A zero-trust implementation technique, network segmentation compartmentalizes a network into distinct sub-networks to prevent lateral movement. Through targeted configuration designed to ensure least-privileged access to each sub-network, it aims to prevent unauthorized traffic from reaching privileged segments.
Zero trust architecture and network segmentation approaches are now widely adopted and stop obviously bad traffic. That is good. The flip side is that cyber-attackers now assume that you have implemented zero trust principles, which has led to a significant increase in living-off-the-land attacks, where attackers use stolen credentials or abused administrative protocols to move undetected through legitimate pathways.
“Lateral security is the new battleground.”
– Tom Gillis, Senior Vice President and General Manager at VMware, RSA Conference 2022
For example, a cyber attacker could abuse an RDP (Remote Desktop Protocol) connection, customarily used by admins to update servers, to stealthily reach the server and use it as a propagation base. As updating the servers is a critical IT function, blocking RDP communication is not an option; preventing abuse of that connection requires filtering out malicious traffic, which in turn requires teaching the SIEM to differentiate between legitimate and illegitimate use of the same protocol.
Even with the inclusion of AI capabilities in modern SIEM to correlate specific behavior with what actually constitutes a security incident, SIEM suffers from structural limitations:
- Not all data has equal value: a SIEM’s ability to detect suspicious activity relies on the data it ingests, so it is only as good as the data you feed it.
- More data might lead to less information: TrendMicro reports that an organization has an average of 29 monitoring tools (46 for organizations with over 10k employees), which leads to an overblown influx of data that cannot be adequately processed and generates confusion.
- The car alarm problem: car alarms have a very high false positive rate, and the result is that people’s reaction when hearing a car alarm is typically to ignore it. Similarly, an untuned SIEM generates a high percentage of false positives, which results in alert fatigue.
- A SIEM can only detect what it knows to detect: this falls under either the ‘known unknown’ or the ‘unknown unknown’ categories of threat, underlining the need for network segmentation with comprehensive policy enforcement. A SIEM cannot detect an emerging threat, an unknown vulnerability, or an unlisted potential use of a misconfiguration.
Using lateral movement technologies can significantly help overcome these limitations with minimal additional workload for the SIEM operators.
What Are Lateral Movement Technologies?
Lateral movement technologies emulate attacks with inactive payloads across all or parts of your infrastructure to identify the security gaps exploitable within it.
An assume-breach approach accelerates the use of lateral movement technologies, as it saves the resources required to run full-blown outside-in simulated attacks.
By simulating an adversary who already gained an initial foothold achieved through phishing or by exploiting the attack surface, a lateral movement strategy is to propagate from that single point within the network and attempt to perform actions on objectives, from disrupting operations to exfiltrating crown jewels.
Cymulate Lateral Movement technology, named Hopper as a tribute to its ability to hop from one security gap to the next to propagate across your network, effectively provides internal attack path mapping, identifying critical in-context security gaps.
How Do They Improve SIEM Performance?
Even SIEMs with advanced UEBA (User and Entity Behavior Analytics) capabilities rely on guesstimates based on divergence from known appropriate behavior. They fail to identify an attacker mimicking legitimate behavior after illicitly acquiring tokens or otherwise abusing protocols.
By contrast, lateral movement technologies proactively identify the potential routes an attacker may take.
There are two main ways to use the information yielded to enhance SIEM performance:
- Training SIEM – Adding the identified successful attack paths to the SIEM contributes known unknowns to its database, and tuning the alert severity levels to the highest degree for matching behaviors focuses the analyst’s attention on actual attack attempts. Even during the unavoidable time gap between security gap identification and their remediation, the SIEM effectiveness is considerably improved.
- Continuous validation – As lateral movement technologies are automated, they can be run as often as required for no extra cost. This means that not only is it easy to validate that remediation efforts have been effective, but it also enables instant verification that new deployments are not opening new attack routes.
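The RDP scenario above and the "Training SIEM" step, as an added example that is not code from Cymulate or the article: successful hops reported by a lateral movement emulation become top-severity rules for RDP logons that fall outside the legitimate admin paths. The hop list, the allow-list of jump-host paths and the log lines are all constructed.

```python
"""Added example: turn lateral movement emulation findings into SIEM-style rules.

Assumptions (constructed, not a real product format): an emulation run reports
successful hops as (src, dst, protocol); an allow-list holds the legitimate admin
RDP paths; logs are Windows-style 4624 logon events (LogonType 10 = RDP).
"""
import re

# Constructed allow-list: which source may open RDP to which server.
LEGIT_RDP_PATHS = {("jump01", "srv-db01"), ("jump01", "srv-web01")}

# Constructed hops that a lateral movement emulation run traversed successfully.
EMULATED_HOPS = [("ws-hr-07", "srv-web01", "rdp"), ("srv-web01", "srv-db01", "rdp")]

# Constructed sample logon events.
SAMPLE_LOGS = [
    "2024-05-01T08:01:10 EventID=4624 LogonType=10 Src=jump01 Dst=srv-db01 User=admin1",
    "2024-05-01T08:03:42 EventID=4624 LogonType=10 Src=ws-hr-07 Dst=srv-web01 User=admin1",
    "2024-05-01T08:04:05 EventID=4624 LogonType=10 Src=srv-web01 Dst=srv-db01 User=svc_backup",
    "2024-05-01T08:05:00 EventID=4624 LogonType=3 Src=ws-fin-02 Dst=srv-file01 User=jdoe",
    "2024-05-01T08:06:30 EventID=4624 LogonType=10 Src=ws-fin-02 Dst=srv-file01 User=jdoe",
]

LOG_RE = re.compile(r"EventID=(\d+) LogonType=(\d+) Src=(\S+) Dst=(\S+) User=(\S+)")


def build_rules(hops, legit_paths):
    """Known unknowns: RDP paths the emulation used that are not legitimate admin paths."""
    return {(s, d) for s, d, proto in hops if proto == "rdp" and (s, d) not in legit_paths}


def triage(line, attack_paths, legit_paths):
    """Return (severity, reason) for one log line; only RDP logons (type 10) are scored."""
    m = LOG_RE.search(line)
    if not m or m.group(1) != "4624" or m.group(2) != "10":
        return ("ignore", "not an RDP logon")
    src, dst = m.group(3), m.group(4)
    if (src, dst) in legit_paths:
        return ("info", "legitimate admin path")          # same protocol, expected route
    if (src, dst) in attack_paths:
        return ("critical", "path proven by lateral movement emulation")
    return ("medium", "RDP from unexpected source")


def run(lines, hops, legit_paths):
    """Score every log line; returns [(timestamp, severity, reason), ...]."""
    rules = build_rules(hops, legit_paths)
    return [(line.split()[0], *triage(line, rules, legit_paths)) for line in lines]


if __name__ == "__main__":
    for ts, sev, why in run(SAMPLE_LOGS, EMULATED_HOPS, LEGIT_RDP_PATHS):
        print(ts, sev.upper(), why)
```

Re-running the emulation after remediation and rebuilding the rule set from the new hop list is the "continuous validation" loop: a hop that no longer succeeds drops out of the critical set.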
In addition, the data collected through lateral movement emulated attacks can be used to prioritize remediation efforts. With endemic patching backlogs – Jeeta Patel, Executive VP of Cisco, said at the 2022 RSAC that “on average, only 20% of known vulnerabilities are patched.” – zeroing in on the vulnerabilities, misconfigurations, and other security gaps actually usable and used in context maximizes the impact of remediation efforts on the overall health of the security posture.
How Hard Is it to Implement Lateral Movement Technologies?
The answer to that question is entirely vendor-dependent.
Cymulate’s lateral movement module, Hopper, can be installed and run in minutes. It only requires adding a light agent. That is what leads users such as Mor Asher, Global Infrastructure and Infosec Manager at Telit, a global IoT connectivity company, to say things like, “Onboarding to Cymulate was practically done instantly, allowing us from a single console to run full kill-chain attacks in a matter of minutes with 100% safety in production systems.”
In addition, Cymulate’s lateral movement module can be run either across the entire kill chain or on specific segments. This unique ability adds considerable flexibility to pinpoint tests on segments, for example to rapidly validate the efficacy of an individual remediation process or the impact of a local deployment.
Adding lateral movement technologies to a cybersecurity toolbox might well be the fastest way to improve SIEM performance and might very well end up reducing cost and optimizing resources in addition to hardening the security posture.
For a free trial and more information about how to use lateral movement to stay ahead of the game and prioritize your vulnerabilities.