After the Jump: Lateral Moves within Networks

Corporate networks can be sprawling affairs comprising thousands of connected devices. Securing such networks is too often focused only on locking down access points into the network. But what happens once a user (or intruder) gains access to one of those network entry points? With an ever-evolving cyber threat environment and a constant barrage of new tools deployed by hackers in their attempts to gain network access, the assumption of every smart cybersecurity team should be that their external defenses will be penetrated.

Such an assumption will lead security teams to more closely analyze what security features are in place within the network, not just around its perimeter. Otherwise, what is preventing hackers from moving from resource to resource once they get inside a network? Once they’ve stolen credentials or hacked their way in through one door, what stops them from jumping from this server to the next to get at your most sensitive assets? That kind of internal movement across a network – commonly referred to as lateral moves – can lead to system-wide exposure and devastating access to critical resources which are not properly protected. The 2014 data breach of retailer Target still serves as an illustrative example and cautionary tale of what can happen when lateral moves are easily made.

The Target Breach in Review

The initial entry into Target’s network was accomplished through the theft of credentials from Target’s HVAC vendor. With these credentials, the hackers were then able to enter directly into a vendor subsystem of Target’s network – proof positive that security teams should always assume, in the first instance, that hackers will almost always find a way into a network in which they’re interested. But what were the HVAC guys doing with privileged access to the whole network in the first place? All they needed was access to the air system.

Of course, vendors do not have access to Target’s internal SQL Server databases – and thus, the hackers began their series of lateral moves that ultimately led to them being able to install malware on Target’s point-of-sale (POS) systems.

The hackers first installed a script on the vendor subsystem that allowed them to execute arbitrary operating system commands, which in turn allowed them to query Active Directory to learn the names of SQL Servers that might hold valuable data – and then allowed them to get the IP addresses of those same servers via Target’s DNS server. After running another attack that allowed them to impersonate a domain admin, and thus to create their own domain admin account, the hackers then scanned the network for vulnerable machines.

Lateral Movement: From Point to Point to Point-of-Sale

Once they got their hands on the HVAC contractors’ access, the lateral moves began. The hackers jumped from machine to machine using their stolen admin credentials, arriving ultimately at SQL Server databases from which they were able to query the personal information of roughly 70 million Target customers. The information that was stolen, however, did not contain credit card numbers. For that, more lateral moves to the POS machines were required – and after finding the machines, the hackers were able to install malware that gathered credit card info and ultimately delivered it via FTP to the hackers.

The breach was quickly discovered once fraudulent purchases using the stolen credit cards began – but not before inflicting damage that cost Target hundreds of millions of dollars. In fairness to Target, the damage would have been much worse had they not been in compliance with PCI-DSS standards by not storing credit card numbers in their databases – but could more have been done?

What Might Have Been

The short answer is yes. The longer, more detailed answer is that there are a number of simple security measures that could have been implemented that would have prevented each of the phases of the hackers’ attack. Upfront, requiring multi-factor authentication for vendors using privileged credentials might have kept the hackers from ever accessing the Target network even though the credentials had been stolen. Verifying that a privileged user is who they say they are when logging in is a crucial missed opportunity. As we have seen, though, once inside the network the hackers were able to run amok – and that’s where a strategy of defense in depth, created through a strong privileged access management (PAM) scheme, could have been of great utility.

By design, a strong PAM solution is designed to mitigate or even prevent the sequence of exploits and lateral moves that the hackers were able to pull off. There are several key features that a strong PAM solution must have to make this possible:

  • Privileged access should be granted to sensitive resources based on the Least Privilege principle. That is, a user only has access to the minimum resources necessary, and for the minimum time frame, in order to do his or her job effectively. No more, no less.
  • Access privileges should be defined not only by user credentials and roles but also by circumstances. That is, even super admins should only be allowed access to sensitive resources within logical work hours or from approved locations.
  • To help prevent lateral moves, sensitive resources within a network should not even be visible to those without access privileges, to avoid temptation and exploration.
  • All sessions should be monitored and recorded, and the PAM solution should have automated functionality to terminate any session wherein suspicious activity occurs.
  • Further, the PAM solution should have real-time alerting capabilities to trigger security team involvement whenever suspicious activity is taking place. In the Target attack, for example, the session activity where the hackers were querying Active Directory using wildcard search strings should have been immediately flagged, alerting the real admins to what was taking place.

The importance of a PAM solution having strong session monitoring capabilities cannot be overstated. Without it, hackers that can successfully give themselves privileged access credentials are free to access sensitive resources without any further obstacles to their progress as they move across your network. Indeed, as Target experienced, all of the unauthorized privileged access and lateral movement within the network was not noticed in any substantive way until the payment card companies brought the situation to light.

Could a proper PAM solution have stopped the Target hackers dead in their tracks? We can never know for certain, but it seems likely that it would have. And the price for not knowing, for Target and for the many other companies who have suffered damage via lateral-move exploits, is high. Given that hackers may ultimately find their way into most systems, securing the perimeter is not enough. Locking down the inside of a system to prevent lateral moves is both security- and cost-effective – and a strong PAM solution goes a long way to achieving such robust network security.