One of the most important goals in any threat actor's plan is to move laterally through a victim's network once an initial foothold has been gained.
Some attackers may be satisfied with compromising one device, and if they get lucky it may be the only one they need. But usually attackers want to move around, and up, until they hold administrative privileges over the entire network.
This means stopping lateral movement is a prime defensive tactic for infosec leaders.
In a column this week, Microsoft explained how, using its tools, lateral movement can be blunted. While the advice is good for shops that only use Microsoft tools, administrators should also be able to figure out how other applications in their environment could be leveraged.
The authors suggest starting by segmenting the directory's accounts and systems into three tiers: Tier 0 for all accounts and servers that either are domain administrators or have a direct path to domain administrator privileges; Tier 1 for business-critical applications (file shares, application servers and database servers); and Tier 2 for normal user workstations and standard user accounts.
Creating separate tiers cuts off lateral movement from a standard user workstation to an application server or domain controller, the blog notes. If a standard user's machine is compromised and the attacker harvests password hashes from it, the only credentials on that machine belong to Tier 2 accounts, because higher-tier accounts never log on to it; those credentials have no rights on Tier 1 or Tier 0 systems, so there is no movement path toward more sensitive accounts and servers.
The different tiers must be completely segregated from each other. In Windows Active Directory this is done with Group Policy Objects (GPOs) applied to each tier's computers that deny the other tiers' accounts the right to log on to them, whether locally, through Remote Desktop, over the network, as a service or as a batch job. No account can be allowed to cross a tier boundary in either direction. For example, the authors say, a Tier 0 administrator should be denied access to a Tier 1 or Tier 2 machine, since logging on there would leave Tier 0 credentials on a less trusted system. If an account's credentials are exposed to another tier anyway, that account's password must be reset.
For even greater security, those with privileged accounts should be forced to log in through a dedicated privileged access workstation (PAW). Because an account in one tier can only sign in to computers in the same tier, a user with accounts in more than one tier has to use separate computers. A Tier 0 user should use a PAW to access only Tier 0 assets, and a different computer for checking email or using productivity applications, which are Tier 2 activities.
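The deny rights themselves are set in the Group Policy Management console under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment, one GPO per tier. The script below is an added example, not code from the Microsoft column: it checks from a machine's side whether the tier boundary has actually landed by exporting the effective user-rights assignments with secedit, resolving the SIDs to names, and reporting which other-tier groups are missing from each of the five "Deny log on" rights. The group names Tier0-Admins, Tier1-Admins and Tier2-Users are placeholders, not names from the column.

```powershell
# Added example, not code from the Microsoft column. Audits the "Deny log on" user
# rights in effect on the machine it runs on and reports, for each right, which
# other-tier groups are missing from it. Run in an elevated PowerShell session
# (secedit needs administrator rights to export the local security policy).
function Test-TierLogonDenies {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$MachineTier,
        [string]$Domain = $env:USERDOMAIN
    )

    # Hypothetical group names for the accounts of each tier; substitute your own.
    $tierGroups = @{ 0 = "Tier0-Admins"; 1 = "Tier1-Admins"; 2 = "Tier2-Users" }

    # The five logon rights a tier boundary has to close.
    $denyRights = @(
        "SeDenyInteractiveLogonRight",        # Deny log on locally
        "SeDenyRemoteInteractiveLogonRight",  # Deny log on through Remote Desktop Services
        "SeDenyNetworkLogonRight",            # Deny access to this computer from the network
        "SeDenyBatchLogonRight",              # Deny log on as a batch job
        "SeDenyServiceLogonRight"             # Deny log on as a service
    )

    # Every tier except this machine's own tier must be denied on it.
    $mustDeny = @($tierGroups.Keys | Where-Object { $_ -ne $MachineTier } |
        ForEach-Object { "$Domain\$($tierGroups[$_])" })

    # Export the effective user-rights assignments (settings applied by domain GPOs included).
    $inf = Join-Path $env:TEMP "rights-$PID.inf"
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $policy = Get-Content $inf
    Remove-Item $inf -ErrorAction SilentlyContinue

    foreach ($right in $denyRights) {
        # secedit writes each right as:  SeDenyXxx = *S-1-5-21-...,*S-1-5-32-...
        $line = $policy | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
        $assigned = @()
        if ($line) {
            $assigned = @(($line -split "=", 2)[1].Split(",") | ForEach-Object {
                $entry = $_.Trim()
                if ($entry -notmatch '^\*?S-1-') { return $entry }   # already a name
                try {
                    # Translate the SID to DOMAIN\Name so it can be compared with $mustDeny.
                    $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $entry.TrimStart("*")
                    $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $entry }   # SID no longer resolvable: report it raw
            })
        }
        $missing = @($mustDeny | Where-Object { $assigned -notcontains $_ })
        [pscustomobject]@{
            Right   = $right
            Denied  = $assigned -join ", "
            Missing = $missing -join ", "
            Ok      = ($missing.Count -eq 0)
        }
    }
}

# On a Tier 2 workstation every row should show Ok = True once the tier GPOs have applied.
Test-TierLogonDenies -MachineTier 2 | Format-Table -AutoSize
```

A row with anything in the Missing column is a hole in the boundary: an account from that tier can still obtain that kind of logon on this machine, and with it leave its credentials behind. The network-logon right is the one most often forgotten, and it is the one that matters for the hash-based movement the column describes.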
Step two is controlling local accounts with administrative privileges, since a local administrator password shared across machines is itself a lateral-movement path: a hash stolen on one machine works on every other machine that uses the same password. Step three is using host firewall rules to stop one computer from connecting directly to another. The column details how this is done with Microsoft Defender tools, but the approach should be adaptable to other tools.
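As an added example of the firewall step, and not the column's own code, the following narrows a Tier 2 workstation's built-in Windows Defender Firewall allow rules for the services attackers hop between machines with (SMB, RPC/WMI, RDP, WinRM and the remote-management groups) so they accept connections only from an admin/PAW network, then confirms the profile default is Block and looks for any remaining allow rule on those ports that still accepts any remote address. The subnet 10.10.50.0/24 is a placeholder; in production the same rules would be pushed by GPO to the tier's computers rather than run by hand.

```powershell
# Added example, not code from the Microsoft column. Intended for Tier 2 workstations,
# which have no reason to accept SMB, RDP, WinRM or remote-management connections from
# other workstations. 10.10.50.0/24 stands in for the PAW/management subnet. Run elevated.
function Limit-InboundToAdminNetwork {
    param([string]$AdminSubnet = "10.10.50.0/24")

    # Built-in Windows Defender Firewall rule groups that expose lateral-movement services.
    $lateralGroups = @(
        "File and Printer Sharing",                 # SMB 445, NetBIOS
        "Remote Desktop",                           # RDP 3389
        "Windows Remote Management",                # WinRM 5985/5986
        "Windows Management Instrumentation (WMI)", # DCOM/RPC
        "Remote Service Management",                # remote service control (PsExec-style)
        "Remote Scheduled Tasks Management",
        "Remote Event Log Management"
    )

    foreach ($group in $lateralGroups) {
        $rules = @(Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction SilentlyContinue)
        if ($rules.Count -eq 0) { continue }   # group not present on this Windows edition
        # Narrow every inbound rule in the group from "Any" remote address to the admin subnet.
        $rules | Set-NetFirewallRule -RemoteAddress $AdminSubnet
        Write-Output "$group : $($rules.Count) inbound rule(s) limited to $AdminSubnet"
    }

    # With no matching allow rule the profile default decides, so it must be Block.
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
}

# Check: an enabled inbound allow rule on these ports that still accepts any remote
# address is a path left open for one workstation to reach another.
function Find-OpenLateralPorts {
    $lateralPorts = "445", "135", "3389", "5985", "5986"
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
        $ports = ($rule | Get-NetFirewallPortFilter).LocalPort
        $addrs = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        if (($ports | Where-Object { $_ -in $lateralPorts }) -and ($addrs -contains "Any")) {
            $rule | Select-Object DisplayName, DisplayGroup
        }
    }
}

Limit-InboundToAdminNetwork
Find-OpenLateralPorts
```

The reason to scope the existing allow rules rather than add a block rule is that Windows Defender Firewall gives block rules precedence over ordinary allow rules, so a block on port 445 would also cut off the admin subnet; with the allow rules narrowed and the default inbound action set to Block, only the management network reaches those services. On Tier 1 servers the same approach applies, but the allowed set has to include whatever application traffic the server legitimately serves, which is why each tier gets its own policy.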