A key characteristic of sophisticated, targeted attacks against computer networks is lateralization, better known as lateral movement. While simpler crimes are often committed by infecting individual devices with malware, in more advanced attacks the initial point of infection is just the beginning of the process.
Using this foothold, an attacker will branch out within the organization to compromise other computers, with the ultimate goal of gaining administrative control over the entire network.
Over the past few years a growing body of knowledge has been documented by both attackers and defenders on how to perform lateralization within a Microsoft Windows network. This includes how to start from an initial point of infection with limited privileges and pivot within the network until an account with Domain Admin privileges is obtained. These techniques are used by nation states and penetration testers alike, and more recently have become associated with targeted ransomware campaigns.
In a remarkable talk at last summer’s Black Hat USA 2017 Briefings titled “The Industrial Revolution of Lateral Movement”, Tal Be’ery (an independent security researcher) and Tal Maor (Microsoft) argued that Windows Domain lateralization is about to become a lot more widespread. They pointed out that every step of these attacks (reconnaissance of users, sessions and group memberships, credential theft, and reuse of those credentials against the next host), which was previously performed manually, is now fully automated in publicly available software. All that remains for an attacker to do is chain those pieces together.
Late last year my friend and colleague John Terrill, who is CISO for Fox News and Fox Television Stations, as well as the Chair of the Advisory Board for OPAQ Networks (where I work), predicted that we could see a major Internet worm exploiting these Windows Domain lateralization techniques as one of its propagation methods within the next 12-18 months.
Digging trenches
Preventing Windows Domain lateralization should be a high priority for any IT organization now that these alarms have been sounded. In their presentation, the two Tals provide three valuable recommendations for reducing the attack surface within Windows Domains.
The first is a simple best practice: reduce the number of people who have Domain Admin access, and reduce the frequency with which those accounts are used. Microsoft’s hardening guidance advises that Domain Admin accounts are only needed in build and disaster recovery scenarios, and that there should be no day-to-day user accounts in the Domain Admins group; the fewer hosts a Domain Admin credential ever touches, the fewer places there are for an attacker to steal it from. If only every IT organization operated on this footing!
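A quick way to measure how far an environment is from that footing is to list the effective Domain Admins (nested groups included) and see which of those accounts are actually being used. The following PowerShell script is an added example, not code from the article or from Microsoft’s guidance; it assumes the RSAT ActiveDirectory module on a domain-joined host, and the 30-day window is an arbitrary assumption to tune to local policy.

```powershell
# Added example (not from the article): enumerate Domain Admins, including members
# of nested groups, and flag accounts that are enabled and have logged on recently.
# Assumes the RSAT ActiveDirectory module and a domain-joined host.
Import-Module ActiveDirectory

$DaysConsideredActive = 30            # assumption: tune to local policy
$Cutoff = (Get-Date).AddDays(-$DaysConsideredActive)

# -Recursive expands nested groups, which is where "hidden" admins usually live
$Members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$Report = foreach ($m in $Members) {
    $u = Get-ADUser -Identity $m.distinguishedName -Properties LastLogonDate, Enabled, PasswordLastSet
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        Enabled         = $u.Enabled
        LastLogonDate   = $u.LastLogonDate
        PasswordLastSet = $u.PasswordLastSet
        # An enabled DA account with a recent logon is exactly the day-to-day
        # usage the guidance says should not exist
        UsedDayToDay    = ($u.Enabled -and $u.LastLogonDate -gt $Cutoff)
    }
}

$Report | Sort-Object LastLogonDate -Descending | Format-Table -AutoSize

"Domain Admins: {0} user accounts, {1} enabled, {2} used in the last {3} days" -f `
    @($Report).Count,
    @($Report | Where-Object Enabled).Count,
    @($Report | Where-Object UsedDayToDay).Count,
    $DaysConsideredActive
```

Note that LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which can lag real logons by up to 14 days; it is good enough to find accounts used every week, not to prove an account was never used. Accounts that show up only through nested membership are the ones to question first.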
The second is to limit access to some of the APIs that attackers use to perform the reconnaissance phase of a Domain lateralization attack. Microsoft has released two free PowerShell scripts that help accomplish this. One is called SAMRi10, which tightens the default permissions for remote SAM access (the interface used to enumerate local users and group members over the network) on Windows 10 and Windows Server 2016. The other, called Net Cease, changes the default permissions on Net Session Enumeration (the NetSessionEnum API) so that ordinary authenticated users can no longer ask a host which users have sessions on it, which is how attackers work out where privileged accounts are logged on.
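Both scripts change registry-backed security descriptors, so it is worth being able to read those descriptors back to verify a host before and after hardening. The following read-only audit is an added example, not the article’s code and not the SAMRi10 or Net Cease scripts themselves; it assumes local Administrator rights and a Windows 10 or Server 2016 host, and the registry locations are the ones those scripts document.

```powershell
# Added example (not from the article, SAMRi10 or Net Cease): read-only audit of the
# two settings those scripts change. Assumes local Administrator rights.

function Get-RemoteSamPolicy {
    # SAMRi10 writes an SDDL string to this value; it is the same setting as the GPO
    # "Network access: Restrict clients allowed to make remote calls to SAM".
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $sddl = (Get-ItemProperty -Path $key -Name RestrictRemoteSAM -ErrorAction SilentlyContinue).RestrictRemoteSAM
    if (-not $sddl) { return 'RestrictRemoteSAM not set (OS default applies)' }

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl
    $allowed = foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq 'AccessAllowed') {
            $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
        }
    }
    "RestrictRemoteSAM = $sddl (remote SAM allowed for: $($allowed -join ', '))"
}

function Get-NetSessionEnumPolicy {
    # Net Cease edits this binary security descriptor, which governs who may call
    # NetSessionEnum. Out of the box Authenticated Users (S-1-5-11) is on the DACL,
    # so any domain account can list sessions on any host.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
    $bytes = (Get-ItemProperty -Path $key -Name SrvsvcSessionInfo).SrvsvcSessionInfo
    $sd    = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList ([byte[]]$bytes), 0

    $auAce = $sd.DiscretionaryAcl | Where-Object { $_.SecurityIdentifier.Value -eq 'S-1-5-11' }
    [pscustomobject]@{
        Sddl                      = $sd.GetSddlForm('All')
        AuthenticatedUsersCanEnum = [bool]$auAce     # $true means Net Cease has not been applied
    }
}

Get-RemoteSamPolicy
Get-NetSessionEnumPolicy | Format-List
```

If AuthenticatedUsersCanEnum is still true, tools such as BloodHound can map from any low-privilege account where the Domain Admins are logged on; after Net Cease runs, that call succeeds only for administrators and for the interactive, service and batch logon groups it adds in place of Authenticated Users. Restart the Server service (or reboot) after either script for the change to take effect, and test a management tool that relies on session enumeration before rolling the change out broadly.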
The third recommendation is to reduce the interconnectivity that attackers can exploit within the internal network, using network segmentation and internal enforcement of multi-factor authentication. This not only helps contain the threat of Windows Domain lateralization, it also reduces the risk posed by other threats that spread host to host within the network, such as worms like WannaCry, which propagated over SMB between machines that had no business talking to each other.
For enterprises, implementing internal network segmentation poses a unique set of challenges. The configuration of network switches and VLANs is relatively inflexible and usually driven by the need to provide connectivity rather than security. Organizing machines with different security requirements onto different VLANs can be a chore, and as soon as the work is done, users demand changes. Deploying multi-factor authentication for internal applications and services can also be a daunting project, because each application must be integrated separately.
However, a new approach has emerged called software-defined network segmentation. Also known as microsegmentation, this technology is sometimes deployed within data centers to control east-west traffic. It is also a powerful tool for locking down enterprise workstation environments.
By loading software onto end user workstations that provides software-defined network segmentation capabilities, it is possible to centrally enforce policies that prevent devices from talking to each other. In a typical office, workstations need to reach servers and the Internet but almost never need to reach one another, so a default that blocks workstation-to-workstation traffic removes most of the paths lateral movement depends on. These capabilities can also be used to define granular access segments for users that operate independently of the network’s physical topology, and can be updated easily when business needs change.
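The built-in Windows firewall can enforce the workstation-to-workstation part of such a policy on its own, which makes a useful illustration of the kind of host-enforced, topology-independent rule that software-defined segmentation products push centrally. The following script is an added example and not the article’s code or any vendor’s product; the address ranges are placeholders assumed for illustration, and it should be deployed through Group Policy (or run as Administrator on a test machine) rather than typed on every host.

```powershell
# Added example (not from the article): workstation isolation with Windows Defender
# Firewall. Assumed ranges are placeholders; deploy via GPO or run as Administrator.

$WorkstationNets = @('10.10.0.0/16')          # assumption: where end-user machines live
$ManagementNet   = '10.10.200.0/24'           # assumption: jump hosts, patching, scanners
$LateralPorts    = @(135, 139, 445, 3389, 5985, 5986)   # RPC, NetBIOS, SMB, RDP, WinRM

# 1. Block the ports lateral movement rides on when the source is another workstation.
#    Windows evaluates explicit Block rules before Allow rules, so this overrides
#    the built-in "File and Printer Sharing" and "Remote Desktop" allow rules.
New-NetFirewallRule -DisplayName 'Isolate: block lateral ports from workstations' `
    -Direction Inbound -Action Block -Profile Domain `
    -Protocol TCP -LocalPort $LateralPorts -RemoteAddress $WorkstationNets

# 2. Allow the same ports only from the management network. Because Block wins,
#    the management hosts must live outside the workstation ranges above.
New-NetFirewallRule -DisplayName 'Isolate: allow lateral ports from management net' `
    -Direction Inbound -Action Allow -Profile Domain `
    -Protocol TCP -LocalPort $LateralPorts -RemoteAddress $ManagementNet

# 3. Log dropped packets so a blocked lateral-movement attempt becomes a detection signal.
Set-NetFirewallProfile -Profile Domain -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Verify what was created
Get-NetFirewallRule -DisplayName 'Isolate:*' |
    Format-Table DisplayName, Direction, Action, Enabled -AutoSize
```

The rule ordering point is the one that trips people up: a host firewall cannot express "block everything from this range except these hosts" with a single pair of rules, so management systems have to sit on their own subnet for the allow rule to survive. Shipping the firewall log to the SIEM turns every blocked SMB or WinRM connection from one workstation to another into a high-signal alert, since that traffic should not exist in normal operation.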
Furthermore, software-defined network segmentation can enforce multi-factor authentication for access to any resource or service on the network, without any need to integrate individual applications. This is possible because software-defined network segmentation relies on a central controller that mediates communication within the network and can authenticate the user and device before allowing traffic to flow, so the second factor is checked at the network path rather than inside each application.
The threat of widespread, automated attacks that exploit Windows Domain lateralization is a real and present danger. CSOs and their teams should take steps to harden their internal networks against these attack scenarios using the best practices mentioned above, and consider emerging approaches like software-defined network segmentation.
This article is published as part of the IDG Contributor Network.