(Editor’s Note: On July 19, 2016 Carbon Black announced its acquisition of Confer. The enclosed blog was originally posted on Confer’s website on July 14, 2014.)
If you Google “Pivoting and Lateral Movement”, the top hits are for irrigation systems and pilates videos, but it’s also a very important security concept that we need better tools to address.
Specifically, in the security industry we spend a lot of time trying to protect patient 0 in an attack; however, the initial compromise is often only the beginning. Once an attacker has gained a foothold in an environment, they will attempt to move around the network and access other systems. An advanced adversary will look to ensure persistent access beyond the initial compromise, and will route traffic through routers, proxies or forwarding set up on compromised hosts to circumvent network controls such as firewalls. Detecting this lateral movement and network pivoting is one of the more challenging problems in security today because, to most security products, the activity looks completely legitimate: it uses valid credentials and the same protocols administrators use every day.
Defenders often rely on network flow information or instrumentation at various network choke points to detect these movements, but this can be akin to looking for a needle in a haystack. Network-based visibility is high-level, lacks context and is often hampered by encryption. Usually, when relying on network data, at best we can make an inference about lateral movement activities.
Moreover, scale comes into play. Most organizations simply can’t capture every packet. Creating internal perimeters and network segments certainly has value in slowing attackers but still leaves defenders blind to lateral movements within segments. Furthermore, with virtual networking, suspect packets may never hit the physical wire and are not seen by systems designed to capture flows and packets.
The endpoint is in the unique position to see an attacker executing a network pivot and can expose credentialed lateral movement in the environment. Endpoints have the context that network-based devices lack (which process opened a connection, under which account, and what it spawned next) and can help positively identify what is stimulus and what is response: an inbound connection and remote logon on one host, followed by the process that logon caused to run, and then that process's own outbound connection to the next victim.
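To make the stimulus-and-response idea concrete, here is a small correlation routine run over endpoint telemetry. It is an added example for this post, not Confer's or Carbon Black's code; the event format, field names, host list and IP addresses are assumptions made for illustration, and the sample events are constructed by hand rather than captured from real hosts. It pairs a network logon on a host with a process that the same account then starts under a service or WMI/WinRM host process, and follows the spawned process's outbound connections to name the next hop in the pivot chain.

```python
"""Correlate endpoint telemetry to expose credentialed lateral movement and
the pivot that follows it.

Added example for this post; it is not Confer's or Carbon Black's code.
The event format, field names, host list and IP addresses are assumptions
made for illustration, and the sample events are constructed by hand.
"""
from collections import defaultdict

# Assumed host-to-IP map so an inbound source address can be tied back to
# the endpoint that generated the stimulus.
HOST_IPS = {"WS01": "10.0.0.10", "FS02": "10.0.0.20", "DB03": "10.0.0.30"}
IP_HOSTS = {ip: host for host, ip in HOST_IPS.items()}

# Constructed sample telemetry: (timestamp_s, host, event_type, fields).
EVENTS = [
    # Patient 0 (WS01) reaches the file server over SMB with alice's creds.
    (100, "WS01", "net_conn", {"dir": "out", "remote": "10.0.0.20", "port": 445,
                               "image": "psexec.exe", "user": "ACME\\alice"}),
    (101, "FS02", "net_conn", {"dir": "in", "remote": "10.0.0.10", "port": 445}),
    # Network logon (type 3) from WS01's address, then a child of services.exe:
    # the footprint of service-based remote execution.
    (102, "FS02", "logon", {"logon_type": 3, "user": "ACME\\alice", "src_ip": "10.0.0.10"}),
    (104, "FS02", "proc_start", {"image": "cmd.exe", "parent": "services.exe",
                                 "user": "ACME\\alice"}),
    # The spawned shell now pivots onward to the database server.
    (110, "FS02", "net_conn", {"dir": "out", "remote": "10.0.0.30", "port": 445,
                               "image": "cmd.exe", "user": "ACME\\alice"}),
    # Benign network logon by a backup account with no process response.
    (200, "FS02", "logon", {"logon_type": 3, "user": "ACME\\svc_backup", "src_ip": "10.0.0.5"}),
]

STIMULUS_WINDOW = 30    # seconds from remote logon to process response
PIVOT_WINDOW = 300      # seconds from that response to an outbound hop
REMOTE_EXEC_PARENTS = {"services.exe", "wmiprvse.exe", "wsmprovhost.exe"}


def find_lateral_movement(events, window=STIMULUS_WINDOW):
    """Pair each network logon (stimulus) with a process started under the
    same account by a remote-execution host process (response)."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_host[ev[1]].append(ev)
    findings = []
    for host, evs in by_host.items():
        for i, (ts, _, etype, f) in enumerate(evs):
            if etype != "logon" or f.get("logon_type") != 3:
                continue
            for ts2, _, etype2, f2 in evs[i + 1:]:
                if ts2 - ts > window:
                    break
                if (etype2 == "proc_start" and f2["user"] == f["user"]
                        and f2["parent"] in REMOTE_EXEC_PARENTS):
                    findings.append({"host": host, "ts": ts2, "user": f["user"],
                                     "src_ip": f["src_ip"], "child": f2["image"]})
                    break
    return findings


def pivot_chains(events, findings, window=PIVOT_WINDOW):
    """For each finding, name the source endpoint and any next hop the spawned
    process opened, giving 'source -> victim -> next hop' chains."""
    chains = []
    for fd in findings:
        src = IP_HOSTS.get(fd["src_ip"], fd["src_ip"])
        hops = [src, fd["host"]]
        for ts, host, etype, f in sorted(events, key=lambda e: e[0]):
            if (host == fd["host"] and etype == "net_conn" and f.get("dir") == "out"
                    and fd["ts"] <= ts <= fd["ts"] + window
                    and f.get("image") == fd["child"] and f.get("user") == fd["user"]):
                hops.append(IP_HOSTS.get(f["remote"], f["remote"]))
        chains.append(" -> ".join(hops))
    return chains


if __name__ == "__main__":
    found = find_lateral_movement(EVENTS)
    for fd in found:
        print(f"{fd['host']}: {fd['user']} from {fd['src_ip']} spawned {fd['child']}")
    for chain in pivot_chains(EVENTS, found):
        print("pivot chain:", chain)
```

Note what the network alone could not give you here: the backup account's logon at t=200 is ignored because no process responded to it, and the hop to DB03 is attributed to the exact process and account the remote logon produced. Both decisions depend on process and user context that only the endpoint has.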
Also, with today’s distributed, mobile workforce, patient 0 is likely to have been compromised outside the corporate perimeter. Endpoint instrumentation can give better visibility into the whole picture where network-based controls miss critical information.
Hopefully, if we can accurately profile the clandestine movement within an active attack, this will be even more interesting than irrigation systems and pilates videos.