Page 32 - Cyber Defense Magazine for August 2020
Assessing and Addressing These New Risks
A balance of security controls is necessary to address initial compromise, lateral movement, privilege escalation, and data loss. If attackers have already evaded EPP and EDR tools and compromised an internal system, technology like cyber deception plays a valuable role in detecting lateral movement and protecting applications from unauthorized access. Additionally, data loss prevention capabilities can stop employees (or attackers) from saving sensitive information to personal devices.
Improving lateral movement detection is vital. After the initial compromise of a network, there is a dark period of lateral movement and privilege escalation before the data protection tools detect anything. This lack of visibility means that there is no detection mechanism present until the tail end of the attack, which may be too late. Most security controls will also have difficulty pinpointing attack path vulnerabilities and the attacker's tactics, techniques, and procedures (TTPs). Unless the organization has a mechanism to record an attacker's activity during a live attack (such as a decoy or engagement environment), it can be difficult for security teams to understand the attack methods, the attacker's objectives, and how broad a footprint the attacker has established.
To this end, it is vital to have visibility into attack paths to essential assets and into network activity, including devices joining or leaving the network and the presence of shadow admin accounts. This sort of credential tracking is more important than ever, and having the correct tools in place can stop a breach before it succeeds. Decoys can also record and replay attacks for better correlation of attack activities and for gathering company-specific threat intelligence.
The spike in remote employees underscores the need to boost VPN security, as new traffic patterns amid remote work have shattered traditional activity baselines and made suspicious behavior harder to identify. This need also applies to cloud security, since much of the remote work uses PaaS, SaaS, and IaaS accounts to collaborate between sites. Decoy systems and accounts can also identify unauthorized attempts to gain credential or administrative access to the VPN network segment or cloud service, giving organizations visibility into suspicious activity in those areas.
Active Directory is also a prime target, and the ability to track unauthorized AD queries from endpoints is critical. Attackers target AD because it contains all the information, objects, and accounts they need to compromise an enterprise network, and such activity is difficult to detect. Detection capabilities that alert on unauthorized queries and misinform attackers can be instrumental in derailing this form of attack.
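As an added illustration of the alerting described above (example code, not from the article or any vendor), the monitor below reads directory query records and raises an alert when an endpoint touches a seeded decoy account or enumerates more distinct objects than an ordinary workstation would. The log format, decoy names, authorized hosts and threshold are all assumptions; the log lines are constructed.

```python
"""Decoy-aware Active Directory query monitor (added example; assumptions noted inline)."""
from collections import defaultdict

# Assumed: decoy accounts seeded in AD that no legitimate process ever reads.
DECOY_OBJECTS = {"svc-backup-legacy", "adm-helpdesk2"}
# Assumed: hosts permitted to run directory-wide enumerations (e.g. inventory servers).
AUTHORIZED_ENUMERATORS = {"MGMT01"}
# Distinct objects a single endpoint may touch before the pattern is treated as enumeration.
ENUM_THRESHOLD = 3

# Constructed sample records: "source_host|user|operation|target_object"
SAMPLE_LOG = """\
WS-101|jdoe|LDAP_SEARCH|jdoe
WS-101|jdoe|LDAP_SEARCH|printers
WS-207|kmiller|LDAP_SEARCH|svc-backup-legacy
WS-207|kmiller|LDAP_SEARCH|adm-helpdesk2
WS-207|kmiller|LDAP_SEARCH|Domain Admins
WS-207|kmiller|LDAP_SEARCH|Enterprise Admins
MGMT01|svc-inventory|LDAP_SEARCH|Domain Admins
MGMT01|svc-inventory|LDAP_SEARCH|Domain Users
MGMT01|svc-inventory|LDAP_SEARCH|Domain Computers
MGMT01|svc-inventory|LDAP_SEARCH|Enterprise Admins
"""


def parse_log(text):
    """Split pipe-delimited records into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, user, op, target = line.split("|", 3)
        records.append({"host": host, "user": user, "op": op, "target": target})
    return records


def detect(records):
    """Return alert tuples: (kind, host, user, detail).

    DECOY_TOUCH fires on any read of a decoy object (high confidence, since
    nothing legitimate should query it); ENUMERATION fires when an
    unauthorized host touches more than ENUM_THRESHOLD distinct objects.
    """
    alerts = []
    targets_by_host = defaultdict(set)
    for r in records:
        if r["target"] in DECOY_OBJECTS:
            alerts.append(("DECOY_TOUCH", r["host"], r["user"], r["target"]))
        targets_by_host[r["host"]].add(r["target"])
    for host, targets in targets_by_host.items():
        if host not in AUTHORIZED_ENUMERATORS and len(targets) > ENUM_THRESHOLD:
            alerts.append(("ENUMERATION", host, None, len(targets)))
    return alerts
```

Running `detect(parse_log(SAMPLE_LOG))` yields two decoy alerts and one enumeration alert, all for WS-207; the authorized inventory host's identical group reads produce nothing.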
Layered Defenses Secure the Present and the Future
To invoke a sports analogy, you can't spike the football before you get to the end zone. There remains a legitimate likelihood that attackers are actively lurking in networks. The situation underscores the importance of layered defenses that force attackers to clear as many hurdles as possible to conduct their attacks. Attackers have taken advantage of the unfamiliar remote working situation to enter corporate networks, so it is vital to have protections in place to detect their lateral movement within those networks and stop them before harm can be done.
Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.