How to stop lateral movement
Brad Hibbert, Lead Solutions Strategist at BeyondTrust

“Look for solutions that can also restrict access based on the risk associated with the environment or activity.”

were targeted. Once inside the network, attackers begin to learn about the network: the layout, the assets. They begin to move laterally to other systems and look for opportunities to collect additional credentials, upgrade privileges, or simply use the privileges they have already compromised to access systems, applications and data. Lastly, the attacker collects, packages and eventually exfiltrates the data.

While the Data Breach Investigations Report and nearly every security vendor on the planet makes recommendations on reducing the risks associated with each stage of the attack, it is worth focusing on the stage related to lateral movement. If you can create barriers to moving laterally, you may be able to protect access to high-value assets, or at least slow the attacker down enough that you can adequately contain the outbreak and mitigate the impact of the breach. To that end, below are 10 steps organisations can take to stop lateral movement:

1. Use Standard User Accounts. Enforce that all users have a standard user account. Administrators across all platforms should log in with their standard accounts as normal practice, and should only log in with administrative rights when they need to perform administrative tasks. This might sound obvious and reasonable, but in practice it doesn’t always happen.

2. Enforce the Principle of Least Privilege. If a user does not need access to systems, applications or data, remove it. As a first step, remove administrator rights on desktops for all users.

3. Implement Application Whitelisting. Implement policy to allow known good applications, and log all other applications and launch attempts. If possible, restrict launching of end-user applications with known critical security vulnerabilities.

4. Require Multifactor Authentication. Implement multi-factor authentication for access to internal systems, applications and even data. A static multi-factor policy, applied according to whether a system or application is considered good, is a start, but getting too restrictive can become frustrating for users. Look for solutions that can also restrict access based on the risk associated with the environment or activity. For example, if someone tries to launch a sensitive application after hours for the first time, or tries to run a sensitive command on the Unix server that is missing critical patches, step up the security and trigger a re-authentication with multi-factor.

5. Use Context-Based and Adaptive Access Controls. At some point people need access to do their jobs, but continue to lock down when they have access, and from which location they have access. Restricting access based on static elements like time of day or subnet is good, but restricting access dynamically based on risk (i.e. does a ticket exist for the access, does this request adhere to a normal access pattern, have I received recent alerts

96
INTELLIGENTCIO
www.intelligentcio.com
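For step 3 above, the following is an added example (not code from the article or from BeyondTrust) of the allow-then-log policy it describes: an application is identified by the SHA-256 of its image, only allow-listed hashes may launch, approved builds later found to carry a critical vulnerability are refused, and every attempt that is not allowed is logged for review. The executables, their hashes, the version numbers and the user and path values are constructed stand-ins; a real control would hash the file on disk.

```python
"""Application allow-listing by file hash, with every other launch attempt logged.

Added example; it is not code from the article or from BeyondTrust. The
"binaries", their hashes and the vulnerable-version entry are constructed here
so the block runs offline; a real control would hash the image on disk.
"""
import hashlib
import logging
from dataclasses import dataclass

logger = logging.getLogger("launch-policy")
logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")


def sha256_hex(image: bytes) -> str:
    """Identity of an executable is its content hash, not its path or name."""
    return hashlib.sha256(image).hexdigest()


# Constructed stand-ins for approved executables: hash -> (name, version).
KNOWN_GOOD = {
    sha256_hex(b"constructed image: editor 4.1"): ("editor", "4.1"),
    sha256_hex(b"constructed image: editor 4.2"): ("editor", "4.2"),
    sha256_hex(b"constructed image: browser 118"): ("browser", "118"),
}

# Approved builds later found to carry a critical vulnerability (constructed).
# Step 3 says to restrict launching these where possible.
KNOWN_VULNERABLE = {("editor", "4.1")}

# Every attempt that is not allowed is recorded here as well as logged, so the
# security team can review what users are trying to run.
AUDIT_LOG = []


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    digest: str


def decide_launch(image: bytes, user: str, path: str) -> Decision:
    """Allow only hashes on the allow-list; deny and log everything else."""
    digest = sha256_hex(image)
    identity = KNOWN_GOOD.get(digest)
    if identity is None:
        decision = Decision(False, "not allow-listed", digest)
    elif identity in KNOWN_VULNERABLE:
        decision = Decision(False, "known critical vulnerability", digest)
    else:
        return Decision(True, f"allow-listed as {identity[0]} {identity[1]}", digest)
    AUDIT_LOG.append({"user": user, "path": path, "sha256": digest, "reason": decision.reason})
    logger.warning("DENY user=%s path=%s sha256=%s reason=%s",
                   user, path, digest, decision.reason)
    return decision


if __name__ == "__main__":
    # Constructed launch attempts: one approved build, one vulnerable build,
    # one unknown tool downloaded by a user.
    attempts = [
        ("alice", r"C:\Program Files\Editor\editor.exe", b"constructed image: editor 4.2"),
        ("alice", r"C:\Users\alice\Downloads\editor-old.exe", b"constructed image: editor 4.1"),
        ("bob", r"C:\Users\bob\Downloads\tool.exe", b"constructed image: unknown tool"),
    ]
    for user, path, image in attempts:
        print(user, path, decide_launch(image, user, path))
    print(f"{len(AUDIT_LOG)} attempt(s) recorded for review")
```

Keying the policy on the hash rather than the file name is what makes the "known good" judgement hold: a renamed or copied binary still resolves to the same identity, and a build that was approved yesterday can be pulled from circulation today by adding its name and version to the vulnerable set without touching the allow-list.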
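For steps 4 and 5 above, here is an added example (not the article's or BeyondTrust's code) of a risk-based step-up policy of the kind the author describes. It scores a request on the signals the article names (after hours, first-time action, a target missing critical patches, whether a change ticket exists, whether the request fits the user's normal access pattern, recent alerts for the user, and source network) and returns one of allow, step-up-mfa or deny. Any risk on a sensitive action triggers re-authentication with multi-factor, and heavily accumulated risk is denied even for non-sensitive actions. The signal weights, thresholds, sample users, networks, timestamps and ticket numbers are assumptions constructed for this example.

```python
"""Risk-based step-up authentication policy (steps 4 and 5).

Added example; not the article's or BeyondTrust's code. Weights, thresholds,
users, networks, timestamps and ticket ids are assumptions constructed here.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class AccessRequest:
    user: str
    action: str                          # e.g. "launch:payroll-app", "run:sudo-restart"
    sensitive: bool                      # sensitive application or command?
    source_ip: str
    at: datetime
    target_missing_critical_patches: bool = False
    change_ticket: Optional[str] = None  # ticket authorising the access, if any


@dataclass
class Environment:
    business_hours: tuple[time, time] = (time(8, 0), time(18, 0))
    trusted_networks: tuple[str, ...] = ("10.10.0.0/16",)
    history: dict[str, set[str]] = field(default_factory=dict)  # user -> past actions
    users_with_recent_alerts: set[str] = field(default_factory=set)


# Weights and thresholds are assumptions for this example, not a standard.
WEIGHTS = {
    "after-hours": 1,
    "first-time-action": 1,
    "untrusted-network": 1,
    "no-change-ticket": 1,
    "target-unpatched": 2,
    "recent-alerts-for-user": 2,
}
STEP_UP_AT = 1  # any risk on a sensitive action triggers re-authentication
DENY_AT = 5     # too much accumulated risk: block and let a human review


def risk_signals(req: AccessRequest, env: Environment) -> list[str]:
    """Collect the dynamic risk signals present on this request, in a fixed order."""
    start, end = env.business_hours
    signals = []
    if not (start <= req.at.time() < end):
        signals.append("after-hours")
    if req.action not in env.history.get(req.user, set()):   # not a normal pattern
        signals.append("first-time-action")
    ip = ipaddress.ip_address(req.source_ip)
    if not any(ip in ipaddress.ip_network(net) for net in env.trusted_networks):
        signals.append("untrusted-network")
    if req.change_ticket is None:
        signals.append("no-change-ticket")
    if req.target_missing_critical_patches:
        signals.append("target-unpatched")
    if req.user in env.users_with_recent_alerts:
        signals.append("recent-alerts-for-user")
    return signals


def decide(req: AccessRequest, env: Environment) -> tuple[str, int, list[str]]:
    """Return (outcome, score, signals); outcome is allow, step-up-mfa or deny."""
    signals = risk_signals(req, env)
    score = sum(WEIGHTS[s] for s in signals)
    if score >= DENY_AT:
        return "deny", score, signals
    if req.sensitive and score >= STEP_UP_AT:
        return "step-up-mfa", score, signals
    return "allow", score, signals


def sample_environment() -> Environment:
    """Constructed environment: alice and bob have some history, bob has alerts."""
    return Environment(
        history={"alice": {"launch:payroll-app"}, "bob": {"run:sudo-restart"}},
        users_with_recent_alerts={"bob"},
    )


def make_request(user: str, action: str, sensitive: bool, source_ip: str,
                 at: str, **extra) -> AccessRequest:
    """Build a request from an ISO-8601 timestamp string (convenience for demos)."""
    return AccessRequest(user, action, sensitive, source_ip,
                         datetime.fromisoformat(at), **extra)


if __name__ == "__main__":
    env = sample_environment()
    demo = [
        make_request("alice", "launch:payroll-app", True, "10.10.5.20",
                     "2024-03-04T10:15:00", change_ticket="CHG-0001"),
        # the article's example: sensitive app, after hours, first time
        make_request("alice", "launch:hr-admin-console", True, "10.10.5.20",
                     "2024-03-04T21:30:00", change_ticket="CHG-0002"),
        # sensitive command on a server missing critical patches
        make_request("bob", "run:sudo-restart", True, "10.10.7.3",
                     "2024-03-04T11:00:00", change_ticket="CHG-0003",
                     target_missing_critical_patches=True),
    ]
    for req in demo:
        print(req.user, req.action, decide(req, env))
```

The signals are kept separate from the outcome on purpose: the tuple returned by decide is what you would write to the audit log, so that when a user is prompted to re-authenticate the record shows exactly which conditions (after hours, missing ticket, unpatched target) caused it, which is also what makes the thresholds tunable without guesswork.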