Cyber-attacks that involve lateral movement and privilege escalation can take months or even years to unfold, and it can take just as long for security teams to find out about them, by which time, a significant amount of damage may have already been caused. It’s important that we understand exactly what lateral movement and privilege escalation are so that we can better defend against them.
What is Lateral Movement and Privilege Escalation?
In simple terms, lateral movement is the process by which an attacker gains access to a network, then, using various tools and techniques, elevates their privileges in order to achieve their objectives (whatever they might be), in a process known as privilege escalation.
The attacker will typically try to obtain a legitimate set of credentials via some type of social engineering technique. Once they have successfully compromised a user account, they will use their existing privileges to scope out the network, harvesting as much information as possible about the software, processes, and security technologies that are used, in the hope of finding vulnerabilities.
Types of Privilege Escalation Attacks
There are two main types of privilege escalation that attackers can use, namely, Horizontal and Vertical privilege escalation.
Horizontal privilege escalation is where the attacker compromises a user account, and then attempts to elevate the privileges of that account. Such an attack involves a deep understanding of the network’s vulnerabilities, and the use of various exploit kits, such as Mimikatz and Metasploit.
Vertical privilege escalation is slightly easier, as it involves identifying and gaining access to other user accounts on the network with more privileges.
What Specific Techniques Do Attackers Use?
There are several techniques that adversaries use to move laterally and escalate their privileges on Windows systems, which are as follows:
Network reconnaissance: This involves probing the network for vulnerabilities, identifying all users, groups, and computers, and making a decision about the best plan of attack.
Pass-the-Hash (PtH): A pass-the-hash attack is where the attacker steals a hashed password, often by scraping a system’s active memory or some other technique, and then uses the hashed password to trick an authentication system into believing that the attacker’s endpoint is a legitimate user. In order to carry out a pass-the-hash attack, the attacker will need to be able to run malware using an account that has local admin rights.
Kerberoasting: This involves exploiting the Kerberos authentication protocol to extract service account credential hashes from Active Directory users. Service accounts typically have greater privileges than regular user accounts, hence why attackers are so keen to gain access to them.
Windows sticky keys: Sticky keys are Windows accessibility features, which can also be used by attackers to gain administrative privileges on a device, even without a legitimate set of credentials.
Internal system commands: If the attacker has already compromised a user account with local administrator rights, they can use the psexec command to escalate the permissions on that account to the system level.
Process Injection: Attackers sometimes use a tool called “Process Injector” to identify all active processes, the accounts running those processes, and their respective privileges. Using Process Injector, attackers can exploit vulnerable processes and potentially gain access to an account with greater privileges.
How to Defend against Lateral Movement and Privilege Escalation
Establish a strong defense against social engineering attacks
These days, most cyberattacks are initiated via social engineering attacks, such as phishing, smishing and pretexting. Attackers will try to trick unsuspecting victims into handing over credentials or other types of information that they can use to get their foot in the door. As a starting point, the most effective defence against social engineering attacks it to regularly train your employees to be vigilant in identifying and reporting suspicious emails, texts, and phone calls. Likewise, it would be wise to invest in the best anti-malware/spam filtering technologies on the market.
Have a strong password policy
Attackers will often try to use “password spraying” to gain access to your network, which involves attempting to login to multiple accounts using predictable passwords such as “password123”. While such brute-force attacks are not as effective as they once were, as long as there is just one employee with a weak password, such techniques can still be lucrative. Make sure that you enforce the use of strong and complex passwords. Long passphrases are generally considered to be better than short complex passwords, as they are easier for employees to remember, yet still complex enough to prevent attackers from guessing them. It’s also a good idea to periodically rotate passwords to help protect against advance persistent threats (ATPs). If you want to be extra secure, consider using multi-factor authentication (MFA) which requires an additional verification method, such as a passcode sent to your mobile device or perhaps some form of biometric data, such as a fingerprint scan.
Enforce “least privilege” access
Users should only be granted access to the systems and data they need to carry out their role, which will limit the amount of damage an attacker can do were they to gain unauthorized access to your network. You will need to establish a formalized process for granting/revoking access to sensitive data, as and when necessary.
Monitor privileged accounts
You must ensure that you monitor access to privileged accounts and keep a close eye on all actions performed by privileged users. Any time-sensitive data is accessed, shared, moved, modified, or deleted, you need to know about it. You must ensure that you maintain an immutable record of all events, which can be easily searched and sorted. Use a sophisticated real-time auditing solution that uses machine learning techniques to identify anomalous behavior. For example, you need to know when a user accesses a file containing sensitive data for the first time, copies files to a USB drive, or accesses their account out of office hours. Your solution should be able to detect and respond to events that match a pre-defined threshold condition, which can help to identify multiple failed logon attempts, bulk file encryption, and other similar events. In some cases, attackers try to gain access to inactive user accounts, as doing so gives them a better chance of scoping out your network without arousing too much suspicion. As such, you will need a solution that is able to automatically detect and manage inactive user accounts.
Ensure that all systems have the latest patches installed
Attackers are always on the lookout for security vulnerabilities to exploit, even before they gain access to your network. Consider using an automated patch management solution to ensure that all patches and updates are installed on all endpoints as soon as they become available.
If you’d like to see how the Lepide Data Security Platform can help you detect and prevent lateral movement and privilege escalation, schedule a demo with one of our engineers or start your free trial today.