In the past five months there have been two cyber attacks that combined age-old email phishing with lateral movement to greatly increase their lethality. In February of this year the Saudi Arabian government was hit with a phishing attack that installed a program to delete data. The attackers were able to increase the blast radius of the attack by using a stolen domain credentials to disperse the malware within the network. More recently the WannaCry malware utilized phishing to install ransomware and that spread laterally using a Microsoft NetBIOS vulnerability.
While neither phishing nor lateral movement is new their combination greatly increased the destructive power of both attacks. It was publicly reported that 50,000 Saudi Arabian compute devices had their data deleted. And in the case of WannaCry, the latest reports are saying potentially 200,000 PCs were hit.
For security professionals the escalation of zero-day lateral movement malware attacks is a critical issue especially given that they can’t be detected by signature-based anti-virus software. It now takes only one mouse click to take down an entire organization! But that doesn’t need to be the case.
There are two counter-measures security professionals should deploy to mitigate zero-day lateral movement malware attacks. First there is a new generation of machine learning based end point protection systems that are not dependent on signatures. These new end point solutions monitor process behaviour or binaries to spot anomolies. Thus end point protection needs to be the first line of defense.
However in the world of BYOD and complex device software even the best end point protection solutions will fail. Thus we need a second line of defense.
To ensure infected devices do not spread malware laterally we must implement port isolation in combination with application layer access control. Port isolation is a standard feature of enterprise switches that allows traffic to only flow in one direction (e.g. user to application server). However there’s a risk for malware to relay thru application servers after the user signs into them. This is where an application layer access control solution comes in.
Application layer access control solutions (like Indecium) provision a layer 4 tunnel from the user’s device to a specific port on the server. As malware is outside the application layer tunnel it has no ability to inject itself into the data stream. Even hypothetically if it could inject itself in the tunnel, the communications is application/protocol specific and there’s no way to transmit commands or code to servers.
With the massive disclosure of classified vulnerability information we’re likely going to be experiencing more zero-day attacks for the foreseeable future. However with proper counter-measures in place these new cyber attacks can be contained.