Break the Attack Chain: Developing the Position to Detect Lateral Movement Attacks 


In this three-part “Break the Attack Chain” blog series, we look at how threat actors compromise our defenses and move laterally within our networks to escalate privileges and prepare for their final endgame.  

If one phrase could sum up the current state of the threat landscape, it is this: Threat actors don’t break in. They log in.  

Rather than spend time trying to circumnavigate or brute force their way through our defenses, today’s cybercriminals set their sights firmly on our users. Or to be more accurate, their highly prized credentials and identities.  

This remains true at almost every stage of the attack chain. Identities are not just an incredibly efficient way into our organizations, they also stand in the way of the most valuable and sensitive data. As a result, the cat-and-mouse game of cybersecurity is becoming increasingly like chess, with the traditional smash-and-grab approach making way for a more methodical M.O.  

Cybercriminals are now adept at moving laterally through our networks, compromising additional users to escalate privileges and lay the necessary groundwork for the endgame.  

While this more tactical gambit has the potential to do significant damage, it also gives security teams many more opportunities to spot and thwart attacks. If we understand the threat actor’s playbook from the initial compromise to impact, we can follow suit and place protections along the length of the attack chain.    

Understanding the opening repertoire  

To continue our chess analogy, the more we understand our adversary’s opening repertoire, the better equipped we are to counter it.  

When it comes to lateral movement, we can be sure that the vast majority of threat actors will follow the line of least resistance. Why attempt to break through defenses and risk detection when it is much easier to search for credentials that are stored on the compromised endpoint?  

This could be a search for password.txt files, stored Remote Desktop Protocol (RDP) credentials, or anything of value that could be sitting in the recycle bin. If it sounds scarily simple, that’s because it is. This approach does not require admin privileges. It is unlikely to trigger any alarms. And unfortunately, it’s successful time and time again.  

Proofpoint has found through our research that one in six endpoints contains an exploitable identity risk that allows threat actors to escalate privileges and move laterally using this data. (Learn more in our Analyzing Identity Risks report.) 

When it comes to large-scale attacks, DCSync is also now the norm. Nation-states and many hacking groups use it. It is so ubiquitous that if it were a zero-day, security leaders would be crying out for a patch.  

However, because it is generally accepted that Active Directory is difficult to secure, it is also accepted that vulnerabilities like this will continue to exist.  

In simple terms, a DCSync attack allows a threat actor to simulate the behavior of a domain controller and retrieve password data on privileged users from Active Directory. And, once again, it is incredibly easy to execute.  

With a simple PowerShell command, threat actors can find users with the permissions they require. Add an off-the-shelf tool like Mimikatz into the mix, and within seconds, they can access every hash and every Active Directory privilege on the network.  
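Detecting that replication request is the defensive counterpart to the DCSync technique described above. The following Python is an added example, not Proofpoint's code: it scans constructed Windows Security event 4662 records for the two replication extended rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) being exercised by anything other than a domain controller account. The simplified event format, the account names and the domain controller allow-list are assumptions made for the example.

```python
import re

# Well-known Active Directory extended-right GUIDs that a DCSync request exercises.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcf2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcf2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Accounts that legitimately replicate: domain controller machine accounts.
# Constructed allow-list for this example; in practice derive it from AD.
KNOWN_DC_ACCOUNTS = {"CORP\\DC01$", "CORP\\DC02$"}

# Constructed, simplified one-line renderings of Windows Security event 4662
# ("An operation was performed on an object"); the real event is XML.
SAMPLE_EVENTS = """\
4662 Subject=CORP\\DC02$ Object=DC=corp,DC=local Access=Control Access Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcf2}
4662 Subject=CORP\\jsmith Object=DC=corp,DC=local Access=Control Access Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcf2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcf2}
4662 Subject=CORP\\svc-backup Object=CN=Finance,DC=corp,DC=local Access=Read Property Properties={bf967aba-0de6-11d0-a285-00aa003049e2}
4624 Subject=CORP\\jsmith LogonType=3
"""

LINE_RE = re.compile(r"^(?P<id>\d+) Subject=(?P<subject>\S+) .*?Properties=(?P<props>.*)$")


def parse_event(line):
    """Return {id, subject, props} for a 4662-style line, or None if it has no Properties field."""
    m = LINE_RE.match(line)
    if not m:
        return None
    guids = set(re.findall(r"[0-9a-f-]{36}", m.group("props").lower()))
    return {"id": int(m.group("id")), "subject": m.group("subject"), "props": guids}


def is_dcsync_candidate(ev):
    """A DC account using the replication rights is normal replication; any other
    principal exercising them against the domain object is a DCSync suspect."""
    if ev is None or ev["id"] != 4662:
        return False
    if not (ev["props"] & REPLICATION_RIGHTS):
        return False
    return ev["subject"] not in KNOWN_DC_ACCOUNTS


def find_dcsync_suspects(log_text):
    """Return the subjects of every event that looks like a DCSync request."""
    return [ev["subject"] for ev in map(parse_event, log_text.splitlines())
            if is_dcsync_candidate(ev)]


if __name__ == "__main__":
    for subject in find_dcsync_suspects(SAMPLE_EVENTS):
        print("possible DCSync by", subject)
```

Auditing 4662 requires an object-level SACL on the domain naming context that covers the replication extended rights; without it the events are never written.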

Mastering our defense 

With threat actors inside our organizations, it is too late for traditional perimeter protections. Instead, we must take steps to limit attackers’ access to further privileges and encourage them to reveal their movements.  

This starts with an assessment of our environment. Proofpoint Identity Threat Defense offers complete transparency, allowing security teams to see where they are most vulnerable. With this information, we can shrink the potential attack surface by increasing protections around privileged users and cleaning up endpoints to make it harder for cybercriminals to access valuable identities. 

With Proofpoint Identity Threat Defense, we can run these processes automatically to continuously remediate real-time vulnerabilities, even when attackers are already moving laterally across our environments. 

But of course, for as long as cybercriminals are behind our defenses, we cannot rest easy. So, as well as limiting the potential for escalation, we must also tempt malicious actors out into the open, revealing their tools, techniques and procedures.  

We can do this by expanding the perceived attack surface. Proofpoint Identity Threat Defense uses over 75 deception techniques to imitate credentials, connections, data, systems and other artifacts that appear useful to an attacker. 

We know most cybercriminals follow that line of least resistance. So, we can be confident that they will move to take our queen if it appears to be exposed. But this time, they trigger our defenses—giving us insight into compromised logins, screenshots of malicious activity and much more.  

This approach allows security teams to detect and stop lateral movement—and it gives us a view from the attacker’s perspective. We can see how close threat actors got to critical assets, how they got there and how they interact with our deceptive data. All this information helps us hone our defensive playbook in preparation for attackers’ inevitable next move. 

Learn more 

Watch this webinar to get more insight into how you can break the attack chain and protect your people with human-centric security solutions. 

Find out more about Proofpoint Identity Threat Defense, and come back next week for a breakdown of the final stage of the attack chain—staging and impact.