By Keith Wilson
One of the most damaging assumptions an organization can make is to assume an attacker’s end goal is to compromise a network. The majority of threat actors are after your data, not just circumventing firewalls and access controls. If they gain access to your network but get found out before they can steal anything, the attack was most likely considered a failure.
To assume you have lost the moment an attacker gains entry to the network is dangerous because it leads security teams to pour all of their money into shoring up perimeter defenses while leaving internal network security lax.
The truth is it is too difficult to keep every attacker out to rely solely on this tactic for defense. Security teams need to diversify by monitoring for lateral movement.
After an intruder has infiltrated your network, they need to complete a series of steps to reach their end goal – exfiltrating data.
This is commonly comprised of lateral movement, especially when it comes to advanced persistent threats (APTs) and “low and slow” tactics.
Lateral movement
consists of two basic activities:
- Reconnaissance
- Extending reach
With the right tools, all of these actions can be detected quickly, allowing security personnel to mitigate the attack before any data is lost. Below is a description of each of these phases and how the StealthWatch® System detects them.
Reconnaissance
In order to find valuable data and move laterally throughout the network, the attacker must learn the network topology. Understanding the network layout, what services are in use, what security and access control methods are in place and what operating systems are present is a critical step in the attack. Attackers can use a variety of methods to accomplish this, but they will commonly use port scanning tools and ping sweeps, both of which are detected by StealthWatch.
By obtaining comprehensive network visibility, monitoring metadata and building traffic trends and behavior profiles, the StealthWatch System can identify port scanning activity coming from a machine that shouldn’t be exhibiting that behavior. This activity contributes to a Concern Index, and when the index passes a defined acceptable threshold, StealthWatch then alerts the security teams. By conducting a short forensic investigation into the network traffic audit trail, security operators can quickly assess the legitimacy of the action and identify any other malicious behavior coming from the machine. Within minutes, they can understand the source and reach of an internal threat, allowing them to remove every foothold and shut down the attacker’s method of entry.
Extending reach
After reconnaissance, the attacker will turn their attention to escalating privileges and extending their reach across the network. Using remote access tools, they can access desktops and execute programs, collect more data and improve their presence on the network. Once they have extended their reach far enough to access the target data, the attacker will begin preparing for exfiltration. Stopping them at this stage may be your last chance to prevent a breach.
Remote access is common in many organizations, so this activity may not trigger any alarms in traditional security solutions. The StealthWatch System addresses this problem by again looking to past activity trends and identifying anomalous behavior. Most users interact with the same machines and services on a day-to-day basis, but attackers break this trend because they are actively looking to compromise as many machines as possible. StealthWatch keeps tracks of what machines talk to each other regularly, what resources users access regularly, how much data is transferred to or from each host and what time frame these activities take place in. A deviation from any of these trends – and many more – will trigger an alert in StealthWatch.
Additionally, StealthWatch users can pull reports to find out what machines interacted with a compromised host in the past. This can help investigators determine the scope of an attack as well as assist in removing a foothold an attacker may have left on the network.
This protection doesn’t only cover users but is also extended to specialized network devices and servers. With the prevalence of insecure Internet of Things (IoT) and embedded devices in many modern networks, attackers often use these machines as pivot points and home bases. It is difficult to deploy end-point protection on these devices because they often use custom software. StealthWatch is able to detect malicious activity coming from these machines by monitoring them from the network level, eliminating a critical blind spot.
Conclusion
Guarding the network perimeter is no longer a sufficient defense measure. All networks will be compromised at some point. When it happens, the attacker will begin moving laterally, surveying the network, obtaining new privileges and extending their reach until they have collected everything they want for exfiltration. Without the right tools, this activity could lead to a devastating data breach. However, using the StealthWatch System, you can identify activities associated with lateral movement in real time, allowing you to stop the threat before you lose your data.
To learn more about detecting lateral movement and APTs, read our brief “Combating APTs with NetFlow.”
Contact me for your WebEx demonstration of StealthWatch
