
Mitigating Lateral Movement with Zero Trust Access

Security service edge (SSE) technology was created to protect remote and branch users with a unified, cloud-delivered security stack. To understand how SSE solutions protect organizations and their users, it is worth examining attacker techniques, as well as the protections and controls SSE solutions use to disrupt them.

The MITRE ATT&CK framework is a useful lens for this. MITRE ATT&CK is a large knowledge base of attacker techniques that cybersecurity practitioners use to describe the attack kill chains they observe when studying threat activity. This post uses the MITRE ATT&CK framework to analyze specific techniques within the "lateral movement" category, describe how each technique works, and detail how Cisco's SSE solution, Cisco Secure Access, can protect you from them.

Lateral Movement

Lateral movement is a critical component of the cyber kill chain. Once attackers have breached a single system or user account, they need to expand their presence within the network to reach valuable resources, sensitive data, or more permissive privileges. Lateral movement lets attackers establish a foothold within the network, extend their reach, and achieve their objectives.

Attackers use a variety of techniques, such as exploiting remote services or infecting shared resources, to move horizontally across the network and gain unauthorized access to more critical systems or privileged accounts. By moving laterally, attackers can evade detection, maintain persistence, and maximize the impact of their attack.

In its Enterprise Matrix, the MITRE ATT&CK framework describes lateral movement as a category made up of nine techniques, several with numerous sub-techniques. That is too much to cover in one blog post, so let's analyze a few of the most common techniques.

Exploitation of Remote Services

One of the key techniques used in lateral movement is the exploitation of remote services. In this technique, attackers look for a vulnerable or misconfigured service that they can exploit to gain access to the system it is running on. From there, they continue to exploit the remote system, often establishing persistence so they can return to it again and again and use it as a launchpad to pivot deeper into the network.

Attackers usually start by discovering which services are running on an organization's remote systems, and they use a variety of discovery techniques to determine whether any of them are vulnerable to compromise. Most services have had some kind of vulnerability at some point, and if any of them are left unpatched and outdated, that vulnerability may still be exploitable. For example, in 2017, the WannaCry ransomware used an exploit called EternalBlue, which took advantage of a vulnerability in the server message block (SMB) protocol, to spread around the world. In addition, applications used on the internal network, such as MySQL, may contain vulnerabilities that attackers can exploit. While many of these vulnerabilities have patches available, it is often difficult to patch a resource or easy to overlook one, leaving it exposed to attack.

Remote Services

Often, the attacker does not need to attack the remote service itself; instead, they can use valid credentials that were stolen some other way to take advantage of remote services intended for employees. In this attack, the attacker obtains stolen credentials through techniques such as phishing or credential stuffing.

Once they have these credentials, they can use remote access services such as secure shell (SSH) or remote desktop protocol (RDP) to move deeper into the network. Often these credentials are used in centralized identity management with single sign-on, which gives the attacker wide reach in the network if they can successfully authenticate with the central identity provider.

In some cases, legitimate applications make use of remote services, such as software deployment tools or native remote desktop applications, and these can sometimes be abused to obtain remote code execution or lateral movement.

Taint Shared Content

Attackers may gain access to a shared resource, such as a shared storage location like a cloud storage provider. In these cases, attackers can use that access to inject malicious programs, scripts, or exploit code into otherwise legitimate files. When a user opens the infected shared content, the malicious payload executes, giving the adversary access to that user's system and allowing them to move laterally deeper into the network.

For example, in April 2023, Google's Cybersecurity Action Team described a rise in threat actors using Google Drive to deliver malware and exfiltrate data. The report detailed a nation-state attack that delivered an ISO file containing a malicious DLL via Google Drive. Another threat actor stored malware on Google Drive to evade detection and sent phishing emails containing links to the malicious file. Yet another threat actor used Google Drive as a destination for exfiltrated data.

How Cisco Secure Access Can Help

Lateral movement is a critical element of the cyber kill chain. Properly addressing it requires a combination of threat detection and policy enforcement. One of the challenges organizations face when preventing lateral movement, or cyberattacks in general, is the large number of remote users. In the past, organizations relied on virtual private networks (VPNs) to let remote users access private company resources and browse the Internet under the protection of corporate security controls.

There are a few challenges to relying so heavily on VPNs. For one, most companies built their VPN architecture to serve a small minority of users. As remote and hybrid work became commonplace, users stretched the capacity of VPNs, often leading to performance problems. That leads users to disconnect from the VPN wherever possible just to stay productive, which jeopardizes security.

The other problem is that zero trust access policies are difficult to implement on VPNs, often requiring large and complex access control lists to be managed. This has led to a situation where many companies don't segment VPN traffic at all. That means that once an attacker gains access to a corporate VPN, they can move laterally throughout the network with relative ease. In recent years, this has been a component of several high-profile breaches.

Cisco Secure Access was designed to protect remote users, wherever they are and whatever they are accessing, and to secure corporate resources that must now be reachable over the Internet.

This involves placing private apps behind a layer of security using Zero Trust Network Access (ZTNA). This technology places a security boundary around your applications and, as the name implies, applies zero trust access policies to any user attempting to connect to the protected resource. These policies range from simply ensuring a user is authenticated with MFA to posture assessments, such as ensuring they are using an up-to-date operating system or a corporate-managed device. It also supports logical group policies, such as ensuring only engineers can access code repositories or only sales and support can access customer relationship management solutions.

These policies are applied on a per-user and per-application basis, which creates segmentation between applications. This is critical in preventing lateral movement. If an attacker manages to satisfy authentication and all access policies for one application, their reach is limited to that application alone. They are unable to pivot deeper into the network.
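The per-user, per-application model described above can be made concrete with a small default-deny policy evaluator. This is an added example and not Cisco Secure Access code; the policy schema, the posture attributes (MFA, patched OS, managed device) and the three applications are assumptions chosen to mirror the examples in the text. The `reachable_apps` helper shows the blast radius of a compromised identity: even with a valid session, the attacker sees only the apps that identity's group and device posture qualify for, never "the network".

```python
"""Per-user, per-application access decisions in the style of a ZTNA policy
engine, to illustrate how application-level segmentation bounds lateral
movement.

Added example, not Cisco Secure Access code. The policy schema, posture
attributes and application names are constructed for the demonstration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One access attempt: who is asking, from what device, for which app."""
    user: str
    groups: frozenset          # groups asserted by the identity provider
    mfa: bool                  # session completed multi-factor authentication
    os_patched: bool           # posture: operating system is up to date
    managed_device: bool       # posture: corporate-managed endpoint
    app: str


@dataclass(frozen=True)
class AppPolicy:
    """Policy attached to a single application. There is no network-wide grant."""
    allowed_groups: frozenset
    require_mfa: bool = True
    require_patched_os: bool = False
    require_managed_device: bool = False


# Constructed policy set mirroring the text: engineers get code repositories,
# sales and support get the CRM, everyone in a known group gets the wiki.
POLICIES = {
    "git": AppPolicy(frozenset({"engineering"}), require_mfa=True,
                     require_patched_os=True, require_managed_device=True),
    "crm": AppPolicy(frozenset({"sales", "support"}), require_mfa=True),
    "wiki": AppPolicy(frozenset({"engineering", "sales", "support"}),
                      require_mfa=True),
}


def evaluate(req, policies=POLICIES):
    """Return (decision, reason). Default deny: an app with no policy is
    unreachable, and every check must pass for an allow."""
    policy = policies.get(req.app)
    if policy is None:
        return ("deny", "no policy for app")
    if not (req.groups & policy.allowed_groups):
        return ("deny", "user not in an allowed group")
    if policy.require_mfa and not req.mfa:
        return ("deny", "MFA required")
    if policy.require_patched_os and not req.os_patched:
        return ("deny", "OS not up to date")
    if policy.require_managed_device and not req.managed_device:
        return ("deny", "unmanaged device")
    return ("allow", "all checks passed")


def reachable_apps(user, groups, mfa, os_patched, managed_device,
                   policies=POLICIES):
    """Every application this identity and device posture can reach: the
    blast radius if that identity's session were stolen."""
    return sorted(
        app for app in policies
        if evaluate(Request(user, frozenset(groups), mfa, os_patched,
                            managed_device, app), policies)[0] == "allow"
    )


if __name__ == "__main__":
    # A sales user's session replayed from an unmanaged, unpatched device:
    # reaches the CRM and the wiki, but the code repositories stay out of reach.
    print(reachable_apps("sam", ["sales"], mfa=True, os_patched=False,
                         managed_device=False))
    # An engineer on an unmanaged device is denied the repositories by posture.
    print(evaluate(Request("eve", frozenset({"engineering"}), True, True,
                           False, "git")))
```

Contrast this with the flat VPN described earlier in the post: there, a single successful authentication yields network reachability to every host, and segmentation has to be retrofitted with access control lists. Here the reachable set is recomputed per application from identity and posture, so a compromised sales account cannot be used to enumerate or reach the engineering systems at all.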

ZTNA isn't the right choice for every application, which is why Cisco Secure Access also includes an integrated VPN-as-a-service (VPNaaS) for a complete Zero Trust Access solution. This lets organizations move off physical VPN infrastructure, improving performance for end users and reducing management headaches. It is also fully integrated into Cisco Secure Access' unified policy management, ensuring there is still segmentation and zero trust policy enforcement.

In addition, Secure Access includes an integrated Firewall-as-a-service (FWaaS) with an intrusion prevention system. This protects traffic over non-web protocols and blocks exploitation of vulnerabilities such as those used by the WannaCry ransomware.

The other part of preventing lateral movement is blocking initial access by protecting users while they browse the Internet. This is done by blocking phishing websites, blocking malware, and enforcing data loss prevention policies. It greatly decreases the chance that a user's account or machine will become compromised, which can keep attackers from ever reaching the lateral movement phase of the kill chain.

Cisco Secure Access can deliver all these outcomes and capabilities by unifying twelve different security technologies into a single, cloud-delivered platform. This is known as a security service edge (SSE) solution. At its core, an SSE solution provides secure access to the Internet, cloud services, and private applications for users, regardless of where they are located. It delivers zero trust access control, threat protection, data security, and acceptable use policy enforcement for all users and resources. SSE is the security component of the secure access service edge (SASE) architecture, which combines networking and security to streamline operations, improve security resilience, provide end-to-end protection, and securely connect users to resources.

Cisco Secure Access provides a better experience for end users by simplifying access flows. Users no longer need to worry about managing VPN connections; when they try to access applications, it just works. It also makes IT administration easier, using a single, unified policy management dashboard for all of its component parts. Finally, it makes everyone safer by applying advanced security capabilities to mitigate risk.

To learn more about Cisco Secure Access, watch the webinar Deep Dive into a Modern Zero Trust Access (ZTA) Architecture.

We'd love to hear what you think. Ask a question, comment below, and stay connected with Cisco Security on social!
