Lateral Movement Detection in Cloud Computing

As more actors transition to cloud computing, a more strategic solution, such as detection of lateral movement, is in high demand

Illustration: Bigstock

Cloud services' main strength and allure for businesses is that they replace the need to maintain on-premise software applications: a business pays only for the resources it actually uses while benefiting from the provider's scale and reliability. According to a recent report, 93% of businesses' processes are being moved to the cloud.

This trend is far from confined to the business field. A computing cloud developed by Amazon Web Services for the Central Intelligence Agency now serves all 17 agencies of the US intelligence community. This development has ushered in a new era of cooperation and coordination, allowing agencies to share information and services easily and to avoid the kind of intelligence gaps that preceded September 11, 2001.

However, in the private as well as the governmental spheres, the transition to the cloud has not been without hesitation, with many delaying the move because of the cloud's potential security flaws and its potential for misuse. Examples of misuse include account hijacking of the sort Google reported in 2010: the Gmail accounts of two human rights activists were apparently compromised in a raid on Google's password system carried out by China. The Obama administration called the attack "an increasingly serious cyber threat to US critical industries."

As more and more companies and branches of government, the keepers of society's most delicate infrastructures, move their systems to the cloud, demand has grown for strategic and thorough solutions that provide cloud security.

Following the Tracks

Lateral movement refers to the various techniques attackers use to progressively spread through a network as they search for key assets and data. The lateral movement phase represents the biggest difference between today's strategic, targeted attacks and the simplistic "smash-and-grab" attacks of the past: a sufficient firewall can block the initial intrusion, but it cannot respond to an attacker who is already inside the system. This represents a major paradigm shift from relying on endpoint protection methods (such as firewalls) to observing and detecting lateral movement in systems across spheres.

In most cases, attackers must move from device to device and gain access privileges to reach the high-value data inside the network. In addition to digging deeper into the network, lateral movement gives attackers additional points of control in a compromised network. For example, threat actors target an individual's credentials, which allow them to move throughout the network under the guise of a legitimate user.

Several years ago, the Target Company suffered a cyberattack in which hackers compromised its heating vendor. Ultimately, they stole the personal and payment information of Target's customers. The hackers, disguised as legitimate users, could breach the perimeter and enter the network to wreak havoc.

Threat actors are increasingly targeting unsecured cloud users, leveraging features common to public cloud platforms to conceal their activity as they breach networks.

Most of these attacks start with credential theft. An attacker can steal access keys or credentials via phishing, deploy malware that picks up usernames and passwords, or snatch them from a repository to which a developer has accidentally uploaded his credentials.

The challenge, therefore, is to identify an attacker as quickly as possible, giving the attacker the least opportunity to achieve lateral movement and remove critical data from the system. The behavior of an external actor operating in an internal system, tied to any sort of internal reconnaissance or suspicious activity, is something that can be recognized.
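One concrete way to recognize that behavior from cloud audit logs, as an added example that is not from the original article or from Fenror7: the detector below flags an identity that appears from a source address never seen for it before, and an identity that reaches several distinct hosts within a short window. The event sample and its log format are constructed for the example and do not correspond to any particular provider.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical format, not any real provider's):
# (timestamp, principal, source_ip, target_host, action)
EVENTS = [
    ("2024-03-01T09:00:00", "dev-alice", "10.0.1.15", "vm-build-01", "ssh_login"),
    ("2024-03-01T09:40:00", "dev-alice", "10.0.1.15", "vm-build-02", "ssh_login"),
    ("2024-03-01T10:15:00", "ops-bob", "10.0.2.9", "vm-db-01", "ssh_login"),
    ("2024-03-01T13:00:00", "dev-alice", "10.0.1.15", "vm-build-01", "ssh_login"),
    # Same identity, unfamiliar source address, hopping across hosts within minutes.
    ("2024-03-01T22:01:00", "dev-alice", "198.51.100.7", "vm-db-01", "ssh_login"),
    ("2024-03-01T22:01:30", "dev-alice", "198.51.100.7", "vm-db-02", "ssh_login"),
    ("2024-03-01T22:02:10", "dev-alice", "198.51.100.7", "vm-app-03", "ssh_login"),
    ("2024-03-01T22:02:45", "dev-alice", "198.51.100.7", "vm-app-04", "ssh_login"),
]

def detect_lateral_movement(events, window=timedelta(minutes=10), fanout=3):
    """Return alerts as (principal, source_ip, reason, timestamp) tuples.

    Two heuristics over one identity's activity:
      new_source  - the identity is used from a source address never seen for it before
      host_fanout - the identity reaches >= `fanout` distinct hosts within `window`
    Each (principal, source_ip, reason) combination fires at most once.
    """
    known_sources = defaultdict(set)   # principal -> source IPs seen so far (learned online)
    recent = defaultdict(deque)        # principal -> sliding window of (time, target_host)
    fired, alerts = set(), []
    for ts, principal, src, target, _action in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        # Heuristic 1: credential used from a source this identity has never used.
        if known_sources[principal] and src not in known_sources[principal]:
            key = (principal, src, "new_source")
            if key not in fired:
                fired.add(key)
                alerts.append((*key, ts))
        known_sources[principal].add(src)
        # Heuristic 2: one identity touching many distinct hosts inside the window.
        q = recent[principal]
        q.append((t, target))
        while q and t - q[0][0] > window:
            q.popleft()
        if len({host for _, host in q}) >= fanout:
            key = (principal, src, "host_fanout")
            if key not in fired:
                fired.add(key)
                alerts.append((*key, ts))
    return alerts

if __name__ == "__main__":
    for alert in detect_lateral_movement(EVENTS):
        print(alert)
```

The thresholds are deliberately simple; in practice the baseline of known sources would be seeded from weeks of history rather than learned from the same batch being scored.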

And so, as the security stack migrates toward the lateral movement paradigm, the services of the security stack are themselves becoming cloud-based services rather than on-premise software applications. Lateral movement detection in the cloud will become critical in the coming years as more organizations adopt the transitions in cloud and security services, putting cloud-based security solutions in ever higher demand.

***

Tom Feigin is a Senior Software Engineer at Fenror7. Mayan Sarnat is an MA student of Security and Diplomacy at Tel Aviv University.
