Defending Against Lateral Movement in the Remote Work Era

In recent years, we’ve seen massive cyber attacks use lateral movement to spread far and wide, but in the work-from-home era the game has changed: endpoints now routinely connect to untrusted networks outside of IT’s control, amplifying the potential impact of any attack, since threats on these networks continue to go unobstructed.

The most recent SolarWinds attack using the SUNBURST backdoor, like WannaCry and NotPetya before it, is yet another example of the devastating effects of lateral movement. While FireEye has reported a ‘killswitch’ that prevents the malware from operating in an infected network, they have also stated that:

“if attackers have already deployed additional persistence mechanisms, this killswitch cannot remove the threat from the network”. [1]

Today more than ever, it is clear that no organization is immune from these types of attacks on dirty networks, and that lateral movement is an attack vector that requires a different defensive approach.

Remediating Infected Endpoints 

In almost all cases, an infected endpoint needs to be disconnected from the network, patched, have its administrative shares disabled, and have the infection removed before it can be reconnected to the network.

If these steps aren’t followed and the infection isn’t completely removed from the network, infected machines will reinfect clean endpoints and continue to spread unimpeded. 

And in today’s highly connected remote world, endpoints that connect to dirty, untrusted and unmanaged home and public Wi-Fi networks without any isolation dramatically increase the risk of lateral movement both inside and outside the core network. Administrators have no way to remove an infection from networks they don’t control.

A Better Way Forward: The Secure Endpoint Edge

Isolating each endpoint onto its own micro-segment of one using a physical barrier reduces the effectiveness of lateral movement by eliminating exposure to the local network. This is the concept of hardware-enforced isolation: every endpoint is given its own network security perimeter, regardless of the network it connects to or from.

This type of Zero Trust solution protects vulnerable endpoints from infected networks while remaining independent of the endpoint itself, so that it does not become infected. It gives security teams visibility into the traffic going to and from the endpoint and lets them provision network security policies in real time.

If malicious traffic is detected at the endpoint, administrators can kill traffic to and from the infected device at the click of a button, without disconnecting the device from the network. They can then securely patch and remediate the endpoint remotely, without exposing it to the network or sending it to IT to be rebuilt.

It is also important to keep in mind that the risk of infection through lateral movement isn’t unique to business endpoints like laptops, tablets, and desktops. Attackers don’t discriminate between the networks they target, so without a layer of hardware-enforced isolation, other connected endpoints such as industrial controllers, medical devices, and other IoT devices remain just as vulnerable to infection.

Lateral movement doesn’t have to be so pervasive, as long as security teams embrace the mentality that no network should be trusted and invest in the proper tools for securing endpoints with a Zero Trust approach.

For more information, book a demo with the Byos team to learn more about how micro-segmentation can help your organization defend against lateral movement.

Sources:

  1. https://www.darkreading.com/attacks-breaches/fireeye-identifies-killswitch-for-solarwinds-malware-as-victims-scramble-to-respond/d/d-id/1339746