It will be rare that an attacker exploits a single system and does not attempt any lateral movement within the network. Even ransomware that typically targets a single system at a time has attempted to spread across the network looking for other victims. More often than not, an attacker will gain an initial foothold and start to pivot across systems looking to gain higher access in search for their ultimate objectives.
There’s good news when it comes to both mitigating and detecting abuse of this specific technique: proper network segmentation makes mitigation in large part possible. Placing critical systems in one subnet, generic users in another, and system administrators in a third is a quick way to help isolate lateral movement in smaller networks. Placing firewalls on both the endpoints and the switch level will also help limit lateral movement. Relying on only endpoint firewalls will be a management nightmare, while relying only on network firewalls will allow pivoting on the same network.
Following CIS Control 14, Controlled Access Based on the Need to Know, is a great starting point when looking for guidance on how to mitigate most of these threats. In addition to that, follow Control 4, Controlled Use of Administrative Privileges, as well. Attackers are after administrator credentials, so tightly controlling how and where they are used will make it more difficult for attackers to steal them. The other portion of this control is logging administrative credential use. Even though administrators are using their credentials on a daily basis, they should fall into routine patterns. Identifying anomalous behavior can be an indication that an attacker is abusing valid credentials.
Beyond monitoring authentication logs, the audit logs are critical, as well. Event ID 4769 on a domain controller will be an indication that a Kerberos golden ticket password has been reset twice, which can be an indication of Pass the Ticket abuse. Or if an attacker is abusing Remote Desktop Protocol, then audit logs will provide information about the attacker’s machine.
This is one of three tactics in the ATT&CK framework which deals heavily on network traffic. It is important to have a solid security architecture for both endpoints as well as network devices. Don’t forget that CIS and DISA have hardening guidelines for network devices. Having an exposed network device can be just as bad as not having any segmentation at all.
Read more about the MITRE ATT&CK Framework here:
- The MITRE ATT&CK Framework: Initial Access
- The MITRE ATT&CK Framework: Execution
- The MITRE ATT&CK Framework: Persistence
- The MITRE ATT&CK Framework: Privilege Escalation
- The MITRE ATT&CK Framework: Defense Evasion
- The MITRE ATT&CK Framework: Credential Access
- The MITRE ATT&CK Framework: Discovery
- The MITRE ATT&CK Framework: Lateral Movement
- The MITRE ATT&CK Framework: Collection
- The MITRE ATT&CK Framework: Exfiltration
- The MITRE ATT&CK Framework: Command and Control