Lateral Movement: Do You have Enough Eyes?

Sophisticated attackers can find their way into a corporate network in many ways: from an external source through the exploitation of an exposed service, or carried in by a user whose laptop was infected while traveling. As the network infrastructure of an enterprise evolves, its exposure to attacks evolves as well. For this reason, it is difficult to build a comprehensive approach that prevents all attacks: sooner or later, an attack will succeed in penetrating the enterprise network.

So, what’s next?

To understand what is required to provide in-depth, continuous protection, one has to think like the attacker: now that the attacker has a foothold on one host in the network, he will do anything in his power to expand and solidify his presence.

To become more persistent, the attacker can use various techniques at different levels of abstraction. Installing a service is one technique that allows the compromise to survive a reboot of the host. Deeper modifications, such as kernel-level rootkits, can additionally hide the attacker's presence from system administrators.

Once the hooks are in, the attacker will try to spread throughout the network, for two main reasons. First, by compromising multiple hosts the attacker improves the odds of surviving a cleanup operation. Second, each newly compromised host might provide valuable information (passwords, hashes, documents, access to file shares). Not all hosts are created equal, and some specific computers might have access to sensitive information.

The activity of moving from host to host inside the network is often called “lateral movement”. It includes scanning for other network resources (hosts, services, file shares, etc.), collecting and exploiting credentials (for example, extracting cleartext passwords from the memory of running processes, or retrieving password hashes in order to perform “pass the hash” attacks), and collecting sensitive information for exfiltration (for example, the email messages of a specific user).

The main problem with detecting lateral movement is that it is, indeed, lateral: the traffic flows from internal host to internal host and never crosses the perimeter. As a result, solutions that operate exclusively at the gateway cannot observe this activity. Unfortunately, most network-based breach detection systems and anti-APT solutions are confined to the gateway, partly for architectural reasons and partly because of cost: anti-malware gateway appliances can carry very substantial price tags (often six figures) and, as a consequence, they cannot be deployed at every network switch or router, since the resulting cost would be prohibitive.

Host-based solutions can help provide visibility, but since they operate in the same space as the attacker, they can be disabled, blinded, or even exploited in “confused deputy” attacks, in which a benign privileged component is tricked into performing malicious tasks on the attacker's behalf. For these reasons, network-level visibility over lateral movement is key to receiving early warning that a threat is spreading through the enterprise network. Such visibility is only as good as its placement, however: a sensor sees only the segments whose traffic is mirrored to it, so internal sensors have to sit where host-to-host traffic actually flows (for example, on a mirror port of a distribution switch, or on the virtual switch of a hypervisor) rather than only at the Internet edge.
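The following is an added example, not Lastline's code, that makes the "lateral is invisible at the gateway" point concrete. It takes a handful of constructed flow records (timestamp, source, destination, destination port), shows what a perimeter sensor would see versus what an internal sensor sees, and flags an internal host that fans out to many internal neighbours on administration ports (SMB, MS-RPC, RDP, WinRM, SSH) inside a short window, which is what the scanning described above looks like on the wire. The RFC 1918 ranges, the port list, the window and the threshold are assumptions chosen for the demonstration.

```python
"""Added example (not Lastline code): why lateral movement is invisible at the gateway.

The flow records below are constructed, and the RFC 1918 ranges, port list,
window and threshold are assumptions made for the sake of the demonstration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Set


class Flow(NamedTuple):
    ts: int        # seconds since an arbitrary epoch
    src: str
    dst: str
    dport: int


# Address space the sensor treats as "inside" (assumption: RFC 1918 only)
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Services an attacker uses to hop between hosts: SMB, MS-RPC, RDP, WinRM, SSH (assumption)
LATERAL_PORTS = {445, 135, 3389, 5985, 5986, 22}
WINDOW_SECONDS = 600      # look for fan-out inside a 10-minute window (assumption)
FANOUT_THRESHOLD = 5      # distinct internal targets before alerting (assumption)

# Constructed sample: one normal user (10.1.2.50) and one compromised workstation (10.1.2.3)
FLOWS = [
    Flow(0,   "10.1.2.50", "10.1.2.20",     445),   # mapped file server, repeated use
    Flow(60,  "10.1.2.50", "10.1.2.20",     445),
    Flow(90,  "10.1.2.50", "93.184.216.34", 443),   # outbound web browsing
    Flow(100, "10.1.2.3",  "10.1.2.10",     445),   # same /24 swept over SMB, RDP, WinRM
    Flow(101, "10.1.2.3",  "10.1.2.11",     445),
    Flow(103, "10.1.2.3",  "10.1.2.12",     445),
    Flow(105, "10.1.2.3",  "10.1.2.13",     3389),
    Flow(110, "10.1.2.3",  "10.1.2.14",     445),
    Flow(130, "10.1.2.3",  "10.1.2.15",     5985),
    Flow(200, "10.1.2.3",  "198.51.100.7",  443),   # C&C beacon: the only attacker flow that crosses the perimeter
]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def gateway_view(flows: List[Flow]) -> List[Flow]:
    """What a sensor at the Internet gateway sees: only flows with one end outside."""
    return [f for f in flows if is_internal(f.src) != is_internal(f.dst)]


def detect_fanout(flows: List[Flow]) -> Dict[str, Set[str]]:
    """Map each internal source that reached at least FANOUT_THRESHOLD distinct
    internal hosts on lateral-movement ports within WINDOW_SECONDS to the set of
    hosts it touched. Only internal-to-internal flows are considered."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in sorted(flows, key=lambda x: x.ts):
        if f.dport in LATERAL_PORTS and is_internal(f.src) and is_internal(f.dst):
            by_src[f.src].append(f)

    alerts: Dict[str, Set[str]] = {}
    for src, fl in by_src.items():
        start = 0
        for end in range(len(fl)):          # sliding window over this source's flows
            while fl[end].ts - fl[start].ts > WINDOW_SECONDS:
                start += 1
            targets = {f.dst for f in fl[start:end + 1]}
            if len(targets) >= FANOUT_THRESHOLD:
                alerts.setdefault(src, set()).update(targets)
    return alerts


if __name__ == "__main__":
    print("internal sensor :", {s: sorted(t) for s, t in detect_fanout(FLOWS).items()})
    # empty: the sweep never crosses the perimeter, only the beacon does
    print("gateway sensor  :", detect_fanout(gateway_view(FLOWS)))
```

Run against the full record set, the detector names 10.1.2.3 and the six neighbours it touched; run against `gateway_view(FLOWS)`, it returns nothing, because the only attacker traffic the perimeter sees is a single HTTPS beacon that looks like any other outbound connection. A real deployment would feed the detector from mirror-port or NetFlow data on the internal segments and tune the window and threshold per environment (a backup server or vulnerability scanner legitimately fans out and needs an allow-list).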

This is why Lastline focuses on providing a solution that allows for the monitoring of multiple (in fact, an unlimited number of) networks at no additional cost. In Lastline’s model, the customer acquires a software license whose cost is based on the number of users being protected. The network sensors that analyze breach-related activity can then be installed on customer-provided commodity hardware, which costs a fraction of a standard appliance, as well as on virtual appliances that can monitor movement in non-physical networks. Because of this deployment model, Lastline’s customers can monitor dozens of networks for the cost of a single gateway box, gaining visibility into critical lateral movement activity in their network.

For example, Lastline can identify the transfer of malicious files onto internal shares, a technique often used to spread an infection. In this case, the attacker might upload a malicious PDF document to a shared directory and then send an email from a compromised internal account with a link to the file. The recipients see an internal email with a link to an internal file, which in most cases results in their opening the file, and thus in the compromise of their hosts and of the credentials on them.
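As an added example of detecting the scenario just described (this is illustrative code, not Lastline's implementation), the block below correlates two event sources an internal sensor can observe: writes to a file share and internal mail traffic. It extracts UNC paths from message bodies and raises an alert when an internal sender mails a link to a file of a watched type shortly after that file was written to the share, reporting who wrote it, from which client, and who received the link. The SMB write events and mail-log entries are constructed; the UNC regular expression, the list of watched file types, the internal mail domain and the six-hour window are assumptions.

```python
"""Added example (not Lastline code): connect a file dropped on an internal share
with an internal email that links to it.

The SMB write events and mail-log entries below are constructed; the UNC regex,
the watched file types, the internal mail domain and the time window are assumptions.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set, Tuple


class ShareWrite(NamedTuple):
    ts: datetime
    account: str
    client_ip: str
    path: str            # UNC path as logged by the file server, e.g. \\fs01\public\report.pdf


class Email(NamedTuple):
    ts: datetime
    sender: str
    recipients: Tuple[str, ...]
    body: str


INTERNAL_DOMAIN = "corp.example"                                                    # assumption
WATCHED_EXT = (".pdf", ".exe", ".scr", ".lnk", ".js", ".hta", ".docm", ".xlsm")   # assumption
# \\server\share\dir\file.ext ; a path component stops at whitespace, quotes and angle brackets
UNC_RE = re.compile(r'\\\\[\w.-]+(?:\\[^\\\s<>"]+)+')

# Constructed sample events: one attacker-planted PDF and one long-standing HR document
SHARE_WRITES = [
    ShareWrite(datetime(2024, 5, 2, 9, 12), "jsmith", "10.1.2.3", r"\\fs01\public\Q3-report.pdf"),
    ShareWrite(datetime(2024, 4, 29, 10, 0), "alice", "10.1.2.50", r"\\fs01\hr\policy.pdf"),
]
EMAILS = [
    Email(datetime(2024, 5, 2, 9, 40), "jsmith@corp.example",
          ("bob@corp.example", "carol@corp.example"),
          r"Team, the updated numbers are at \\fs01\public\Q3-report.pdf, please review before noon."),
    Email(datetime(2024, 5, 2, 10, 5), "alice@corp.example", ("all@corp.example",),
          r"Reminder: the leave policy is at \\fs01\hr\policy.pdf as usual."),
]


def normalize(path: str) -> str:
    """Case-fold and trim trailing punctuation so logged paths and mailed links compare equal."""
    return path.rstrip(".,;:!?)").lower()


def extract_unc_paths(text: str) -> Set[str]:
    return {normalize(m.group(0)) for m in UNC_RE.finditer(text)}


def correlate(writes: List[ShareWrite], emails: List[Email],
              window: timedelta = timedelta(hours=6)) -> List[Dict[str, object]]:
    """Alert when an internal sender mails a link to a watched file that was
    written to a share within `window` before the message was sent."""
    by_path: Dict[str, List[ShareWrite]] = {}
    for w in writes:
        by_path.setdefault(normalize(w.path), []).append(w)

    alerts: List[Dict[str, object]] = []
    for e in emails:
        if not e.sender.endswith("@" + INTERNAL_DOMAIN):
            continue                                  # the scenario is a compromised internal account
        for p in extract_unc_paths(e.body):
            if not p.endswith(WATCHED_EXT):
                continue
            for w in by_path.get(p, []):
                lag = e.ts - w.ts
                if timedelta(0) <= lag <= window:     # written first, then mailed around soon after
                    alerts.append({
                        "path": p, "written_by": w.account, "writer_ip": w.client_ip,
                        "sender": e.sender, "recipients": e.recipients,
                        "lag_minutes": int(lag.total_seconds() // 60),
                    })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SHARE_WRITES, EMAILS):
        print(alert)
```

On the sample data only the Q3 report is flagged (written from 10.1.2.3, mailed 28 minutes later); the HR policy link is ignored because the file had been on the share for days. The correlation does not by itself prove the PDF is malicious, which is why, in the model the text describes, the written file is also handed to artifact analysis: the alert is the trigger to fetch and detonate the file and to look at what 10.1.2.3 has been doing on the network.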

Lastline focuses on providing sophisticated anti-malware solutions that “connect the dots” between network activity (C&C traffic, network attacks, file transfers, lateral movement) and artifact analysis (executables, PDF files, Office documents). By correlating the different pieces of evidence collected both at the gateway and within internal networks, Lastline provides a comprehensive, cost-effective solution to the detection of the most sophisticated breaches.

Giovanni Vigna

Giovanni Vigna is one of the founders and CTO of Lastline as well as a Professor in the Department of Computer Science at the University of California, Santa Barbara. His current research interests include malware analysis, web security, vulnerability assessment, and mobile phone security. He also edited a book on Security and Mobile Agents and authored one on Intrusion Correlation. He has been the Program Chair of the International Symposium on Recent Advances in Intrusion Detection (RAID 2003), of the ISOC Symposium on Network and Distributed Systems Security (NDSS 2009), and of the IEEE Symposium on Security and Privacy in 2011. He is known for organizing and running an inter-university Capture The Flag hacking contest, called iCTF, that every year involves dozens of institutions around the world. Giovanni Vigna received his M.S. with honors and Ph.D. from Politecnico di Milano, Italy, in 1994 and 1998, respectively. He is a member of IEEE and ACM.