Lateral Movement Security

Security teams often focus significant effort and resources on protecting the perimeter of their IT infrastructure and tightly controlling north-south traffic, or traffic that flows between clients and servers. However, several major transformations in enterprise computing are causing east-west traffic, or server-to-server communication within the data center, to outgrow north-south traffic in both volume and strategic importance.

For example:

  • Traditional on-premises data centers increasingly use horizontal scaling techniques that employ large sets of peer nodes to service the requests of clients, rather than a simple north-south flow.
  • The emergence of big data analytics as an essential competency is also driving substantial growth of east-west traffic, as processing of large data sets distributed across many nodes is generally required.
  • The growing adoption of public cloud infrastructure makes the traditional concept of a network perimeter obsolete, increasing the importance of securing east-west traffic among nodes.

While many organizations remain heavily invested in perimeter security, they are often extremely limited in their ability to detect and prevent lateral movement within their data center and cloud infrastructure.

What is Lateral Movement?

Lateral movement is the set of steps that attackers who have gained a foothold in a trusted environment take to identify the most vulnerable and/or valuable assets, expand their level of access, move to additional trusted assets, and further advance in the direction of high-value targets. Lateral movement typically starts with an infection or credential-based compromise of an initial data center or cloud node. From there, an attacker may employ various discovery techniques to learn more about the networks, nodes, and applications surrounding the compromised resource.

As attackers are learning about the environment, they often make parallel efforts to steal credentials, identify software vulnerabilities, or exploit misconfigurations that may allow them to move successfully to their next target node.

When an attacker executes an effective combination of lateral movement techniques, it can be extremely difficult for IT teams to detect, as these movements often blend in with the growing volume of legitimate east-west traffic. The more they learn about how legitimate traffic flows work, the easier it is for them to attempt to masquerade their attacks as a sanctioned activity. This, combined with many organizations’ insufficient investment in lateral movement security, can cause security breaches to escalate quickly.

Assessing Lateral Movement Security

One fast, simple, and inexpensive step that organizations concerned about lateral movement security can take is to test how vulnerable their environment is to unsanctioned east-west traffic. GuardiCore Labs offers a free, open-source breach and attack simulation tool called Infection Monkey that can be used for this purpose.

Infection Monkey scans the environment, identifies potential points of vulnerability, and attempts predetermined attack scenarios to attempt lateral movement. The output is a security report that identifies the security issues that were discovered and includes actionable remediation recommendations.

Infection Monkey Warns of Danger of Lateral Movement

Visualizing East-West Traffic

Organizations seeking more proactive lateral movement security can begin by visualizing the east-west traffic in their environment. Once a clear baseline of sanctioned east-west traffic is established and viewable on a real-time and historical basis, it becomes much easier to identify unsanctioned lateral movement attempts.

This is one of the flagship capabilities of GuardiCore Centra. Centra uses network and host-based sensors to collect detailed information about assets and flows in data center, cloud, and hybrid environments, combines this information with available labeling information from orchestration tools, and displays a visual representation of east-west traffic in the environment.

Visibility for Lateral Movement

This added visibility alone delivers immediate benefits to organizations seeking a greater understanding of potential lateral movement risks. It also provides the foundation for more sophisticated lateral movement security techniques.

Improving Lateral Movement Security

Once an organization has a clear view of both sanctioned and unsanctioned east-west traffic in its data center and cloud infrastructure, it can use this information to take active steps to stop lateral movement. An optimal approach includes a mix of both proactive and reactive lateral movement security techniques.

Micro-Segmentation Policies

Once an IT team has visualized its east-west traffic, the addition of micro-segmentation policies can significantly reduce attackers’ ability to move laterally. Micro-segmentation applies workload and process-level security controls to data center and cloud assets that have an explicit business purpose for communicating with each other. When strong micro-segmentation policies are implemented, attempts at lateral movement that do not explicitly match sanctioned flows – down to the specific process level – can generate alerts to the security operations team or even be blocked proactively.

Detecting and Responding to Unauthorized East-West Traffic

While micro-segmentation policies significantly improve lateral movement security, it is important to complement policy measures with additional detection and response capabilities. In addition to providing information-risk alerts when policy violations occur, GuardiCore Centra can detect and respond to unauthorized east-west traffic by leveraging deception technology to monitor and investigate suspicious behavior within east-west traffic.

Deception

GuardiCore Centra applies deception technology to analyze all failed attempts at lateral movement and then redirect suspicious behavior to a high-interaction deception engine. The attacker is fed responses that suggest that their attack techniques are successful, but all their tools, techniques and exploits are being recorded and analyzed in a fully isolated environment.

Deception

This helps IT teams learn more about the lateral movement being attempted in the environment and assess how to best improve security policies over time.

A Growing Strategic Priority

While strong perimeter security remains essential, the transition from traditional on-premises infrastructure to hybrid-cloud and multi-cloud architectures is increasing the strategic importance of lateral movement security.

It’s essential for security teams to:

  • Gain ongoing visibility into their organization’s east-west traffic
  • Develop techniques for differentiating between sanctioned and unsanctioned east-west traffic
  • Implement controls like micro-segmentation to tightly govern infrastructure activity
  • Actively monitor for unauthorized lateral movement to both contain breaches quickly and continuously refine policies based on the latest attack techniques.

Organizations that move beyond perimeter-focused thinking and place greater emphasis on lateral movement security will ensure that their security measures remain in step as IT infrastructure becomes more dynamic and heterogeneous.

For more information about Micro-Segmentation, visit our Micro-Segmentation Hub

0 comments

Leave a Comment

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *