Keeping up with the latest attack patterns from malware groups has always been a top security priority. But while it is essential to understand how cyber criminals gain initial access, it has become increasingly important to focus on what happens after that first foothold: how attackers move from one machine to another inside the network.
We asked Yaron Kassner, co-founder and CTO of Silverfort, how ransomware attackers use lateral movement to attack an organisation and what can be done to ensure cyber resilience.
Tell me about Silverfort, your role and your responsibilities there
I am the Co-Founder and CTO of Silverfort. It’s my role to ensure our platform stays relevant as the risk and technical landscape continues to shift. With organisations seeking to take advantage of emerging cloud-based approaches to identity – and attackers looking to subvert and exploit these – this is easier said than done.
The Silverfort platform extends the security controls provided by cloud-based identity providers to assets that couldn’t be protected before. This helps organisations unify their security controls, such as Multi-Factor Authentication, identity threat detection and risk-based authentication, and apply them across their entire environment. This is important because, while increasingly advanced security controls become available, applying them in the enterprise environment remains a challenge.
How do you enable organisations to prevent data breaches?
A basic tool in the attacker’s toolkit is credential theft, and these credentials are used in the authentication process – so a key tool to detect and prevent data breaches is the visibility and control of authentication. Silverfort monitors all authentication activity in the environment and analyses this to detect identity threats. Additionally, we provide a proactive layer of security which requires MFA for sensitive or suspicious activity on important resources, and prevents malicious access by service accounts. Our platform repeatedly proves that these controls are highly effective in preventing data breaches as attackers struggle to access their targets when they’re protected with MFA and service account fencing.
Do you think real-time visibility is important to stopping cyber attacks?
Real-time visibility is very important in stopping cyber attacks. Since cyber attacks are becoming increasingly fast, you need to detect them very fast to stop them. An alternative approach is to apply the strictest security controls everywhere, but while this approach is secure, it burdens users and complicates their work. Visibility allows you to see where the threats and vulnerabilities are and focus the prevention and response efforts there.
What are lateral movement attacks, and what impact can they have?
Lateral movement is the ability for an attacker to move across an environment from one computer to another.
The attacker first needs to achieve an initial foothold in the environment, and that can be done with a variety of techniques, such as exploiting a vulnerability in an external-facing service or stealing a password used for network access. However, more often than not, this is not where the attackers want to end up. The real targets for attackers are high-value servers, applications and other infrastructure, or even an entire corporate environment.
To get to these an attacker will have to move between machines and escalate their level of privileges so they can run processes when they finally access their target. To do this, they abuse the identity infrastructure to search and connect to other machines. Once they find these, they either ‘dump credentials’ to steal logins and passwords with greater access, or they exploit weaknesses in identity infrastructure itself to forge tickets with greater privileges.
Ultimately, the attackers will reach their target, at which point they can move to the final stage of their attack and drop ransomware, poison the supply chain, exfiltrate data and more.
How can any organisation strengthen their cyber resiliency against lateral movement attacks?
Lateral movement used to be the preserve of highly resourced attack groups but, as with anything in cybersecurity, has become commoditised. First, organisations need to realise this and build lateral movement prevention into wider risk reduction strategies.
Next, they need visibility of such attacks. Until now, this has been a challenging task because spotting malicious access requests has been difficult. However, it is now possible to apply risk-based analysis to identity data to spot the anomalies which are a marker of threat actors. This ultimately means understanding what constitutes a ‘normal’ baseline for identity, and then monitoring for things like abnormal volumes and types of requests.
Most importantly, they can apply proactive rules and policies to act as gatekeepers around sensitive resources. This can come in the form of an MFA request designed to ensure that only the right person is allowed to access the asset in question.
What is next for Silverfort?
As the volume of identity attacks increases and the complexity of technology continues to fragment, we expect a growing market.
The security world is waking up to the exposure from identity. It has become a central path for attackers looking to move around internally, and also the very means by which they gain access to critical infrastructure. Our belief is that by closing down this attack surface, we can not only stop lateral movement but also stop threat actors delivering the final blow in their attacks.
As the use of hybrid cloud environments increases, we will see greater need for our solutions because this also increases complexity. Fragmentation leads to silos and black spots which provide an opportunity for attackers to hide. Identity security is not a new problem, but it is a growing one. Many of the tactics and techniques used force a much-needed evolution of identity security, and we see it as our role to help companies change for the better.
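The detection approach the interview describes for lateral movement (learn a "normal" baseline of authentication per identity, then monitor for abnormal volumes and types of requests) can be shown concretely. The following is an added worked example written for this page; it is not Silverfort's code and not part of the interview. The log format, host and user names, and the two thresholds are assumptions, and the log lines are constructed for the example. It builds a per-account baseline of which servers an account normally authenticates to over the network (logon type 3, the network logon type in Windows event logs), and then flags any hour in which an account reaches several servers it has never touched before, or far more servers than it ever did during the baseline period, which is the pattern a credential-theft-driven lateral movement leaves in identity data.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Assumed one-line-per-authentication format (constructed for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"type=(?P<type>\d+) result=(?P<result>\w+)$"
)

# Constructed baseline period: alice normally reaches FS01 and MAIL01, bob only FS01.
BASELINE_LOG = """
2024-03-01T09:00:00Z user=alice src=WS-ALICE dst=WS-ALICE type=2 result=success
2024-03-01T09:05:00Z user=alice src=WS-ALICE dst=FS01 type=3 result=success
2024-03-01T09:20:00Z user=alice src=WS-ALICE dst=MAIL01 type=3 result=success
2024-03-02T08:55:00Z user=alice src=WS-ALICE dst=FS01 type=3 result=success
2024-03-02T13:10:00Z user=alice src=WS-ALICE dst=MAIL01 type=3 result=success
2024-03-01T10:00:00Z user=bob src=WS-BOB dst=FS01 type=3 result=success
2024-03-02T10:30:00Z user=bob src=WS-BOB dst=FS01 type=3 result=success
"""

# Constructed observation period: a normal morning, then alice's stolen
# credentials fan out to four never-before-seen servers at 02:00.
OBSERVED_LOG = """
2024-03-05T09:02:00Z user=alice src=WS-ALICE dst=FS01 type=3 result=success
2024-03-05T09:03:00Z user=alice src=WS-ALICE dst=MAIL01 type=3 result=success
2024-03-05T10:00:00Z user=bob src=WS-BOB dst=FS01 type=3 result=success
2024-03-05T10:05:00Z user=bob src=WS-BOB dst=SRV-DB01 type=3 result=failure
2024-03-06T02:11:00Z user=alice src=WS-ALICE dst=SRV-DB01 type=3 result=success
2024-03-06T02:12:00Z user=alice src=WS-ALICE dst=SRV-APP02 type=3 result=success
2024-03-06T02:14:00Z user=alice src=WS-ALICE dst=SRV-HR03 type=3 result=success
2024-03-06T02:17:00Z user=alice src=WS-ALICE dst=DC01 type=3 result=success
2024-03-06T02:19:00Z user=alice src=WS-ALICE dst=FS01 type=3 result=success
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src: str
    dst: str
    logon_type: int
    success: bool


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return AuthEvent(
        ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        user=m["user"].lower(), src=m["src"].upper(), dst=m["dst"].upper(),
        logon_type=int(m["type"]), success=m["result"] == "success",
    )


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def _hour(ts):
    return ts.replace(minute=0, second=0, microsecond=0)


def _network_logons(events):
    # Only successful network logons count: failed attempts and interactive
    # (type 2) logons are not evidence of reaching another machine.
    return [e for e in events if e.logon_type == 3 and e.success]


def build_baseline(events):
    """Per account: the set of servers reached and the busiest hour seen."""
    hosts, per_hour = defaultdict(set), defaultdict(lambda: defaultdict(set))
    for e in _network_logons(events):
        hosts[e.user].add(e.dst)
        per_hour[e.user][_hour(e.ts)].add(e.dst)
    return {u: {"hosts": hosts[u],
                "max_hourly": max(len(s) for s in per_hour[u].values())}
            for u in hosts}


def detect(events, baseline, new_host_threshold=3, burst_factor=2):
    """Flag account-hours that fan out to new servers or far beyond their norm."""
    windows = defaultdict(set)
    for e in _network_logons(events):
        windows[(e.user, _hour(e.ts))].add(e.dst)
    alerts = []
    for (user, hour), dsts in sorted(windows.items()):
        base = baseline.get(user, {"hosts": set(), "max_hourly": 0})
        new_hosts = dsts - base["hosts"]
        reasons = []
        if len(new_hosts) >= new_host_threshold:
            reasons.append("new_destinations")
        if len(dsts) > burst_factor * max(base["max_hourly"], 1):
            reasons.append("volume_burst")
        if reasons:
            alerts.append({"user": user, "hour": hour.isoformat(),
                           "distinct_hosts": len(dsts),
                           "new_hosts": sorted(new_hosts), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse_log(BASELINE_LOG))
    for alert in detect(parse_log(OBSERVED_LOG), base):
        print(alert)
```

Running it prints a single alert for alice in the 02:00 hour on 2024-03-06 (five distinct servers, four of them never seen in her baseline, both rules tripped), while the normal 09:00 activity and bob's failed attempt produce nothing. The thresholds are deliberately simple; in practice the baseline would be learned over weeks and the rules tuned per account type, with service accounts given a tighter profile than interactive users.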