
Security service edge (SSE) technology was created to protect remote and branch users with a unified, cloud-delivered security stack. To understand how SSE solutions protect organizations and their users, it’s worthwhile to analyze attacker techniques, as well as the protections and controls SSE solutions use to disrupt them.

It’s useful to use the MITRE ATT&CK framework. MITRE ATT&CK is a large knowledge base of attacker techniques that cybersecurity experts use to describe the attack kill chains observed when studying threat activity. This post uses the MITRE ATT&CK framework to analyze specific techniques within the “lateral movement” category, describe how each technique works, and detail how Cisco’s SSE solution, Cisco Secure Access, can protect you from them.

Lateral Movement

Lateral movement is a critical phase in the cyber kill chain. Once attackers have breached a single system or user account, they need to expand their presence within the network to access valuable resources, sensitive data, or more permissive privileges. Lateral movement allows attackers to establish a foothold within the network, expand their reach, and achieve their objectives.

Attackers use a variety of techniques, such as exploiting remote services or infecting shared resources, to move horizontally across the network and gain unauthorized access to more critical systems or privileged accounts. By maneuvering laterally, attackers can evade detection, maintain persistence, and maximize the impact of their attack.

In its Enterprise Matrix, the MITRE ATT&CK framework describes lateral movement as a category made up of nine techniques, several with numerous sub-techniques. While that is too much to cover in this blog post, let’s analyze a few of the most common techniques.

Exploitation of Remote Services

One of the key techniques used in lateral movement is the exploitation of remote services. In this technique, attackers are looking for a vulnerable or misconfigured service that they can exploit to gain access to the system it is running on. From there, they will continue to exploit the remote system, often establishing persistence so they can return to the system over and over again and use it as a launchpad to pivot deeper into the network.

Attackers usually start with discovering what services are running on a company’s remote systems, and they use a variety of discovery techniques to determine if any of them are vulnerable to compromise. Most services have had some sort of vulnerability at some point, and if any of them are left unpatched and outdated, that vulnerability may be active. For example, in 2017, the WannaCry ransomware used an exploit called EternalBlue, which took advantage of a vulnerability in the server message block (SMB) protocol, to spread around the world. In addition, applications that may be used in the internal network, such as MySQL, may contain vulnerabilities that attackers can exploit. While many of these vulnerabilities may have patches available for them, oftentimes it is difficult to patch a resource or easy to overlook it, leaving it vulnerable to attacks.

Remote Services

Sometimes, the attacker doesn’t need to attack the remote service itself, but instead, they can use valid credentials that have been stolen some other way to utilize remote services intended for employees. In this attack, the attacker obtains stolen credentials through techniques such as phishing or credential stuffing.

Once they have these credentials, they can use remote access services such as secure shell (SSH) or remote desktop protocol (RDP) to move deeper into the network. Sometimes these credentials are used in centralized identity management with single sign-on, which gives the attacker wide reach in the network if they can successfully authenticate with the central identity provider.

In some cases, legitimate applications may utilize remote services, such as software deployment tools or native remote desktop applications, which can sometimes be abused to obtain remote code execution or lateral movement.

Taint Shared Content

Attackers may gain access to a shared resource, such as a shared storage location like a cloud storage provider. In these cases, attackers can leverage this access to inject malicious programs, scripts, or exploit code into otherwise legitimate files. When a user accesses the tainted shared content, the malicious payload executes, giving the adversary access to the remote system and allowing them to move laterally deeper into the network.

For example, in April 2023, Google’s Cybersecurity Action Team described a rise in threat actors using Google Drive to deliver malware and exfiltrate data. The report detailed a nation-state attack that was delivering an ISO file containing a malicious DLL via Google Drive. Another threat actor stored malware on Google Drive to evade detection and sent phishing emails that contained links to the malicious file. Yet another threat actor used Google Drive as a location to exfiltrate data to.

How Cisco Secure Access Can Help

Lateral movement is a critical component of the cyber kill chain. Properly addressing lateral movement requires a combination of threat detection and policy enforcement. One of the challenges organizations face when preventing lateral movement, or cyberattacks in general, is the high number of remote users. In the past, organizations relied on virtual private networks (VPNs) to enable remote users to access private company resources and to browse the Internet with the protection of corporate security.

There are a few challenges to relying so heavily on VPNs. For one, most companies built their VPN architecture to serve a small minority of users. As remote and hybrid work became commonplace, users stretched the capacity of VPNs, often leading to performance problems. This leads users to disconnect from VPNs where possible just to stay productive, which jeopardizes security.

The other problem is that zero trust access policies on VPNs are difficult, often requiring managing large and complex access control lists. This has led to a scenario where many companies do not segment VPN traffic at all. This means that once an attacker gains access to a corporate VPN, they can move laterally throughout the network with relative ease. In recent years, this has been a component of several high-profile breaches.

Cisco Secure Access was designed to protect remote users, wherever they are and whatever they are accessing, and to secure corporate resources that must now be accessible over the Internet.

This involves placing private apps behind a layer of protection using Zero Trust Network Access (ZTNA). This technology places a security boundary around your applications, and, as the name implies, applies zero trust access policies to any user trying to connect to the protected resource. These policies can range from something as simple as ensuring a user is authenticated with MFA to posture assessments, such as ensuring they are using an updated operating system or a corporate-managed device. It also supports logical group policies, such as ensuring only engineers can access code repositories or only sales and support can access customer relationship management solutions.

These policies are applied on a per-user and per-application basis, which creates segmentation between applications. This is critical in preventing lateral movement. If an attacker manages to bypass authentication and all access policies, their reach is limited only to that application. They are unable to pivot deeper into the network.
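
The segmentation effect described above can be modeled in a few lines. This is an added example, not part of the original post and not Cisco Secure Access configuration or API: a Python sketch that compares what a taken-over account can reach on an unsegmented VPN with what it can reach under per-user, per-application policies. The application names, groups, and session fields are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset
    mfa_passed: bool
    managed_device: bool
    os_patched: bool

@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: frozenset
    require_mfa: bool = True
    require_managed_device: bool = False
    require_patched_os: bool = False

# Constructed policy set: one rule per private application, default deny otherwise.
POLICIES = {
    "code-repo": AppPolicy(frozenset({"engineering"}),
                           require_managed_device=True, require_patched_os=True),
    "crm": AppPolicy(frozenset({"sales", "support"})),
    "hr-portal": AppPolicy(frozenset({"hr"}), require_managed_device=True),
}

def ztna_allows(session, app):
    """Evaluate one access request against that application's policy only."""
    policy = POLICIES.get(app)
    if policy is None:
        return False  # default deny: no policy means no access
    if not (session.groups & policy.allowed_groups):
        return False  # logical group policy
    if policy.require_mfa and not session.mfa_passed:
        return False
    if policy.require_managed_device and not session.managed_device:
        return False  # posture: corporate-managed device
    if policy.require_patched_os and not session.os_patched:
        return False  # posture: updated operating system
    return True

def reachable_flat_vpn(session):
    """Unsegmented VPN: once connected, every private app is routable."""
    return set(POLICIES)

def reachable_ztna(session):
    """Reach is limited to the apps whose own policy this session passes."""
    return {app for app in POLICIES if ztna_allows(session, app)}

# Constructed sessions: a sales account taken over and used from an unmanaged
# device, and an engineer on a managed, patched device.
stolen_sales = Session("sales-user", frozenset({"sales"}), True, False, False)
engineer = Session("eng-user", frozenset({"engineering"}), True, True, True)
```

With these constructed inputs, the stolen sales session reaches all three applications on the flat VPN but only `crm` under per-application policy.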

ZTNA isn’t the right choice for every application, which is why Cisco Secure Access also uses an integrated VPN-as-a-service (VPNaaS) for a complete Zero Trust Access solution. This allows organizations to move off physical VPN infrastructure, improving performance for end users and reducing management headaches. It is also fully integrated into Cisco Secure Access’ unified policy management, ensuring there is still segmentation and zero trust policy enforcement.

In addition, Secure Access includes an integrated Firewall-as-a-service (FWaaS) with an intrusion prevention system. This protects traffic over non-web protocols and blocks vulnerabilities such as those used by WannaCry ransomware.

The other part of preventing lateral movement is blocking initial access by protecting the user when they are surfing the Internet. This is done by blocking phishing websites, blocking malware, and enforcing data loss prevention policies. This greatly decreases the likelihood the user’s account or machine will become compromised, which can prevent attackers from ever getting to the lateral movement phase of the kill chain.

Cisco Secure Access can deliver all these outcomes and capabilities by unifying twelve different security technologies into a single, cloud-delivered platform. This is known as a security service edge (SSE) solution. At its core, an SSE solution provides secure access to the Internet, cloud services, and private applications for users, regardless of where they are located. It delivers zero trust access control, threat protection, data security, and acceptable use policy enforcement for all users and resources. SSE is the security component of the secure access service edge (SASE) architecture, which combines networking and security to streamline operations, increase security resilience, provide end-to-end protection, and securely connect users to resources.

Cisco Secure Access provides a better experience for end users by simplifying access flows. Users no longer need to worry about managing VPN connections. When they try to access applications, it just works. It also makes IT management easier. It uses a single, unified policy management dashboard for all its component parts. Lastly, it makes everyone safer by leveraging advanced security capabilities to mitigate risk.

To learn more about Cisco Secure Access, watch the webinar Deep Dive into a Modern Zero Trust Access (ZTA) Architecture.





Authors

Andrew Akers

Product Marketing Manager

Security Product Marketing