<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p>After a few tumultuous weeks filled with ransomware news – from companies such as <a href="https://www.vox.com/recode/22428774/ransomeware-pipeline-colonial-darkside-gas-prices" rel="noreferrer" target="_blank">Colonial Pipeline</a> and <a href="https://www.cnbc.com/2021/06/09/jbs-paid-11-million-in-response-to-ransomware-attack-.html" rel="noreferrer" target="_blank">JBS</a> being hit, to the <a href="https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/" rel="noreferrer" target="_blank">U.S. White House releasing a memo</a> that explicitly calls out the power of segmentation against such attacks – it is vividly clear that ransomware is now on everyone’s radar: the government, the companies trying to protect themselves, and the threat actors themselves, who keep looking for new ways to compromise networks for profit. We at Guardicore agree with the White House memo and believe that <b>segmentation</b> is one of the best weapons a defender has today against ransomware attacks.</p> </div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p>Unlike EPP/EDR platforms, which depend on the implementation of detection logic, a properly configured segmentation policy is as binary as it gets: a packet either goes on the wire or it doesn’t. The incidents of the last few months have bolstered our belief in the importance of segmentation and in making it accessible and easy to implement for every organization, big and small. In this post, a follow-up to <a href="https://www.guardicore.com/blog/stopping-ransomware-with-segmentation/" rel="noreferrer" target="_blank">our previous post</a>, we take a more technical approach and detail the best steps you can take to improve your segmentation knowledge and approach, and to protect against lateral movement in ransomware attacks.</p> </div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p>As discussed in our previous blog post, lateral movement is a critical stage of an attack in which the threat actors move between machines and servers, using various tools and authenticating with different credentials in order to gain a deeper foothold in the victim’s network and to move from computer to computer. Mitigating the risk of lateral movement has long troubled security professionals because it is so hard to do, and it has yielded multiple techniques and approaches; but when it comes to reducing your organization’s attack surface, the best method is, without a doubt, segmentation.</p> </div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p>In this post, we will go over different lateral movement techniques used by ransomware operators and demonstrate how Guardicore’s approach to segmentation can significantly reduce, if not completely eliminate, the risk of lateral movement in your organization.</p> </div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<h2>Tools of the trade</h2> </div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p>In order to propagate in a network, attackers must have a few things:</p><ul><li>Knowledge of the network’s structure.</li><li>Sufficient credentials.</li><li>A way to launch processes remotely.</li><li>A “staging area” from which data will be exfiltrated.</li></ul> </div>
</div>
</div>
<div>
<div>
<div>
<img alt="" height="207" src="https://www.guardicore.com/wp-content/uploads/pasted-image-0-7-1024x265.png" width="800" /> </div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<h2>Knowledge of the network’s structure</h2> </div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p>Once an attacker compromises a machine in a network, they will have to understand what is “within the reach” of the compromised machine, meaning, which other computers are accessible to/from that machine. This can be achieved by using various network scanning techniques and tools, from anything basic such as an nmap TCP scan to more advanced methods such as SMB share scanning and mapping.</p> </div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p>Guardicore Centra has methods to detect and alert on such activities:</p><ul><li><b>Scan Tool Detection – </b>Centra identifies common network scanning tools (such as nmap) based on the executable itself, and raises corresponding security incident alerts inside the system.</li><li><b>Scan Behavioral Detection </b>– Network scans connect to many addresses over many ports (usually unsuccessfully, as most are closed or down) within a short period of time, which creates a pattern our systems detect. Indeed, Centra has a dedicated incident type, called Network Scan Incidents, that shows exactly that. Moreover, Centra can differentiate between wide network scans and host port scans, based on the number of ports and machines that participate in the scan.</li></ul> </div>
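<p>As an added example (not Guardicore’s or Centra’s code), the behavioral rule from the second bullet, run over constructed connection records: one source touching many addresses or ports in a short window with mostly failed attempts, and the distinct-host versus distinct-port counts telling a wide network scan apart from a single-host port scan. The window size and thresholds are assumptions for the example.</p>

```python
"""Behavioural scan detection over connection records (added example, not Centra's code).

Attempts are grouped per source into fixed 60-second windows; a window with many
mostly-failed attempts is a scan. Many distinct destination hosts means a wide
network scan, one host with many distinct ports means a host port scan.
Thresholds are assumptions for the example, not Guardicore's.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # bucket size for grouping attempts per source
MIN_ATTEMPTS = 10                # windows with fewer attempts are ignored
MIN_FAIL_RATIO = 0.7             # scans mostly hit closed ports or absent hosts
MIN_HOSTS = 8                    # distinct destinations for a "network scan"
MIN_PORTS = 8                    # distinct ports on one host for a "port scan"


@dataclass(frozen=True)
class Conn:
    ts: datetime
    src: str
    dst: str
    dport: int
    ok: bool


def parse_line(line: str) -> Conn:
    """Parse 'timestamp src dst dport ok|failed' (the constructed record format)."""
    ts, src, dst, dport, outcome = line.split()
    return Conn(datetime.fromisoformat(ts), src, dst, int(dport), outcome == "ok")


def detect_scans(conns):
    """Return (src, kind, distinct_hosts, distinct_ports, fail_ratio) per incident."""
    epoch = datetime(1970, 1, 1)
    buckets = defaultdict(list)
    for c in conns:
        buckets[(c.src, int((c.ts - epoch) / WINDOW))].append(c)
    incidents = []
    for (src, _), evs in sorted(buckets.items()):
        if len(evs) < MIN_ATTEMPTS:
            continue
        fail_ratio = sum(not e.ok for e in evs) / len(evs)
        if fail_ratio < MIN_FAIL_RATIO:
            continue
        hosts = {e.dst for e in evs}
        ports = {e.dport for e in evs}
        if len(hosts) >= MIN_HOSTS:
            kind = "network scan"
        elif len(hosts) == 1 and len(ports) >= MIN_PORTS:
            kind = "port scan"
        else:
            continue
        incidents.append((src, kind, len(hosts), len(ports), round(fail_ratio, 2)))
    return incidents


def build_sample_log():
    """Constructed records, not real traffic: an SMB sweep of a /24, a port scan
    of one server, and a workstation making a few ordinary successful connects."""
    t0 = "2021-06-10T09:00:"
    lines = []
    for i in range(12):   # 10.0.1.15 tries port 445 on twelve hosts; only one is up
        lines.append(f"{t0}{i:02d} 10.0.1.15 10.0.2.{i + 1} 445 {'ok' if i == 4 else 'failed'}")
    probe = [21, 22, 23, 80, 135, 139, 443, 445, 1433, 3389, 5985, 8080]
    for i, port in enumerate(probe):   # 10.0.1.20 probes twelve ports on one server
        state = "ok" if port in (445, 3389) else "failed"
        lines.append(f"{t0}{20 + i:02d} 10.0.1.20 10.0.3.5 {port} {state}")
    for i, (dst, port) in enumerate([("10.0.3.5", 445), ("10.0.3.6", 443), ("10.0.3.7", 443)]):
        lines.append(f"{t0}{40 + i:02d} 10.0.1.30 {dst} {port} ok")   # benign traffic
    return lines


if __name__ == "__main__":
    for incident in detect_scans([parse_line(l) for l in build_sample_log()]):
        print(incident)
```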
</div>
</div>
<div>
<div>
<div>
<img alt="" height="406" src="https://www.guardicore.com/wp-content/uploads/pasted-image-0-3-4-1024x520.png" width="800" /> Network scan for incidents
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p><i>In addition, Guardicore’s Threat Hunting service – </i><b><i>Guardicore Hunt</i></b><i>, can also detect those events by analyzing the neighbors of each machine in the network. By continuously monitoring the network, our system can detect anomalies and spikes in the neighboring and connecting machines, which is what happens in network scans.</i></p> </div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<img alt="" height="320" src="https://www.guardicore.com/wp-content/uploads/pasted-image-0-4-4-1024x410.png" width="800" /> Visual network scan for incidents in Guardicore Hunt
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p>Guardicore can not only help detect such events, but can also help in mitigating and preventing them. To make sure that an attacker cannot scan and move laterally across machines, it is important to adopt a Zero Trust approach by which a computer can and should only be able to connect to servers/computers which are necessary.</p> </div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<h2>Recommendations</h2> </div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<ul><li>Segmentation and separation between applications and sections inside the network are the immediate way to reduce the attack surface, especially between workstations.<ul><li>For example, there is no reason for someone from finance to need direct access to the computer of someone from R&D. There are always communication channels that should be allowed (email, Slack, Zoom etc.), but direct computer-to-computer access should be discouraged and controlled. Exceptions can be made on a case-by-case basis, but not across the board.</li><li>The same can be said for servers and applications even inside the same section (i.e. microsegmentation). Not everyone needs to access each and every server, and the access ports and protocols can and should be controlled. This way, you restrict access to only a handful of approved protocols, and they usually won’t be those that attackers use to move around.</li><li>To relate this to real life, according to <a href="https://www.varonis.com/blog/darkside-ransomware/" rel="noreferrer" target="_blank">this</a> report by Varonis, Darkside ransomware operators use RDP to move around the network. <b>Segmenting and microsegmenting RDP access to only key users and machines should greatly impair their ability to move around</b>.</li></ul></li><li>Powerful and privileged users (i.e. Domain Admins) should be contained and restricted in their usage. An attacker who gets hold of one can wreak havoc in the network, so restricting those users to operate from dedicated machines should minimize the damage an attacker can do if they obtain them.</li><li>Direction should also be considered: while user workstations need to access most servers, the opposite isn’t true. Except for IT/monitoring servers and Domain Controllers, most servers “serve”, and blocking the outgoing route from them shouldn’t hinder network operability while limiting the attackers’ playing field.</li><li>Block all unnecessary SMB and RPC connections to and from relevant assets.</li><li>Secure network shares as much as possible – make sure that permissions are set correctly between different shares.</li></ul> </div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p>Looking at this excerpt from this <a href="https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/" rel="noreferrer" target="_blank">great report by thedfirreport.com</a>, we can see that one of the first actions performed by REvil when breaching a network is basic network reconnaissance using tools that are built into Windows:</p> </div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<img alt="" height="277" src="https://www.guardicore.com/wp-content/uploads/pasted-image-0-5-1-1024x354.png" width="800" /> Excerpt from https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p>Many of these commands, such as <i>net.exe</i> and <i>wmic</i>, give the attacker the ability to see whether any security tools (such as an antivirus) are installed, to inspect the trust relationships between the various machines and servers on the network, and to learn which other machines are accessible via SMB from the attacked machine – <b>a proper segmentation policy will prevent an attacker from gaining any insight into your network from a very early stage of the attack</b>.</p> </div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<h2>Sufficient credentials</h2>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p>When an attacker wants to move laterally across a network, they must have either a highly privileged user such as a <i>domain administrator</i> or, alternatively, a regularly-privileged user with sufficient permissions to the right places.</p><p>Attackers often use credential manipulation tools such as <i>Mimikatz</i> to export and steal credentials. These tools don’t discriminate between authentication methods, be it NTLM, Kerberos, OAuth, etc.</p> </div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p>Nothing hurts lateral movement more than implementing a proper segmentation policy and two-factor authentication where possible. An attacker’s “blast radius” is only as big as the attack surface that you provide them with – minimizing that attack surface with segmentation will have a direct effect on your chances of successfully mitigating serious risk to your network.</p> </div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p><img alt="⚠" src="https://s.w.org/images/core/emoji/13.0.1/72x72/26a0.png" style="height: 1em;" /> <b>Note: Ransomware attackers such as </b><b>REvil</b><b> are relying heavily on </b><a href="https://attack.mitre.org/techniques/T1003/" rel="noreferrer" target="_blank"><b>dumping credentials</b></a><b> and using them to move laterally across the network. Please make sure to read our recommendations below regarding proper credential hygiene.</b></p> </div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<h2>Recommendations</h2> </div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<ul><li>Implement 2FA where possible – this makes the task of lateral movement significantly harder.</li><li><b>Make sure that no user on the network has more access than they need to have.</b></li><li><b>IT staff should never use their privileged account for day-to-day work:</b><ul><li><b>IT staff should have their own regular low-privileged users for day-to-day work and should only use high-privileged accounts when necessary for IT work.</b></li></ul></li><li>User log-on times and work hours can be monitored and enforced. <br />Attackers may try to avoid the risk of interfering with an active user, which would raise flags that something is wrong. Instead, they might bide their time and perform some operations when the network is quiet and reaction times are longer. Monitoring or restricting logon times makes it harder for attackers to operate undetected and increases their friction points with the network. This can be done through configuration or analytically.<ul><li>Windows allows setting logon times for each domain user. It is also possible to log out or lock users outside of their allowed period through Group Policy.</li><li>There are services and applications that can monitor logon times for users over time and alert on users that operate outside the norm. Guardicore Hunt (Guardicore’s Threat Hunting service) includes a method for alerting on such behavior.</li></ul></li></ul> </div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<h2>A way to launch processes remotely</h2>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p>Once an attacker has managed to compromise the victim’s credentials and gain access to multiple machines, it is time to use this access to launch processes, such as a ransomware or malware payload, on the compromised machines. This can be achieved in multiple ways, the most popular being <i>psexec</i>, various <i>wmi</i> techniques, <i>winrm</i>, etc.</p> </div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p>Some of the tools used for these tasks, such as <i>psexec</i>, were actually developed by Microsoft as advanced IT administration tools and are often misused by attackers for nefarious purposes. These tools are usually built on one of Windows’ remoting mechanisms (such as the aforementioned protocols), which is why it is often challenging to block these tools and/or protocols: in many organizations the IT staff leverage such tools to “keep the lights on” and to administer the machines in the organization.</p> </div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<h4>Recommendations:</h4> </div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<ul><li>It is important to apply a segmentation policy that only allows a very specific and minimal subset of users and machines to leverage these management applications, thus significantly reducing the chance of an attacker successfully using these tools for their own purpose – <b>see the previous section about scanning</b>.</li><li>Monitor machines for processes that are running under a different user than the one who is already logged in, or, additionally, processes that are running under a user with administrative privileges.</li></ul> </div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<h2>A “staging area” from which data will be exfiltrated</h2> </div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p>In some cases, once attackers find the files they are after, they will have one central place where they would copy said files prior to their exfiltration – this could be a specific directory on one of the compromised machines. This usually happens since attackers might be moving laterally from machine to machine and need to have all the files in one place before exfiltrating them. There are many ways to exfiltrate files:</p><ul><li>Files could be exfiltrated manually, one by one, simply by copying them and pasting them outside an RDP session (if the attackers are indeed using RDP).</li><li>Files could be uploaded to a cloud hosting provider such as dropbox/Google drive/Mega.</li><li>Files could be uploaded to an attacker controlled FTP site.</li></ul> </div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p>However, it is important to remember that this isn’t always the case and attackers could exfiltrate the files individually and not from one central place – this depends on the attacker’s approach and tools.</p> </div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p><b>Note:</b> In many cases, attackers add an additional step before exfiltrating the files: compression. When the attackers wish to exfiltrate a large number of files outside of the organization, they put all the files in one directory and compress them, both to reduce the number of files being exfiltrated to one single archive and to keep the size of the exfiltrated data low thanks to the file compression.</p> </div>
</div>
</div>
<div>
<div>
<h4>Recommendations:</h4> </div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<ul><li>Prevent machines from connecting to file-sharing websites/services unless necessary.</li><li>Unless it is necessary, prevent the installation and communication of file-sharing services clients (such as the Google Drive/Dropbox file sync agent) from contacting their servers.</li><li>Disable Admin$ and C$ file shares.</li></ul> </div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p>Properly segmenting SMB and disabling the aforementioned shares is a critical step, since attackers such as <b>REvil</b> often use these shares to transfer tools and malware between machines, as can be seen in this excerpt from the <a href="https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/" rel="noreferrer" target="_blank">same report from thedfirreport.com</a>:</p> </div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<img alt="" height="564" src="https://www.guardicore.com/wp-content/uploads/pasted-image-0-6-1.png" width="796" /> Excerpt from https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p>Note the use of the ADMIN$ SMB share: these are hidden network shares that are only accessible with the proper administrative credentials. <a href="https://attack.mitre.org/techniques/T1021/002/" rel="noreferrer" target="_blank">You can read more about these shares on the MITRE ATT&CK framework website</a>.</p> </div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<h2>Reducing the Attack Surface</h2> </div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p>All of the activities described above, which attackers use on their journey to compromise the network, can be considerably mitigated and prevented, and their damage scope reduced, by using segmentation and by monitoring and enforcing user activity. Below, we list our general recommendations for such mitigation measures:</p> </div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<h3>Segmentation</h3> </div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<ul><li>Create segmentation and separation between different applications and sections inside the network, especially between workstations.<ul><li>For example, there is no reason for someone from finance to need direct access to a computer belonging to someone in R&D. There are always communication channels that should be allowed (email, Slack, Zoom etc.), but direct computer-to-computer access should be discouraged and controlled. Exceptions can be made on a case-by-case basis, but not across the board.</li><li>The same can be said for servers and applications even inside the same section (i.e. microsegmentation). Not everyone needs to access each and every server, and the access ports and protocols can and should be controlled. This way, you restrict access to only a handful of approved protocols, and they usually won’t be those that attackers use to move around.</li></ul></li><li>Direction should also be considered: while user workstations need to access most servers, the opposite isn’t true. Except for IT/monitoring servers and Domain Controllers, most servers “serve”, and blocking the outgoing route from them shouldn’t hinder network operability while limiting the attackers’ playing field.</li><li>Use Zero Trust principles when building the network policy.<ul><li>Make sure that no user on the network has more access than they need to have, whether to different servers (identity-based segmentation) or to resources (identity-based ACLs).</li></ul></li><li>Remote management protocols and applications should only be allowed from a very specific and minimal subset of users and machines, thus limiting who can leverage these management applications and significantly reducing the chance that an attacker can successfully use these tools for their own purpose.</li><li>Prevent machines from connecting to file-sharing websites/services unless necessary, so attackers will have a harder time transferring files through them.</li></ul> </div>
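<p>The segmentation recommendations above (both in the scanning section and in this summary), modelled as an added example that is not Guardicore’s or Centra’s code: a default-deny, label-based policy evaluated first-match, so that a flow is either allowed by an explicit rule or does not go on the wire. Asset names, roles and the port choices are assumptions for the example.</p>

```python
"""Default-deny segmentation policy model (added example, not Guardicore's code).

Assets carry labels (role, dept); rules match on labels and ports, first match
wins, and anything unmatched is denied. The policy encodes the recommendations:
no workstation-to-workstation traffic, only approved ports from workstations to
servers, RDP/WinRM only from jump hosts, no outbound from servers except for
monitoring and domain-controller traffic. Names and ports are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    role: str        # workstation, file-server, app-server, dc, jump-host, monitoring
    dept: str = ""   # finance, rnd, it ...


@dataclass
class Rule:
    name: str
    src: dict          # label constraints on the source; {} matches any asset
    dst: dict          # label constraints on the destination
    ports: frozenset   # allowed destination ports; empty means any port
    action: str        # "allow" or "deny"


def matches(asset: Asset, constraints: dict) -> bool:
    """A constraint value is one label or a set of acceptable labels."""
    for key, want in constraints.items():
        have = getattr(asset, key)
        ok = have in want if isinstance(want, (set, frozenset)) else have == want
        if not ok:
            return False
    return True


def evaluate(policy, src: Asset, dst: Asset, port: int):
    """First matching rule decides; with no match the packet does not go on the wire."""
    for rule in policy:
        if matches(src, rule.src) and matches(dst, rule.dst) and (not rule.ports or port in rule.ports):
            return rule.action, rule.name
    return "deny", "default-deny"


SERVERS = {"file-server", "app-server", "dc"}
POLICY = [
    Rule("dc-core", {}, {"role": "dc"}, frozenset({53, 88, 389}), "allow"),
    Rule("mgmt-from-jump-only", {"role": "jump-host"}, {"role": SERVERS}, frozenset({3389, 5985}), "allow"),
    Rule("monitoring-out", {"role": "monitoring"}, {"role": SERVERS}, frozenset(), "allow"),
    Rule("ws-to-file-server", {"role": "workstation"}, {"role": "file-server"}, frozenset({445}), "allow"),
    Rule("ws-to-apps", {"role": "workstation"}, {"role": "app-server"}, frozenset({443}), "allow"),
]   # anything else, including workstation<->workstation and server->workstation, is denied

# Constructed inventory for the example
ASSETS = {a.name: a for a in [
    Asset("fin-ws-01", "workstation", "finance"),
    Asset("rnd-ws-07", "workstation", "rnd"),
    Asset("files01", "file-server"),
    Asset("app01", "app-server"),
    Asset("dc01", "dc"),
    Asset("jump01", "jump-host", "it"),
    Asset("mon01", "monitoring", "it"),
]}


def check_flows(flows):
    """flows: iterable of (src_name, dst_name, port) -> [(flow, action, rule_name)]."""
    return [(f, *evaluate(POLICY, ASSETS[f[0]], ASSETS[f[1]], f[2])) for f in flows]


if __name__ == "__main__":
    sample = [("fin-ws-01", "rnd-ws-07", 445), ("fin-ws-01", "files01", 445),
              ("fin-ws-01", "app01", 3389), ("jump01", "app01", 3389),
              ("app01", "fin-ws-01", 445), ("mon01", "app01", 5985)]
    for flow, action, rule in check_flows(sample):
        print(f"{flow[0]:>10} -> {flow[1]:<10} :{flow[2]:<5} {action:5} ({rule})")
```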
</div>
</div>
<div>
<div>
<h3>User Activity Monitoring</h3> </div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p>As we mentioned earlier, the aspect of highly privileged users </p><ul><li>Powerful and privileged users (i.e. Domain Admins) should be contained and restricted in their usage. An attacker who gets hold of one can wreak havoc in the network, so restricting those users to operate from dedicated machines should minimize the damage an attacker can do if they obtain them.<ul><li>To that effect, IT staff should never use their privileged account for day-to-day work – they should have their own regular low-privileged users for day-to-day work and should only use high-privileged accounts when necessary for IT work.</li></ul></li><li>User log-on times and work hours can be monitored and enforced. <br />Attackers may try to avoid the risk of interfering with an active user, which would raise flags that something is wrong. Instead, they might bide their time and perform some operations when the network is quiet and reaction times are longer. Monitoring or restricting log-on times makes it harder for attackers to operate undetected and increases their friction points with the network. This can be done through configuration or analytically.<ul><li>Windows allows setting logon times for each domain user. It is also possible to log out or lock users outside of their allowed period through Group Policy.</li><li>There are services and applications that can monitor logon times for users over time and alert on users that operate outside the norm. Guardicore Hunt (Guardicore’s Threat Hunting service) includes a method for alerting on such behavior.</li></ul></li><li>To try and detect lateral movement and compromised users, monitor machines for processes that are running under a different user than the one who is already logged in, or, additionally, processes that are running under a user with administrative privileges when they shouldn’t.</li></ul> </div>
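<p>The user-activity checks recommended above and in the credentials section, as an added example that is not Guardicore’s or Guardicore Hunt’s code: a configured logon-hours check, an analytic check against each user’s own logon-hour history, and a process-owner check against the host’s interactive session. All user, host and account names and the event data are constructed for the example.</p>

```python
"""User-activity checks for the recommendations above (added example, not Guardicore's).

Three checks: a logon outside the user's configured hours or on a weekend
(Windows logon-hours style), a logon at an hour never seen in that user's own
history (a simple analytic baseline), and a process running as someone other
than the host's interactive session owner or as a privileged account on a
machine that is not a dedicated admin workstation. All data is constructed.
"""
from collections import defaultdict
from datetime import datetime

ALLOWED_HOURS = {"alice": (7, 19), "admin-bob": (8, 18)}   # (start, end) on weekdays
ADMIN_ACCOUNTS = {"admin-bob"}
ADMIN_WORKSTATIONS = {"PAW-01"}                           # dedicated privileged machines
SYSTEM_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
SESSIONS = {"WS-FIN-01": "alice", "SRV-APP-01": "svc-app", "PAW-01": "admin-bob"}


def configured_violations(logons):
    """logons: (ts, user, host). Flags weekend logons and logons outside the window."""
    out = []
    for ts, user, host in logons:
        start, end = ALLOWED_HOURS.get(user, (0, 24))
        if ts.weekday() >= 5 or not start <= ts.hour < end:
            out.append((user, host, ts.isoformat(), "outside configured hours"))
    return out


def baseline_hours(history):
    """Hours of day at which each user has previously logged on."""
    seen = defaultdict(set)
    for ts, user, _ in history:
        seen[user].add(ts.hour)
    return seen


def analytic_outliers(history, logons):
    """Flags logons at an hour the user has never logged on at before; users
    with no history are skipped rather than guessed about."""
    base = baseline_hours(history)
    return [(user, host, ts.isoformat(), "hour outside baseline")
            for ts, user, host in logons if user in base and ts.hour not in base[user]]


def suspicious_processes(procs):
    """procs: (host, image, run_as). Compares run_as with the session owner."""
    out = []
    for host, image, run_as in procs:
        if run_as in SYSTEM_ACCOUNTS:
            continue
        if run_as in ADMIN_ACCOUNTS and host not in ADMIN_WORKSTATIONS:
            out.append((host, image, run_as, "privileged account off admin workstation"))
        elif run_as != SESSIONS.get(host):
            out.append((host, image, run_as, "differs from session owner"))
    return out


# Constructed events: a week of alice's normal logons, then a quiet-hours logon
HISTORY = [(datetime(2021, 6, 7 + d, h), "alice", "WS-FIN-01")
           for d in range(5) for h in range(8, 18)]
NEW_LOGONS = [
    (datetime(2021, 6, 14, 3, 12), "alice", "WS-FIN-01"),       # Monday 03:12
    (datetime(2021, 6, 14, 9, 30), "alice", "WS-FIN-01"),       # ordinary
    (datetime(2021, 6, 12, 10, 0), "admin-bob", "SRV-APP-01"),  # Saturday
]
PROCESSES = [
    ("WS-FIN-01", "outlook.exe", "alice"),
    ("WS-FIN-01", "cmd.exe", "admin-bob"),      # admin account on a user workstation
    ("SRV-APP-01", "svchost.exe", "SYSTEM"),
    ("SRV-APP-01", "rundll32.exe", "jdoe"),     # not the session owner
    ("PAW-01", "mmc.exe", "admin-bob"),
]

if __name__ == "__main__":
    for finding in (configured_violations(NEW_LOGONS) + analytic_outliers(HISTORY, NEW_LOGONS)
                    + suspicious_processes(PROCESSES)):
        print(finding)
```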
</div>
</div>
<div>
<div>
<h3>Administration</h3> </div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<ul><li>Disable the default network shares (Admin$, C$ etc.) through the Windows Registry or Group Policy, instead of (or in addition to) trying to segment all SMB traffic in the network.</li><li>Prevent the installation and communication of file-sharing service clients (such as the Google Drive/Dropbox file sync agent) from contacting their servers.</li><li>Implement 2FA where possible.</li></ul> </div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
Article Link: Lowering and Mitigating Lateral Movement Risk for Ransomware - Guardicore