Looking at recent ransomware attacks, the same few attack vectors for lateral movement show up almost every time.
The good news is that, with minimal effort and without purchasing anything, you can dramatically decrease that attack surface.
The first thing to do is to get a handle on Remote Desktop Protocol (RDP). If you have not read my previous post about securing RDP, please do so.
Today I am going to focus on a lot of the other alphabet-soup protocols that can be easily tweaked to make it much harder for an attacker to move around your network.
- LANMAN and NTLM vs. NTLMv2. This is a simple Group Policy tweak: set "Network security: LAN Manager authentication level" (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options) to "Send NTLMv2 response only. Refuse LM & NTLM". That writes LmCompatibilityLevel = 5 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and anything still speaking the older LM or NTLMv1 protocols is refused. Turn on the "Network security: Restrict NTLM" audit policies for a week or two first so you know which old devices and applications are going to break.
- IPv6. Windows turns IPv6 on by default and prefers it over IPv4, and on a network that nobody manages IPv6 on, any host on the same segment can hand out IPv6 configuration that Windows machines will accept. So far IPv6 mostly acts as an unmanaged addressing protocol that allows unauthorized movement through your network. Bob tells me that CSI does not route IPv6 on most networks we work with, so for most of you this is more about lateral movement within a VLAN than across the network. However, the attackers are trying to hopscotch across your network to find your holy of holies. If they can hop to other machines on that VLAN, they may eventually find one that provides greater access to other resources on your network. The name of the game is to bottle up unauthorized access as tightly as you can so that jumping around is really challenging for an attacker. There is no built-in Group Policy setting for IPv6; it is turned off with a Group Policy Preferences registry push of DisabledComponents = 0xFF under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters, followed by a reboot. Microsoft's own guidance is to prefer IPv4 over IPv6 (DisabledComponents = 0x20) rather than disable the stack outright, because some Windows components assume IPv6 is present, so pilot either value on a test OU before pushing it everywhere.
- NetBIOS. This is a Microsoft protocol from the early days of Windows networking. It lets devices on the same VLAN find each other by name over broadcast and talk directly. With NetBIOS over TCP/IP turned on and a WINS server in place, those name lookups can reach beyond the VLAN. Because any host on the segment can answer a NetBIOS name broadcast, leaving it on gives an attacker an effortless way to map out at least that VLAN, if not further, and to pose as whatever machine a client is looking for. There is almost no reason for this protocol to still be on in your network; the one exception is a legacy application that resolves names only through NetBIOS, so check for those before pushing the change. This is a simple Group Policy Preference Extension registry push: NetbiosOptions = 2 on each interface key under HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces (or the Microsoft vendor-class DHCP option that tells DHCP clients to disable NetBIOS, if your interfaces take the setting from DHCP).
- Link-Local Multicast Name Resolution (aka LLMNR). This is another vestige protocol. It lets a device resolve a host name by multicasting to its neighbors when DNS cannot answer, which means a mistyped share name or a stale shortcut becomes a question any host on the segment can answer. An attacker can listen to those requests to learn what your users are looking for, such as your file servers, and answer them falsely, claiming to be the legitimate server so the client connects and authenticates to the attacker's machine instead. There is no reason for this default protocol to still be on. This is a simple Group Policy setting: Computer Configuration > Administrative Templates > Network > DNS Client > "Turn off multicast name resolution" = Enabled (the equivalent Group Policy Preference registry push is EnableMulticast = 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient).
- SMBv1. This is a legacy protocol that many of you still have on because your old multi-function printer/copier/scanners couldn't save to a scan folder without it, or because you simply forgot about it as your network evolved. SMBv1 is a favorite of attackers because it is easy to exploit and lacks the protections built into SMBv2 and SMBv3. It can be turned off on the server side via Group Policy Preferences (SMB1 = 0 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters) and on the client side by disabling the mrxsmb10 driver and removing it from the LanmanWorkstation dependencies; on current Windows builds you can simply remove the SMB1Protocol optional feature. Before you flip the switch, look at the dialect of the sessions on your file servers (Get-SmbSession shows it) so the one scanner that still needs SMBv1 does not stop dropping files silently.
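The following PowerShell script is an added example, not code from the original post or any CSI tool. It spot-checks all five settings in the list above on one machine and, with -Remediate, writes the same registry values a Group Policy or GPP push would deliver. The registry paths and values are Microsoft's documented ones; the pass/fail thresholds (in particular treating anything other than DisabledComponents = 0xFF as "IPv6 still on") are this example's own assumptions. Run it from an elevated prompt.

```powershell
<#
  Spot-check the five legacy-protocol settings on the local host and, with -Remediate,
  write the hardened values. Run from an elevated PowerShell prompt.
  Added example, not code from the original post. Registry paths and values are the
  documented Microsoft ones; the pass/fail thresholds are this example's assumptions.
#>
param([switch]$Remediate)

# Read a registry value, returning $null when the key or the value does not exist.
function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Write a DWORD, creating the key if needed (what a GPP registry item does on the client).
function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$v6    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
$dns   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$srv   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$cli   = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
$findings = @()

# 1. LAN Manager authentication level: 5 = send NTLMv2 only, refuse LM and NTLM.
#    A missing value means the OS default, which still accepts NTLMv1 from clients.
$lm = Get-RegValue $lsa 'LmCompatibilityLevel'
$findings += [pscustomobject]@{ Check = 'LmCompatibilityLevel'; Value = $lm; Ok = ($lm -eq 5) }
if ($Remediate) { Set-RegDword $lsa 'LmCompatibilityLevel' 5 }

# 2. IPv6: 0xFF disables the whole stack (reboot required); 0x20 would only prefer IPv4.
#    Assumption for this check: anything but 0xFF counts as "still on".
$dc = Get-RegValue $v6 'DisabledComponents'
$findings += [pscustomobject]@{ Check = 'IPv6 DisabledComponents'; Value = $dc; Ok = ($dc -eq 0xFF) }
if ($Remediate) { Set-RegDword $v6 'DisabledComponents' 0xFF }

# 3. NetBIOS over TCP/IP, per interface. NetbiosOptions: 0 = from DHCP, 1 = on, 2 = off.
foreach ($iface in Get-ChildItem $netbt) {
    $nb = Get-RegValue $iface.PSPath 'NetbiosOptions'
    $findings += [pscustomobject]@{ Check = "NetBIOS $($iface.PSChildName)"; Value = $nb; Ok = ($nb -eq 2) }
    if ($Remediate) { Set-RegDword $iface.PSPath 'NetbiosOptions' 2 }
}

# 4. LLMNR. The "Turn off multicast name resolution" policy writes EnableMulticast = 0.
$mc = Get-RegValue $dns 'EnableMulticast'
$findings += [pscustomobject]@{ Check = 'LLMNR EnableMulticast'; Value = $mc; Ok = ($mc -eq 0) }
if ($Remediate) { Set-RegDword $dns 'EnableMulticast' 0 }

# 5. SMBv1. Server side: SMB1 = 0 under LanmanServer. Client side: mrxsmb10 Start = 4 (disabled).
#    Also list any live session that still negotiated an SMB 1.x dialect before turning it off.
$smb1Srv = Get-RegValue $srv 'SMB1'
$smb1Cli = Get-RegValue $cli 'Start'
$findings += [pscustomobject]@{ Check = 'SMBv1 server';          Value = $smb1Srv; Ok = ($smb1Srv -eq 0) }
$findings += [pscustomobject]@{ Check = 'SMBv1 client mrxsmb10'; Value = $smb1Cli; Ok = ($null -eq $smb1Cli -or $smb1Cli -eq 4) }
$oldSessions = Get-SmbSession -ErrorAction SilentlyContinue | Where-Object { "$($_.Dialect)" -like '1.*' }
if ($oldSessions) { Write-Warning "SMBv1 sessions still active from: $($oldSessions.ClientComputerName -join ', ')" }
if ($Remediate) {
    Set-RegDword $srv 'SMB1' 0
    if ($null -ne $smb1Cli) {
        # Microsoft's documented client-side steps: drop the SMB1 driver from the workstation
        # service's dependencies, then disable the driver itself.
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
    }
}

$findings | Format-Table -AutoSize
if ($Remediate) { Write-Host 'Values written. Reboot for the IPv6 and SMBv1 client changes to take effect.' }
```

Run it with no arguments on a handful of workstations and servers to see where each row reads Ok = False; that is the spot-check the next paragraph describes, done from one prompt instead of clicking through adapter properties. The -Remediate path is the local equivalent of the Group Policy push, useful for a pilot machine before you build the GPO.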
CSI has a number of tools to help you visualize how and where these protocols exist on your network. However, we can dramatically reconfigure your network to close down these attack vectors with a couple of simple Group Policies and without a lot of research time. You can spot-check whether your workstations and servers are exposed through the adapter properties in your network settings, or from an elevated PowerShell prompt. With the exception of SMBv1, my guess is that you will find all or most of these protocols enabled almost everywhere on your network.
If you need help evaluating and removing these protocols across your network, please let us know.
-Scott Quimby, CISSP