Lateral movement is one of the most consequential types of network activity for which organizations need to be on the lookout. After accessing a network, the attacker maintains ongoing access by essentially stirring through the compromised environment and obtaining increased privileges (known as “escalation of privileges”) using various tools and techniques. Attackers then use those privileges to move deeper into a network in search of treasured data and other value-based assets.
Lateral movement is an important approach that differentiates today’s advanced persistent threats (APTs) from traditional cyberattacks. It’s a sign of threat actors who are sophisticated enough to work towards avoiding detection and retaining access even if their presence is discovered on the machine that it first infected. With this extended dwell time, the threat actor might not begin pilfering data until weeks or even months after the original breach occurred.
Network Knowledge: The Key to Beating Lateral Movement
In order to defend against lateral movement, it’s important to understand what the environment should look like, how it is managed, and how it can be set up for optimal operations.
Having a security baseline that’s tied to critical information security controls is of paramount importance in that effort. Indeed, as hardware, software, and other assets deviate from their secure baselines, these changes become clear indicators of whether something is out of compliance with the baseline’s “golden image.” But, what processes should you use to maintain the configurations? What is the process going to be for ongoing monitoring for change in these devices?
As an example, imagine that your router deviates from its baseline configuration. You need to be able to identify what those changes were in order to figure out if they’re part of suspicious activity. Regardless of whether they’re benign or malicious, you then need to understand how those changes impact the rest of the environment at large and whether, or how, those events impact operational uptime.
Detective-Based Controls to the Rescue
As we put this all together, the need becomes more apparent to have detection-based controls that tie into the operation of the environment. It’s imperative for this detective control to be able to tell us what is going on in our specific environment “in-time.”
Detective controls serve to detect and report undesirable events that are taking place.
The classic example of a detective control can be found in commercial or home burglar alarms (intrusion detection systems). Such solutions typically monitor for indicators of unauthorized activity, such as doors or windows being opened, or glass being broken. They can also watch for suspicious movement, electrical outages, temperature changes, and undesirable environmental conditions such as flooding, smoke, fire, and excessive carbon dioxide in the air.
The Case for “File Integrity Monitoring”
File Integrity Monitoring (FIM) is an internal detective control or process that performs the act of validating operating system and application software by comparing the current state against the known, good baseline.
This comparison method often involves calculating a known cryptographic checksum of the file’s original baseline and comparing that with the calculated checksum of the current state of the file. Other file attributes can also be used to monitor integrity, as well.
Generally, the act of performing file integrity monitoring is automated using internal controls. Such monitoring can be performed randomly, at a defined polling interval, or in real-time. These options provide the organization with an advantage when it comes to detecting attacks and identifying risk.
How It Works
True FIM detects change by first establishing a highly detailed baseline version of each monitored file or configuration in a known and trusted state. Using real-time monitoring, it detects any change that affects any aspect of the file or configuration and captures these in subsequent versions. These versions, in turn, provide critical “before” and “after” views that show exactly who made the change, what changed and more.
Additionally, a true FIM solution applies change intelligence to each modification to determine if it impacts integrity rules, for example. This helps to determine if the change takes a configuration out of policy or if it is the setting that is typically associated with an attack. This is truly important when you are trying to understand what is happening to your environment “in-time.” Remember, lateral movement is what attackers can do through large amounts of “dwell” time on your network as they prepare to escalate privileges and position themselves for all kinds of mischief.
Detecting Change with Detective Controls
By applying detective controls in your environment on critical servers, firewalls, file systems, network devices, database, applications, security infrastructure, Tripwire can effortlessly help companies to be much more focused on detecting change in these systems in a comprehensive way. It can thereby provide an analytical picture that helps to keep risk to a functional and operational level in an organization.
For more information about Tripwire’s approach to FIM, click here.