Mitigating Lateral Movement with Zero Trust Access


Security service edge (SSE) technology was created to protect remote and branch users with a unified, cloud-delivered security stack. To understand how SSE solutions protect organizations and their users, it is worth analyzing attacker techniques, as well as the protections and controls SSE solutions use to disrupt them.

The MITRE ATT&CK framework is a helpful lens for this. MITRE ATT&CK is a large knowledge base of attacker techniques that cybersecurity experts use to describe the attack kill chains they observe when studying threat activity. This post uses the MITRE ATT&CK framework to analyze specific techniques within the "lateral movement" category, describe how each technique works, and detail how Cisco's SSE solution, Cisco Secure Access, can protect you from them.

Lateral Movement

Lateral movement is a critical phase in the cyber kill chain. Once attackers have breached a single system or user account, they need to expand their presence within the network to reach valuable resources, sensitive data, or more permissive privileges. Lateral movement allows attackers to establish a foothold within the network, extend their reach, and achieve their objectives.

Attackers use a variety of techniques, such as exploiting remote services or infecting shared resources, to move horizontally across the network and gain unauthorized access to more critical systems or privileged accounts. By maneuvering laterally, attackers can evade detection, maintain persistence, and maximize the impact of their attack.

In its Enterprise Matrix, the MITRE ATT&CK framework describes lateral movement as a category made up of nine techniques, several with numerous sub-techniques. While that is too much to cover in this blog post, let's analyze several of the most common techniques.

Exploitation of Remote Services

One of the key techniques used in lateral movement is the exploitation of remote services. In this technique, attackers look for a vulnerable or misconfigured service that they can exploit to gain access to the system it is running on. From there, they can continue to exploit the remote system, often establishing persistence so they can return to it again and again and use it as a launchpad to pivot deeper into the network.

Attackers usually start by discovering what services are running on an organization's remote systems, and they use a variety of discovery techniques to determine whether any of them are vulnerable to compromise. Most services have had some sort of vulnerability at some point, and if any of them are left unpatched and outdated, that vulnerability may still be active. For example, in 2017, the WannaCry ransomware used an exploit called EternalBlue, which took advantage of a vulnerability in the server message block (SMB) protocol, to spread around the world. In addition, applications that may be used in the internal network, such as MySQL, may contain vulnerabilities that attackers can exploit. While many of these vulnerabilities may have patches available, it is often difficult to patch a resource, or easy to overlook it, leaving it vulnerable to attack.

Remote Services

Sometimes the attacker does not need to attack the remote service itself. Instead, they can use valid credentials that were stolen some other way to take advantage of remote services intended for employees. In this attack, the attacker obtains the stolen credentials through techniques such as phishing or credential stuffing.

Once they have these credentials, they can use remote access services such as secure shell (SSH) or remote desktop protocol (RDP) to move deeper into the network. Sometimes these credentials are used in centralized identity management with single sign-on, which gives the attacker broad reach in the network if they can successfully authenticate with the central identity provider.

In some cases, legitimate applications make use of remote services, such as software deployment tools or native remote desktop applications, and these can sometimes be abused to obtain remote code execution or lateral movement.
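Because this technique uses valid credentials, the service itself looks healthy and the signal is in the authentication logs: one account reaching many distinct hosts over SSH or RDP in a short window. The following detection logic is an added example for this post, not Cisco's code; the log records, usernames, hostnames and the ten-minute/four-host thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, user, source host, destination host, service).
# All users and hostnames are hypothetical.
SAMPLE_LOGINS = [
    ("2024-05-01T09:00:00", "alice", "wks-12", "fileserver-01", "ssh"),
    ("2024-05-01T09:02:10", "bob",   "wks-07", "build-01",      "rdp"),
    ("2024-05-01T09:03:00", "alice", "wks-12", "db-01",         "ssh"),
    ("2024-05-01T09:04:30", "alice", "wks-12", "db-02",         "ssh"),
    ("2024-05-01T09:05:45", "alice", "wks-12", "jump-01",       "rdp"),
    ("2024-05-01T09:06:10", "alice", "wks-12", "hr-app-01",     "rdp"),
    ("2024-05-01T13:00:00", "bob",   "wks-07", "build-02",      "rdp"),
]

# Remote access services that carry lateral movement in this model.
LATERAL_SERVICES = {"ssh", "rdp"}

def parse(records):
    """Keep only SSH/RDP logins and convert timestamps to datetimes."""
    return [
        (datetime.fromisoformat(ts), user, src, dst, svc)
        for ts, user, src, dst, svc in records
        if svc in LATERAL_SERVICES
    ]

def fan_out_alerts(records, window=timedelta(minutes=10), threshold=4):
    """Return {user: sorted distinct destinations} for every user who reached
    at least `threshold` distinct hosts within any `window`-long time span."""
    by_user = defaultdict(list)
    for ts, user, _src, dst, _svc in sorted(parse(records)):
        by_user[user].append((ts, dst))
    alerts = {}
    for user, events in by_user.items():
        start = 0
        # Sliding window over this user's logins in time order.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {dst for _, dst in events[start:end + 1]}
            if len(hosts) >= threshold:
                alerts[user] = sorted(hosts)
                break
    return alerts

if __name__ == "__main__":
    print(fan_out_alerts(SAMPLE_LOGINS))
```

Tune the window and threshold to the environment: administrators and deployment tools legitimately fan out, so their accounts belong on an allow list or in a separate, higher-threshold rule.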

Taint Shared Content

Attackers may gain access to a shared resource, such as a shared storage location like a cloud storage provider. In these cases, attackers can leverage this access to inject malicious programs, scripts, or exploit code into otherwise legitimate files. When a user opens the infected shared content, the malicious payload executes, giving the adversary access to that user's system and allowing them to move laterally deeper into the network.

For example, in April 2023, Google's Cybersecurity Action Team described a rise in threat actors using Google Drive to deliver malware and exfiltrate data. The report detailed a nation-state attack that delivered an ISO file containing a malicious DLL via Google Drive. Another threat actor stored malware on Google Drive to evade detection and sent phishing emails that contained links to the malicious file. Yet another threat actor used Google Drive as a location to exfiltrate data to.

How Cisco Secure Access Can Help

Lateral movement is a critical component of the cyber kill chain. Properly addressing it requires a combination of threat detection and policy enforcement. One of the challenges organizations face when stopping lateral movement, or cyberattacks in general, is the high number of remote users. In the past, organizations relied on virtual private networks (VPNs) to let remote users access private company resources and browse the Internet with the protection of corporate security controls.

There are several challenges to relying so heavily on VPNs. For one, most companies built their VPN architecture to serve a small minority of users. As remote and hybrid work became commonplace, users stretched the capacity of VPNs, often leading to performance problems. This leads users to disconnect from the VPN where possible just to stay productive, which jeopardizes security.

The other problem is that zero trust access policies on VPNs are difficult, often requiring the management of large and complex access control lists. This has led to a situation where many companies do not segment VPN traffic at all. That means that once an attacker gains access to a corporate VPN, they can move laterally throughout the network with relative ease. Recently, this has been a factor in several high-profile breaches.

Cisco Secure Access was designed to protect remote users, wherever they are and whatever they are accessing, and to secure corporate resources that must now be reachable over the Internet.

This involves placing private apps behind a layer of protection using Zero Trust Network Access (ZTNA). This technology places a security boundary around your applications and, as the name implies, applies zero trust access policies to any user attempting to connect to the protected resource. These policies can range from something as simple as ensuring a user is authenticated with MFA to posture assessments, such as ensuring they are using an up-to-date operating system or a corporate-managed device. It also supports logical group policies, such as ensuring that only engineers can access code repositories or that only sales and support can access customer relationship management solutions.

These policies are applied on a per-user and per-application basis, which creates segmentation between applications. This is critical in stopping lateral movement. Even if an attacker manages to pass authentication and every access policy for one application, their reach is limited to that application alone. They are unable to pivot deeper into the network.
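The per-application policy model described above can be made concrete. The following is an added example written for this post, not Cisco Secure Access code or its policy schema: a hypothetical policy evaluator with constructed applications, groups, and rules that denies by default, so a stolen password without MFA, an unmanaged device, or a user outside the allowed group reaches nothing, and an engineer admitted to the code repository still cannot reach the CRM.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Request:
    """One access attempt: who, from what device posture, to which application."""
    user: str
    groups: frozenset
    mfa: bool              # did this session complete multi-factor authentication?
    managed_device: bool   # is the device corporate-managed?
    os_version: tuple      # e.g. (14, 4); compared as a version tuple
    app: str

@dataclass(frozen=True)
class AppPolicy:
    """Per-application zero trust rules (hypothetical model, not a vendor API)."""
    require_mfa: bool = True
    require_managed_device: bool = False
    min_os_version: tuple = (0,)
    allowed_groups: frozenset = field(default_factory=frozenset)  # empty = any group

# Constructed policy set: every published private app carries its own rules.
POLICIES = {
    "code-repo": AppPolicy(require_managed_device=True, min_os_version=(14, 0),
                           allowed_groups=frozenset({"engineering"})),
    "crm":       AppPolicy(allowed_groups=frozenset({"sales", "support"})),
    "wiki":      AppPolicy(),
}

def evaluate(req, policies=POLICIES):
    """Return (allowed, reason). Apps with no published policy are denied:
    there is no implicit network reach, only explicitly brokered applications."""
    policy = policies.get(req.app)
    if policy is None:
        return False, "no policy published for app"
    if policy.require_mfa and not req.mfa:
        return False, "mfa required"
    if policy.require_managed_device and not req.managed_device:
        return False, "managed device required"
    if req.os_version < policy.min_os_version:
        return False, "os below minimum version"
    if policy.allowed_groups and not (req.groups & policy.allowed_groups):
        return False, "user not in an allowed group"
    return True, "allowed"

if __name__ == "__main__":
    eng = Request("alice", frozenset({"engineering"}), True, True, (14, 4), "code-repo")
    print(evaluate(eng))                                   # allowed
    print(evaluate(Request("alice", frozenset({"engineering"}), True, True, (14, 4), "crm")))
```

The second call in the usage block is the segmentation property in action: the same fully authenticated engineer is denied the CRM because the decision is made per application, not per network.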

ZTNA is not the right choice for every application, which is why Cisco Secure Access also includes an integrated VPN-as-a-service (VPNaaS) for a complete Zero Trust Access solution. This allows organizations to move off physical VPN infrastructure, improving performance for end users and reducing management headaches. It is also fully integrated into Cisco Secure Access' unified policy management, ensuring there is still segmentation and zero trust policy enforcement.

In addition, Secure Access includes an integrated Firewall-as-a-service (FWaaS) with an intrusion prevention system. This protects traffic over non-web protocols and blocks exploitation of vulnerabilities such as the one used by the WannaCry ransomware.

The other part of stopping lateral movement is blocking initial access by protecting users while they browse the Internet. This is achieved by blocking phishing websites, blocking malware, and enforcing data loss prevention policies. This greatly decreases the likelihood that a user's account or machine will become compromised, which can prevent attackers from ever reaching the lateral movement phase of the kill chain.

Cisco Secure Access can deliver all of these outcomes and capabilities by unifying twelve different security technologies into a single, cloud-delivered platform. This is known as a security service edge (SSE) solution. At its core, an SSE solution provides secure access to the Internet, cloud services, and private applications for users, regardless of where they are located. It delivers zero trust access control, threat protection, data protection, and acceptable use policy enforcement for all users and resources. SSE is the security component of the secure access service edge (SASE) architecture, which combines networking and security to streamline operations, enhance security resilience, provide end-to-end protection, and securely connect users to resources.

Cisco Secure Access provides a better experience for end users by simplifying access flows. Users no longer need to worry about managing VPN connections; when they try to access applications, it just works. It also makes IT administration easier, using a single, unified policy management dashboard for all its component parts. Finally, it makes everyone safer by leveraging advanced security capabilities to mitigate risk.

To learn more about Cisco Secure Access, watch the webinar Deep Dive into a Modern Zero Trust Access (ZTA) Architecture.

