At the worst possible time, ransomware is a greater threat than ever, grinding IT operations back to pen and paper and taking down businesses when we can least afford it. In the midst of a pandemic, we’ve seen the continued rise of healthcare ransomware. Those of us with kids learning remotely have ransomware as the new snow day.
Why are there still so many successful ransomware attacks?
What is Lateral Movement?
Lateral movement is when an intruder breaches your perimeter and then moves across the environment to other machines, turning a single compromised host into a much larger and more expensive data breach. It can start on an endpoint or on a compromised data center workload, and it can end with tens of thousands of end-user computers taken down, or with an attacker strategically targeting your most valuable crown-jewel data center assets.
MITRE’s ATT&CK framework puts it plainly in its description of the Lateral Movement tactic: “the adversary is trying to move through your environment.” Defenders therefore cannot focus only on stopping threats from gaining a foothold; they must also stop the attacker’s subsequent movement. This is now so fundamental to a defender’s job that ATT&CK treats lateral movement as one of its top-level tactics, with its own set of techniques to defend against.
Why is malware so successful at propagating by lateral movement between endpoints? To understand that, first examine how traditional application security protects the data center, and why it does not always protect the endpoint.
Lateral Movement in the Data Center
Data center security focuses on client-server communications from endpoints to the server. In most of today’s browser-based business applications, when a user enters the application’s URL in their browser window, the browser opens a connection to a web server running in a data center or a public cloud. End-user machines communicate with these front-end servers through standard ports like 80 and 443. Web servers behind the corporate perimeter are secured by firewalls, IPS, detection and response, and other data center security technologies. Front-end servers are connected to business logic, database, and other types of servers, all within the confines of the data center or cloud environment.
This is where lateral movement can do its damage. If an external facing server or workload is compromised via a vulnerability, an attacker can move laterally from the compromised workload to where valuable data resides, like on database servers. In a flat network without micro-segmentation, this is not at all difficult.
With effective segmentation in place, these “internal” servers are not reachable from a compromised front-end, or from anything else that has no business talking to them. Micro-segmentation prevents attackers from spreading laterally, or “east-west,” within data centers, clouds, or campus networks. A threat is contained to the network segment or the individual host where it landed, so the attacker cannot move to other parts of the environment. This limits the size and impact of a breach.
Lateral Movement from Endpoint to Endpoint
Why isn’t this enough to stop ransomware? Because ransomware does not need to talk to a server in order to propagate. It can spread directly from endpoint to endpoint across thousands of machines in minutes, without ever crossing a data center segment boundary.
Ransomware typically lands on an endpoint and spreads directly to other endpoints over services those endpoints expose to each other, most commonly SMB (port 445) and RDP (port 3389). Peer-to-peer (P2P) applications such as SIP clients and Skype work the same way: they open listening ports on the endpoint and accept inbound connections from neighboring endpoints. While most modern enterprise applications rely solely on outbound connections (the endpoint initiates a connection to a server), P2P traffic between endpoints creates an east-west connection that never involves a server. Because this traffic does not hairpin through a data center, the only security that can see it or stop it is whatever runs on the endpoint itself.
Preventing Lateral Movement Between Endpoints
What are the challenges in securing lateral movement between endpoints?
Visibility - lateral connections between two endpoints on the same subnet never traverse a firewall or gateway, so those devices cannot see them, let alone detect or block the associated threats. The same blind spot covers everything happening on the home networks of employees working remotely.
What about endpoint security? EDR and EPP tools running on the endpoint detect and respond to malicious activity they observe on the host. They engage once something is already executing; on their own they do not close the inbound ports that ransomware uses to reach the next machine, so by the time they act, the spread may already be under way.
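To get that visibility from the endpoint itself, here is an added example (written for this page, not code from the original post or from Illumio): it reads Sysmon network-connection events (Event ID 3) on a Windows endpoint and lists inbound SMB and RDP connections that arrived from other workstations, which is exactly the traffic a perimeter firewall never sees. It assumes Sysmon is installed with network-connection logging enabled, that user endpoints sit in 10.20.0.0/16, and a 24-hour lookback; the address range and the window are assumptions.

```powershell
# Added example: surface endpoint-to-endpoint SMB/RDP connections from Sysmon
# network-connection events (Event ID 3) on the local Windows host.
# Assumptions: Sysmon is installed with network logging enabled, and user
# endpoints live in 10.20.0.0/16 (assumed address range).
$WorkstationPrefix = '10.20.'        # assumed: prefix of the workstation subnet
$LateralPorts      = @(445, 3389)    # SMB and RDP

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 3
    StartTime = (Get-Date).AddHours(-24)   # assumed lookback window
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning 'No Sysmon network-connection events found in the last 24 hours.'
    return
}

# Flatten each event's EventData into a simple object keyed by field name.
$flows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Initiated = [bool]::Parse($data['Initiated'])   # $false = connection was inbound to this host
        SrcIp     = $data['SourceIp']
        DstIp     = $data['DestinationIp']
        DstPort   = [int]$data['DestinationPort']
        Image     = $data['Image']                      # local process that accepted the connection
    }
}

# Inbound SMB/RDP that came from another workstation rather than from a server.
$peerInbound = $flows | Where-Object {
    -not $_.Initiated -and
    $_.DstPort -in $LateralPorts -and
    $_.SrcIp.StartsWith($WorkstationPrefix)
}

Write-Host "Inbound SMB/RDP connections from peer workstations:"
$peerInbound | Sort-Object Time |
    Format-Table Time, SrcIp, DstPort, Image -AutoSize

# Which peers are connecting repeatedly: a single workstation hitting this host
# on 445/3389 over and over is not normal user behaviour.
Write-Host "Connections per source workstation:"
$peerInbound | Group-Object SrcIp | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

Run it elevated on the endpoint. On a single host this only shows who is knocking on this machine; to see the worm pattern (one source fanning out to many destinations) the same events need to be forwarded to a central collector and grouped by source across all hosts.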
Zero Trust for the Endpoint
Best practice for preventing the spread of a breach is to adopt a Zero Trust policy on the endpoint. That means a default-deny stance for inbound connections, with an explicit allow-list of the services permitted between endpoints, and each permission granted only for a legitimate business purpose (for example, RDP from the help desk’s jump hosts, not from any workstation).
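As an added example of what that allow-list looks like on a single Windows endpoint (illustrative code written for this page, not Illumio Edge policy or code from the original post): the built-in Windows Defender Firewall is set to block all inbound traffic by default, the stock File and Printer Sharing and Remote Desktop allow rules are disabled, RDP is re-allowed only from an assumed management subnet 10.10.5.0/24, and inbound SMB is blocked outright. The subnet and the rule names are assumptions; outbound traffic is left open so normal endpoint-to-server application traffic is unaffected.

```powershell
#Requires -RunAsAdministrator
# Added example: default-deny inbound on a user endpoint with a short allow-list.
# Assumptions: helpdesk / admin jump hosts live in 10.10.5.0/24 (assumed), and
# endpoints have no business reason to accept SMB or RDP from other endpoints.
$MgmtSubnet = '10.10.5.0/24'   # assumed management subnet

# 1. Block everything inbound by default on every profile. Outbound stays open,
#    so the endpoint can still reach its servers as usual.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Disable the built-in allow rules that would otherwise expose file sharing
#    and remote desktop to every host on the subnet.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing', 'Remote Desktop' `
    -ErrorAction SilentlyContinue | Disable-NetFirewallRule

# 3. Allow-list: RDP only from the management subnet, only on the domain profile.
New-NetFirewallRule -DisplayName 'ZT: RDP from management subnet' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $MgmtSubnet -Action Allow -Profile Domain | Out-Null

# 4. Explicit block for inbound SMB from anywhere. In Windows Firewall a Block
#    rule wins over any Allow rule, so this holds even if a later product or
#    GPO adds a broad SMB allow rule.
New-NetFirewallRule -DisplayName 'ZT: Block inbound SMB' `
    -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null

# 5. Audit what is now in force.
Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultInboundAction -AutoSize
Get-NetFirewallRule -DisplayName 'ZT:*' |
    Format-Table DisplayName, Direction, Action, Profile, Enabled -AutoSize
```

Apply this from a console session or from a management host inside the allowed subnet; running it over RDP from an ordinary workstation will cut off your own session. Afterwards, `Test-NetConnection -ComputerName <endpoint> -Port 445` from a neighboring workstation should fail, while the endpoint’s own browser-based applications keep working. At scale the same policy is pushed by GPO or a host-firewall management tool rather than typed on each machine.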
If you’ve ever tried to download and install a P2P app, like Skype, off the internet on your laptop at a new job and gotten a nastygram from IT, you understand how this works. Users should only access company-approved resources, for everyone’s protection.
As security threats evolve and state-sponsored attackers become more sophisticated, security solutions must keep up in order to remain relevant. Zero Trust solutions protect many systems proactively, offering coverage based on first principles and a low false-positive rate. Software tools like Illumio Edge lead the way in scalable host-based firewall management and offer strong protection against malicious lateral movement.