, the bigger the security threat.
The best practice is to keep the environment as close to zero standing privilege as possible, which effectively means that no privileges are assigned to accounts when they are not in direct use. Privilege is only added when it’s needed – during an ‘activity’ – and it’s removed at the end of the session. These accounts then no longer pose a risk and cannot be leveraged by threat actors. This approach not only removes a means of lateral movement for a would-be attacker, but it also significantly reduces the compliance burden facing organisations.
To use an analogy, we wouldn’t expect a fleet of taxis to wait outside our home, with each one pre-programmed to go to different destinations, just in case they are needed. And the same should be true of privileged accounts. In a traditional PAM paradigm, organizations have to maintain multiple accounts, one per “destination” (e.g., one for Active Directory and another for SQL Server) to avoid accumulating too much destructive power in a single account and reduce the potential damage. But the accounts are still there, like pre-programmed taxis outside your home. A zero standing privilege model provides a greatly reduced attack surface and eases compliance headaches into the bargain, as privileges are removed at the end of each session (on-demand privilege).
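The on-demand privilege model described above, as an added example that is not part of the original article: a small time-boxed privilege broker (names such as PrivilegeBroker, the role labels and the directory snapshot are constructed for illustration) grants a role only for the duration of an activity, revokes it when the session ends, and audits a directory snapshot for any role with no live activity behind it, which is exactly the standing privilege an attacker would look for.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Activity:
    """One approved administrative task; the role exists only between start and end."""
    account: str
    role: str
    start: datetime
    end: datetime

class PrivilegeBroker:
    """Grants a role for the duration of an activity and removes it afterwards (constructed)."""
    def __init__(self):
        self.activities = []
        self.audit_log = []

    def request(self, account, role, now, duration):
        act = Activity(account, role, now, now + duration)
        self.activities.append(act)
        self.audit_log.append(f"{now:%H:%M} GRANT {role} to {account} until {act.end:%H:%M}")
        return act

    def end_session(self, act, now):
        # Session finished early: revoke immediately rather than waiting for the time-box.
        act.end = min(act.end, now)
        self.audit_log.append(f"{now:%H:%M} REVOKE {act.role} from {act.account}")

    def effective_roles(self, account, now):
        return sorted({a.role for a in self.activities
                       if a.account == account and a.start <= now < a.end})

def find_standing_privilege(directory_roles, broker, now):
    """Roles present in the directory snapshot with no live activity backing them."""
    findings = []
    for account, roles in sorted(directory_roles.items()):
        live = set(broker.effective_roles(account, now))
        findings.extend((account, r) for r in sorted(roles - live))
    return findings

def demo():
    broker = PrivilegeBroker()
    t0 = datetime(2024, 1, 1, 9, 0)
    act = broker.request("alice", "AD-DomainAdmins", t0, timedelta(hours=1))
    broker.end_session(act, t0 + timedelta(minutes=20))
    # Constructed directory snapshot taken at 09:30: alice's revocation never propagated
    # and bob holds a SQL role with no activity at all; both are standing privilege.
    snapshot = {"alice": {"AD-DomainAdmins"}, "bob": {"SQL-sysadmin"}}
    return find_standing_privilege(snapshot, broker, t0 + timedelta(minutes=30))
```

Run against a real directory export, the findings list is the set of accounts that still resemble the pre-programmed taxis of the analogy and should be reconciled against the broker's audit log.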
In a time when cybercriminals are becoming increasingly advanced in their methods of attack, it is incumbent on organisations to ensure that their networks and data are as robustly defended as possible. It is high time to retire the conventional approach to Privileged Account Management. Modern Privileged Access Management takes a vastly different approach, providing each admin with just enough access to perform a specific task and only for as long as it takes to perform that task. By eliminating the need to have all those standing privileged accounts at all, and maintaining as close to a zero standing privilege as possible, organisations can thereby reduce their attack surface and remove opportunities for attackers to infiltrate security systems, while greatly reducing management overheads in the process.