Trying to Prevent Lateral Movement on a Budget?
They say the best things in life are free. And whether you believe it or not, it’s got to be true at least every once in a while, right? Well, when it comes to securing your credentials and data, there are in fact a number of things you can do that are not only highly effective, but cost conscious.
Not to oversimplify some otherwise complex concepts and subjects, there are three things pretty much every attacker relies upon being true in order to move laterally throughout an organization’s network on their way to total domain dominance. They are:
- Local Admin rights
- Improperly configured systems
- A poorly understood Active Directory
Now, expecting to prevent Lateral Movement completely isn’t exactly realistic due to the ultra-sophisticated ways attackers are able to circumvent even the best defenses, so the goal should really be to make it as difficult as possible for an attacker to achieve their goal. This means making sure these basics are covered.
Lateral Movement and Local Admin Rights
Local Admin rights are pretty much the most important ingredient in a standard lateral movement situation. Without privileged access to the system, it’s significantly more difficult – if not impossible – for an attacker to install and run useful software containing powerful tools like Mimikatz that will allow them to exploit critical misconfigurations (which we’ll discuss some of next) that they’ll also need Local Admin rights to get to.
Limiting this level of access to the lowest levels possible through proactive evaluation of Local Admin rights on every system and leveraging built-in solutions like Microsoft’s Local Administrator Password Solution (LAPS) can have drastic impact in the fight against lateral movement techniques.
How Simple Misconfigurations Make Lateral Movement Easy
There are thousands of possible configuration settings on a Windows system, but a relatively small handful of them are particularly significant as it pertains to the topic of lateral movement. Two such configurations are LSA Protection and WDigest.
Again, assuming an attacker has the Local Admin rights needed to either exploit misconfigurations of these settings or change them to be exploitable, improper configuration of LSA Protection and/or WDigest will allow an attacker to steal the passwords of other accounts that have been used on a system by reading system memory through code injection into the Local Security Authority (LSA).
Ensuring LSA Protection is enabled and disabling WDigest passwords from being stored in memory is about as simple as the flick of a switch, as both are controlled via the system’s Registry.
Plaintext Passwords in SYSVOL? Lateral Movement Coming Up!
The last tactic we’re going to discuss here is perhaps the simplest an attacker can employ, but also one of the easiest to spot and fix (if you know to look for it). Here’s how it works:
Group Policy Objects (GPOs) can be used to create accounts and set passwords on computers within an Active Directory domain. Attackers can target these GPOs to obtain and decrypt these passwords (because Microsoft published the AES private key on MSDN) without any elevated rights. Why? Any authenticated account has read access to a Domain Controller’s SYSVOL share – where Group Policy Preferences are stored. Because Group Policy Preferences are often used to set and control the Local Administrator password across systems en masse, compromising an account contained in Group Policy Preferences can provide an attacker high-privilege, far-reaching access across an enterprise.
So, because any malicious insider or attacker can search for the cPassword field inside XML files shared through SYSVOL to decrypt them, you can too! Find them before they do, and you’ll be that much safer from critical credential compromise.
What Should I Do Now?
As I mentioned earlier in the post, Lateral Movement and the plethora of ways it’s made possible is a complex subject. Education on these attack vectors, prioritization of risk, and bandwidth constraints will ultimately dictate what you do next or about this or any subject. But, to make it just a little easier on you, we’re happy to lend a helping hand.
If you want to see whether or not you’re facing these risks and to what extent, our free Credential and Data Security Assessment will do just that.
Alternatively, we’d be happy to do it for you and produce a polished, informative Executive Summary for you to deliver your organization’s leadership team to articulate your risk and some highly effective measures that can be taken to reduce that risk. Contact Us today and we’ll get the ball rolling quickly.
Don’t miss a post! Subscribe to The Insider Threat Security Blog here:
As General Manager, Adam is responsible for product lifecycle and market adoption from concept to implementation through to customer success. He is passionate about market strategies, and developing long-term path for success for our customers and partners.
Previously, Adam served as CMO and has held a variety of senior leadership positions at Stealthbits – now part of Netwrix including Sales, Marketing, Product Management, and Operational Management roles where his focus has consistently been setting product strategy, defining roadmap, driving strategic engagements and product evangelism.
Adam holds a Bachelor of Science degree in Business Administration from Susquehanna University, Selinsgrove, PA.
Related Posts
- Sensitive Data Discovery for Compliance
- Using The Azure Information Protection (AIP) Scanner to Discover Sensitive Data
- Advanced Data Security Features for Azure SQL- Part 1: Data Discovery & Classification
- How to Protect Office 365 by Classifying Your Data with Microsoft’s AIP Labels
- 2019 Verizon DBIR Key Findings
- 5 Cybersecurity Trends for 2019
- EU GDPR: Paving the Way for New Privacy Laws?
- Announcing Stealthbits Activity Monitor 3.0 & StealthINTERCEPT 5.1
- Key Take Aways from the Ponemon 2018 Cost of Insider Threats Report
- Where Real Organizations Are with EU GDPR 10 Days from Launch
Leave a Reply