How to tackle the security challenges of lateral network traffic

When it comes to designing and deploying effective IT security, understandably, most of the focus tends to be on the network perimeter. The assumption is that keeping cybercriminals out reduces the risk of disruption and data loss.

However, this approach overlooks an important fact – attackers use many tools and methods to evade perimeter defenses and infiltrate the network, and once inside, they can remain hidden for months. One of the most popular cybercriminal tactics to find targets and spread throughout the network while staying undetected is east/west (or lateral) movement. Lateral movement occurs when traffic originates from one internal host or network segment, destined for another internal host or network segment.

It’s reached the stage where ensuring good threat detection for lateral network traffic has never been more critical for organisations. The ability to move undetected through the network is vital for successful attacks. Detecting that movement is increasingly essential as sophisticated ransomware gains traction and sees increased usage.

Organisations can choose from a range of methods based upon signatures, database look up and pattern matching to address the challenge of detecting malicious lateral network traffic. There are pro’s to each method. However,  each has limitations that ultimately, which constrain their effectiveness. These methods include:

  • Logging at the endpoint to detect lateral movement:
    With this approach, organisations use technology such as security information and event management (SIEM) logging to aggregate and monitor endpoint logs for network communications to look for suspicious behaviour that might indicate a security incident.

    These capabilities exist in all modern operating systems, making them readily available; however, log data storage and analysis can be a big challenge.

  • Monitoring agents at every endpoint to detect lateral movement:
    This approach involves deploying agents, such as endpoint detection and response (EDR) tools, that can log network connections and look for suspicious communications. Many EDR products have this function, and using behavioural detection provides insights that include forensics.

    However, as with logging at the endpoint, storage and analytics at scale is a challenge. Companies need to install agents at every endpoint. While EDR agents work well for real-time detection, managing the large and growing volume of alerts generated can be overwhelming for cybersecurity teams.

  • Deploying NetFlow collection at core routers and switches:
    NetFlow, a network protocol developed by Cisco, analyses network traffic flow and volume to determine where the traffic originates, where it’s going, and how much the networked devices are generating. It’s become a de facto industry standard and built into most core routers and switches.

    However, NetFlow is known to affect the performance of the devices on which it is enabled, such as routers and switches, which can have a detrimental impact on network performance.

  • Implementing a dedicated monitoring network:
    Using this method, organisations aggregate network traffic to one location via tap-and-span ports or inline proxies and monitor the traffic, which provides a dedicated function for continuous visibility of overall performance.

    The downside, however, is that scaling this method is problematic. Increasing internal bandwidth can quickly overwhelm the aggregator, causing loss of monitoring or dropped packets.

  • Using an internal intrusion detection and prevention system (IDPS):
    IDPS is a network security tool that monitors network and system activities and detects possible intrusions. Many organisations are already doing this and can use decommissioned systems or Linux systems for simple IDPS functions.

    However, signature-based detection can miss threats. Organisations can also have detection gaps when there are not sufficient sensors to provide the required visibility.

Looking for something more efficient? There is a different way.

A more effective method for detecting lateral movement and privilege escalation is achieved by detecting based on techniques vs hashes or signatures. Organisations can achieve this by deploying deception and concealment technologies, which confuses and misdirects attackers as they attempt to move laterally from and endpoint while hiding sensitive or critical assets from exploitation.

Deception and data concealment technologies are an emerging category of cybersecurity, with products that can prevent, detect, analyse, and defend against advanced attacks by hiding and denying access to data. Deception uses intentional misdirections to lead attackers away from production assets. It takes a proactive approach to security by aiming to deceive attackers, control their path, deny them access to essential data, and defeat them.

These tools can identify threats beginning at the endpoint, targeting Active Directory, and throughout the network. Decoys detect suspicious or malicious connection attempts from another internal host. Local deception and concealment functions can identify inbound or outbound connection attempts to non-existent ports and services as suspicious or malicious.

Unfortunately, misperception may be the biggest challenge for this new approach. There remains a limiting association with legacy honeypots, and some believe it is only for organisations with mature security operations. However, by taking time to understand the effectiveness and benefits of a deception and concealment security strategy, organisations can achieve efficient lateral movement detection and be able to answer the challenging question of “How do you know what’s lurking in our network?”.

The recent SolarWinds attack has been a significant wake up call for most organizations, that despite diligence in defenses, even the most trusted security actions like patching cannot be trusted. Consider deception as your eyes inside the network and as a critical control in the security stack for securing application and data trust and detecting lateral movement effectively within your organisation.

Jim Cook
Jim Cook is ANZ Regional Director at Attivo Networks, an award-wining leader in cyber deception and attacker lateral movement threat detection. Cook has more than 20 years’ experience in the IT industry in both Australia and the UK and was previously ANZ Regional Director at Malwarebytes. Prior, he was Country Manager at Fortinet and also worked at Check Point Software Technologies for nine years in several sales positions.