Prevent ransomware by stopping lateral movement: the case for active defence
Cybercrime is often motivated by profit, and threat actors have realised that the most profitable way to conduct their business is to target enterprises with deep wallets, a cyber insurance policy, and/or valuable assets. However, these attacks are not as easy to pull off as sending out a generic phishing email and hoping for the best – they require a lot of resources and careful planning. The “hack for ransom” threat is spreading rapidly and, in many cases, paying handsomely.
To further complicate the matter, the software supply chain is long and perilous. As the recent SolarWinds incident has demonstrated, despite years of security specialists advocating for vulnerability scanning and timely patching policies, it is extremely hard to stop attacks that come through the supply chain. Vulnerabilities might be known and remediable, but the sheer number of stages at which something might go wrong makes it almost impossible to reduce risk to an acceptable level, especially when it comes to attacks as sophisticated as the one that hit SolarWinds. In that instance, threat actors focused on obtaining credentials and slowly crept into the network, moving laterally and progressively gaining access to systems and data. This is the same tactic used in today’s enterprise ransomware attacks.
The intricate nature of advanced ransomware makes traditional attack mitigation strategies and technologies inadequate for stopping these human-guided attacks. But what if the scale of these operations and their complexity were to be turned into advantages for defenders? Could this preparatory work – the reconnaissance on the network and the lateral movement to reach an organisation’s crown jewels, stolen from the APT playbook – be useful for security teams to identify an intruder before it’s too late?
Think like a hacker: why lateral movement is still happening
Organisations know better than to leave their crown jewels, sensitive servers and privileged accounts unsecured. For this reason, almost any cyberattack nowadays exploits a lower-profile entry point and requires lateral movement through the network. But even though security teams know this, there are several challenges that prevent them from being able to stop it.
Firstly, the size of the attack surface makes it difficult to maintain visibility across all endpoints and, therefore, to prevent attackers from establishing a beachhead from where they can cause extensive damage. The shift to remote working brought about by the national lockdowns of 2020/2021 significantly contributed to the expansion of the attack surface far beyond what security teams were previously expected to manage. With employees accessing corporate resources from home networks and personal devices, the opportunities for attackers to establish a foothold increased greatly. Even organisations that had anomaly-based detection systems in place often saw these being thrown off by the sudden change of behaviour patterns, causing a significant increase in false positive alerts.
Secondly, today’s threat groups are far more organised than they were in the early days of cybercrime. The profits made through ransomware and other forms of cyberattacks are often partly reinvested in research and development, as well as in tools that help avoid detection. Ransomware-as-a-Service (RaaS) offers sophisticated toolsets in exchange for a share of the payouts, and criminal enterprises such as DarkSide – the group behind the Colonial Pipeline ransomware attack – even have a customer support helpline and a public relations unit.
Thirdly, and crucially, defenders’ existing security controls for detecting and preventing lateral movement still have several limitations, which result in attackers being able to move freely within the network. Traditionally focused on the perimeter, most of today’s enterprises take a defensive stance that relies on signatures and anomalies for detection. However, once the attacker circumvents the perimeter, the chances of this type of defensive approach catching an intruder are limited.
The limitations extend also to Endpoint Detection and Response (EDR) tools, which won’t always detect activity that is made to resemble normal behaviour and leverages legitimate connectivity. Anomaly-based detection only works if an attacker’s activity is picked up as such, which is not always the case given the sophistication of the tools threat actors employ to deceive and the recent redefinition of the parameters of normal behaviour. In fact, EDRs struggle to identify lateral movement that leverages authentic credentials and normal connections and pathways, and EDR is often the first thing attackers look to disable and circumvent as part of establishing their beachhead.
A paradigm shift: from reactive to active defence
We’ve all heard the phrase “attackers only need to be right once; defenders need to be right all the time”. This is true, but only if we approach security reactively.
Today’s advanced threats require organisations to take an active stance against cyberattacks, which means, in the words of MITRE, the 62-year-old nonprofit dedicated to creating engineering and technical guidance for the U.S. government, “to not only counter current attacks but also to learn more about that adversary and better prepare for new attacks in the future.” This can be achieved with deception and adversary engagement.
By creating a hostile environment for the attacker, defensive teams can create the ultimate deterrent for cybercriminals: a target so difficult to breach that it is no longer cost-effective to pursue it. Deception-based defensive strategies are designed to attract threat actors to targets that appear real but aren’t. Deceptive files, data, and credentials create work for attackers that is difficult to automate away, and when they trip a deception, security teams have a detection that is deterministic, certain not to be a false positive.
Through deception-based detection, lateral movement becomes almost impossible, so that even threat actors with sophisticated tools are unable to perform their reconnaissance work and to move closer to valuable assets without being discovered. This approach requires assuming that an attacker is most likely already within the network, and that it is possible to deterministically detect their presence by creating a web of tripwires that will force them to reveal themselves. While doing so, telemetry can be gathered to understand the target, remediate, and adjust security strategy and tactics to prevent similar attacks in the future.
If there is one lesson to be learnt from the SolarWinds attack, it is that, when it comes to enterprise ransomware, there is no such thing as too big to fail. Cyber hygiene and foundational controls are essential, as is employee education, but only by proactively looking for threats will organisations continue to be one step ahead of increasingly motivated and resourceful threat actors.
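As an added illustration of the tripwire idea described above (example code, not from the article or any vendor), a minimal detector that treats any touch of a decoy credential, decoy file share or decoy host as a deterministic alert and groups hits by source host, so the telemetry points at the endpoint an intruder is operating from. All account names, share paths, addresses and log lines are constructed.

```python
import json
from collections import defaultdict

# Constructed inventory of deception assets (hypothetical names and addresses).
# A real deployment would load these from its deception platform's inventory.
DECOY_ACCOUNTS = {"svc_backup_admin", "sql_ro_legacy"}
DECOY_SHARES = {r"\\fs01\finance_archive"}
DECOY_HOSTS = {"10.0.9.250"}

# Constructed sample telemetry, one JSON event per line (not real logs).
# Normal activity is interleaved with three touches of deception assets.
SAMPLE_LOG = r"""
{"type": "auth", "src": "ws-042", "user": "j.smith", "outcome": "success"}
{"type": "auth", "src": "ws-042", "user": "svc_backup_admin", "outcome": "failure"}
{"type": "share", "src": "ws-042", "path": "\\\\fs01\\finance_archive"}
{"type": "conn", "src": "ws-017", "dst": "10.0.9.250", "dport": 445}
{"type": "conn", "src": "ws-017", "dst": "10.0.1.5", "dport": 443}
"""

def inspect_event(ev):
    """Return (alert_kind, detail) if the event touches a decoy, else None.

    No legitimate workflow ever uses a decoy, so success or failure of the
    attempt is irrelevant: any touch is a high-confidence detection.
    """
    kind = ev.get("type")
    if kind == "auth" and ev.get("user", "").lower() in DECOY_ACCOUNTS:
        return ("decoy_credential", ev["user"])
    if kind == "share" and ev.get("path", "").lower() in {s.lower() for s in DECOY_SHARES}:
        return ("decoy_share", ev["path"])
    if kind == "conn" and ev.get("dst") in DECOY_HOSTS:
        return ("decoy_host", f'{ev["dst"]}:{ev.get("dport")}')
    return None

def detect(log_text):
    """Run every event through the tripwire check; return alerts grouped by source host."""
    alerts = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        hit = inspect_event(ev := json.loads(line))
        if hit:
            alerts[ev["src"]].append(hit)
    return dict(alerts)

if __name__ == "__main__":
    for host, hits in detect(SAMPLE_LOG).items():
        print(f"{host}: {len(hits)} deception hit(s) -> {hits}")
```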