Page 73 - Cyber Defense eMagazine April 2021 Edition
The sheer size and scale of the SolarWinds attack indicates that traditional attack mitigation strategies and technologies are not adequate on their own for stopping human-guided attacks like APTs or advanced ransomware. If an organization isn't using technology that can detect and stop the lateral movement component of a typical contemporary cyber-attack, it will remain vulnerable and at risk of a successful incursion. Organizations must augment their strategies to stop human-operated attacks as they move through their networks and prevent them from accessing systems and endpoints at scale.

Why are lateral movement attacks still happening?

With great opportunity comes great evolution, and the lateral movement attacks of the 2020s are more sophisticated than ever before. These kinds of attacks are now so prevalent that they're used in nearly every other kind of cyber-attack, even though the time it takes to detect a network intrusion dropped from 418 days in 2011 to 78 days in 2019. Once an attacker is able to establish a beachhead, they can cause massive amounts of damage to organizations and even force them out of business.

There are several reasons why lateral movement attacks are still happening: 1) the size of the attack surface makes it difficult to prevent attackers from establishing a beachhead; 2) the attacker has access to increasingly sophisticated tools; and 3) limitations in our existing security controls for detecting and preventing lateral movement.

A notable recent contributor to the increased attack surface is the current pandemic forcing employees to work from home (WFH), expanding the attack surface far beyond what security teams expected to manage. Employee home networks rarely have the security controls in place that corporate networks do, from security appliances to management software. The WFH user can represent an easier target for threat actors to establish a beachhead, and once compromised, can offer a path to targeted crown jewels. Moreover, the shift to work from home significantly changed the behavior defined as normal by anomaly-based detection systems, resulting in a significant increase in false positive alerts. It's difficult to establish a baseline for behavior-based detection when nearly everyone's behavior patterns are changing.


To better exploit this extensive and changing attack surface, attackers have easy access to increasingly sophisticated tools. For example, they can obtain easy-to-use Ransom-as-a-Service (RaaS), with a sophisticated toolset, in exchange for splitting their payouts with the RaaS operator.

Current security controls are mostly focused on the perimeter, defensive in nature and reliant on signatures and anomalies for detection. When the attacker circumvents the perimeter, it's far too easy for them to move laterally without detection. Threat actors look to move laterally within networks because before they can steal data, they need to understand what data is available on the network in the first place. While extended dwell time makes it easier in some cases to detect and stop the threat actors before attacks can hit paydirt, it also means that a straightforward endpoint threat detection and response (EDR) solution will not always detect activity that leverages legitimate connectivity and normal behavior to avoid anomaly-based detection.

Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.