The Techniques Attackers Use and Best Practices for Defending Your Organization
An attacker who gets into your network is seldom content with their initial foothold. To achieve their ultimate objective, whether that’s stealing sensitive information or planting malware, they need to leverage the account they have compromised to move laterally through your environment and escalate their privileges until they gain access to more data or resources.
In other words, the account or system that an attacker initially compromises is just a jumping-off point for them to spread out. The lifecycle of an attack can be weeks, months or even years as the attacker moves throughout the environment and establishes their presence. To defend your organization, it’s critical to understand the techniques involved.
Lateral movement is when an attacker leverages their current access rights to navigate around your environment. Privilege escalation is gaining increased access permissions. Attackers combine these two tactics to achieve their ultimate goal of stealing data or doing other damage to your organization.
Typically, when an attacker enters your environment, they begin to do reconnaissance in order to understand what resources they have access to and what accounts they may be able to compromise next. As they discover avenues to escalate their privileges, they gain access to even more data and resources. By repeating this cycle, they strive to eventually gain access to your most valuable data or systems.
Here are three of the most common techniques that attackers use to move laterally and escalate their privileges:
One of the most notable breaches in recent history is the Marriott data breach from 2018. While the complete details were never publicly revealed, Mimikatz was found on their systems. Mimikatz is a popular tool for harvesting credentials and reusing them in pass-the-hash attacks, so it’s reasonable to assume that once the attacker gained a foothold in the environment, they leveraged Mimikatz to move laterally and escalate their privileges using the credentials they gathered with the tool.
This is just one example of an attacker moving laterally and escalating their privileges to reach their goal; you can easily find many others in the news.
How can you combat these tactics attackers use to compromise your environment? Here are three of the top strategies to implement:
More often than not, attackers gain access to the IT environment through some type of social engineering, in which they manipulate a legitimate user into providing their credentials. To reduce your risk, regularly train your employees on how to detect and report social engineering attacks. Also, invest in tools like spam filtering to keep phishing messages from reaching your users in the first place.
Attackers often get into your environment and escalate their permissions through weak passwords or credentials they steal using techniques like password spraying attacks. Training users on good password hygiene and best practices, and enforcing your policies, is important for keeping credentials secure. In addition, look for tools that can enforce more secure password policies than native Active Directory, identify weak or compromised passwords and enable you to implement controls like multi-factor authentication (MFA).
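As an added defender-side example that is not part of the original post, the following code shows how the password-spraying pattern mentioned above can be detected in failed-logon records: one source trying a few guesses each against many accounts, as opposed to many guesses against one account. The log lines are constructed in a simplified Windows Event ID 4625 shape, and the field names, thresholds and window size are assumptions to tune for your own environment.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified Windows Event ID 4625 (failed logon) shape.
# 10.0.0.7 guesses once against six accounts in two minutes (spray pattern);
# 10.0.0.22 fails four times against one account (brute force, not a spray).
SAMPLE_LOG = """\
2024-01-15T09:00:01 EventID=4625 SourceIP=10.0.0.7 TargetUser=alice
2024-01-15T09:00:14 EventID=4625 SourceIP=10.0.0.7 TargetUser=bob
2024-01-15T09:00:29 EventID=4625 SourceIP=10.0.0.7 TargetUser=carol
2024-01-15T09:00:45 EventID=4625 SourceIP=10.0.0.7 TargetUser=dave
2024-01-15T09:01:02 EventID=4625 SourceIP=10.0.0.7 TargetUser=erin
2024-01-15T09:01:20 EventID=4625 SourceIP=10.0.0.7 TargetUser=frank
2024-01-15T09:05:00 EventID=4625 SourceIP=10.0.0.22 TargetUser=svc_backup
2024-01-15T09:05:01 EventID=4625 SourceIP=10.0.0.22 TargetUser=svc_backup
2024-01-15T09:05:02 EventID=4625 SourceIP=10.0.0.22 TargetUser=svc_backup
2024-01-15T09:05:03 EventID=4625 SourceIP=10.0.0.22 TargetUser=svc_backup
"""

def parse_failed_logons(text):
    """Return sorted (timestamp, source_ip, user) tuples; non-4625 lines are ignored."""
    events = []
    for line in text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if fields.get("EventID") == "4625":
            ts = datetime.fromisoformat(line.split()[0])
            events.append((ts, fields["SourceIP"], fields["TargetUser"]))
    return sorted(events)

def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """Flag a source that, within any `window`, fails logons against at least
    `min_accounts` distinct accounts with no more than `max_per_account` tries
    each. Few guesses per account spread over many accounts is the spraying
    signature (it stays under lockout thresholds); many tries on one account
    is brute force and is deliberately not reported here."""
    by_source = defaultdict(list)
    for ts, src, user in events:
        by_source[src].append((ts, user))
    flagged = {}
    for src, attempts in by_source.items():
        for i, (start, _) in enumerate(attempts):
            counts = Counter(u for ts, u in attempts[i:] if ts - start <= window)
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                flagged[src] = sorted(counts)  # accounts targeted in the window
                break
    return flagged
```

Running `detect_password_spray(parse_failed_logons(SAMPLE_LOG))` reports only 10.0.0.7 with the six accounts it touched; a separate lockout or brute-force rule would be needed to surface the 10.0.0.22 activity.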
One of the key ways attackers attain their ultimate goals is by compromising admin or service accounts, which give them far more access across the environment than user accounts. Implementing a good privileged access management (PAM) strategy is essential to protecting these powerful accounts from being compromised and monitoring how they are being used. PAM tools today come in all shapes and sizes, but keep in mind that you don’t have to settle for one that simply provides a vault for privileged accounts. A more modern approach is to eliminate standing privileged accounts altogether and instead grant admins the elevated rights they need for only as long as they need them to complete a particular task; this significantly reduces risk by reducing your attack surface area.
Finally, it’s essential to apply updates and patches as they become available. Keeping all your devices and applications up to date is critical to ensuring an attacker isn’t able to exploit a known vulnerability to gain a foothold in your environment, move laterally or escalate their privileges.
Kevin Joyce is a Senior Technical Product Manager at Stealthbits – now part of Netwrix. He is responsible for building and delivering on the roadmap of Stealthbits products and solutions.
Kevin is passionate about cyber-security and holds a Bachelor of Science degree in Digital Forensics from Bloomsburg University of Pennsylvania.