How to Prevent Lateral Movement using Windows Firewall?

Security
Segmentation
Windows Firewall
nodeProtect
April 28, 2020
Jonas Lagerström

Proper lateral movement preventions can be the difference between one user’s laptop being encrypted with ransomware and your entire corporate network. One of the more effective steps to prevent lateral movement is network segmentation (and micro-segmentation in particular).

What is Lateral Movement?

Lateral movement is the term used to describe the techniques adversaries (threat actors, cyber attackers) use to move deeper into the network once they have a foothold.

Here’s an example of that:

  1. A user is tricked into opening an email containing a malicious attachment which leads to an attacker having access to the user’s laptop.
  2. The attacker uses the foothold gained on the laptop to enumerate the corporate network and finds that the laptop can remotely access a SQL server.
  3. Through various means not covered in this blog post, the attacker gains access to the SQL server that a domain admin has logged on to.
  4. The attacker uses the domain administrator credentials saved on the SQL server to continue to move around the environment where the end game might be data exfiltration or extorting money through ransomware.

According to the Carbon Black Global Incident Response Threat Report (April 2019), 70% of all attacks involve attempts at lateral movement, and 50% of attacks leverage “island hopping” (meaning the attackers attempt lateral movement not only through your network but through every network in the supply chain) - https://www.carbonblack.com/global-incident-response-threat-report/april-2019/

It’s important to keep in mind that not all lateral movement is done actively by an attacker: some of the more sophisticated malware/ransomware families have a built-in capability to move laterally through the network as well, to cause the maximum amount of mayhem.

Why segmentation is important

With proper network segmentation in place, the attacker in the above example would not have been able to easily pivot from the laptop to the SQL server, nor to use the credentials from the SQL server to continue moving around the environment (it would of course have been preferable if there weren’t domain admin credentials on the SQL server to begin with, but that is outside the scope of this blog post).

So where to start?

Some of the most commonly used administration/management tools can be used for lateral movement, so we would suggest locking down the following:

  • Remote Desktop
  • SMB
  • Remote PowerShell
  • RPC

It’s important to limit the exposure at the host firewall level (and between networks, if you already have some level of network segmentation in place), since there can be “hidden” and lesser known functionality or vulnerabilities in the protocol/implementation.

For example, you might have strong authentication in place for Remote Desktop, but if you have some servers that are not updated you might be vulnerable to BlueKeep/DejaBlue (https://en.wikipedia.org/wiki/BlueKeep). Likewise, you might not have any SMB shares on your servers, but just the fact that SMB traffic is allowed opens up the possibility for lateral movement, for example via PsExec and remote service creation, and exploits such as EternalBlue (https://en.wikipedia.org/wiki/EternalBlue).

This recommendation applies to all services exposed on the network, but those above are commonly used for lateral movement so it’s a good place to start.

The easiest way to start with this is to use dedicated PAWs (Privileged Access Workstations – read here for more details: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations) that cannot be accessed from the network, and to create inbound firewall rules for the above traffic scoped to the IPs of the PAWs. This is of course not possible for all servers, for example file servers that require clients to access them over SMB.

Another thing to look at is the common “tiered” application – consider an application that has a web tier, a middleware tier and a database tier. There’s no reason for the database to allow access from anything other than the middleware tier.
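Putting the PAW-scoped inbound rules and the tiered-application rule into PowerShell, as an added example that is not part of the original post. The helper function name, the “Segmentation:” rule names and all IP addresses are assumptions; the display group names are the Windows Firewall defaults for the built-in rules.

```powershell
# Added example (not from the original post). Scopes inbound management
# traffic on this host to a list of trusted source addresses: PAW IPs for
# an ordinary server, or the middleware tier for a database server.
# Function name, rule names and addresses are assumed values.
function Restrict-InboundManagement {
    param(
        [Parameter(Mandatory)] [string[]] $TrustedSources,  # PAW IPs or a CIDR
        [string] $Profile = 'Domain',
        [switch] $WhatIf                                    # dry run when set
    )
    # The services the post recommends locking down. 'RPCEPMap' and 'RPC'
    # are Windows Firewall port keywords for the endpoint mapper (TCP 135)
    # and the dynamic RPC range, so no hard-coded port list is needed.
    $services = @(
        @{ Name = 'Remote Desktop';      Port = '3389';        Groups = @('Remote Desktop') }
        @{ Name = 'SMB';                 Port = '445';         Groups = @('File and Printer Sharing') }
        @{ Name = 'Remote PowerShell';   Port = '5985','5986'; Groups = @('Windows Remote Management') }
        @{ Name = 'RPC Endpoint Mapper'; Port = 'RPCEPMap';    Groups = @() }
        @{ Name = 'RPC Dynamic';         Port = 'RPC';         Groups = @() }
    )
    foreach ($svc in $services) {
        # The built-in allow rules accept any remote address; a scoped rule
        # only restricts anything if those broader allows are disabled first.
        foreach ($g in $svc.Groups) {
            Get-NetFirewallRule -DisplayGroup $g -Direction Inbound -ErrorAction SilentlyContinue |
                Disable-NetFirewallRule -WhatIf:$WhatIf
        }
        New-NetFirewallRule -DisplayName "Segmentation: $($svc.Name) from trusted sources" `
            -Direction Inbound -Action Allow -Protocol TCP -LocalPort $svc.Port `
            -RemoteAddress $TrustedSources -Profile $Profile -WhatIf:$WhatIf | Out-Null
    }
    # Anything not explicitly allowed is dropped.
    Set-NetFirewallProfile -Profile $Profile -DefaultInboundAction Block -WhatIf:$WhatIf
}

# PAW scenario: only the two PAWs (assumed addresses) may reach the
# management services on this host.
Restrict-InboundManagement -TrustedSources '10.10.1.10','10.10.1.11' -WhatIf

# Tiered application: the database server accepts SQL Server traffic only
# from the middleware tier's subnet (assumed address range).
New-NetFirewallRule -DisplayName 'Segmentation: SQL from middleware tier' -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort 1433 -RemoteAddress '10.20.0.0/24' -Profile Domain -WhatIf
```

Run with -WhatIf first to review what would change, then drop the switch to apply; on a file server leave the SMB entry out, since clients need it, as the post notes.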

Conclusion

It’s important to keep in mind that this is not an exhaustive list of all the ways to move laterally through a network, but it’s a lot of bang for your buck.

If you need any suggestions or help figuring out where to start with your micro-segmentation project to minimize your exposure to lateral movement, feel free to contact us at nodeProtect!

For more information on lateral movement, the MITRE ATT&CK framework lists a number of techniques - https://attack.mitre.org/tactics/TA0008/

© 2020 addlevel - a part of TRUESEC. All rights reserved.