Prevent lateral movement
Introduction
In this article, you learn about one of the foundational approaches to safeguarding against "bad actors" who follow the well-documented MITRE ATT&CK pattern of lateral movement.
Lateral movement is the act of moving through the environment from a compromised resource into an uncompromised one by exploiting the assumption that the former is secure. The following list covers the lateral movement techniques attackers commonly use to compromise systems through unauthorized means.
Lateral movement techniques
- Exploitation of remote services
- Internal spear phishing
- Lateral tool transfer
- Remote service session hijacking
- Remote services
- Replication through removable media
- Software deployment tools
- Taint shared content
- Use alternate authentication material
With all of these techniques documented and available to anyone, the threat of an attack has never been more real: they are widely known, easily reproducible patterns. This article explains how to protect against lateral movement with a simple, scalable solution that runs on any runtime or platform and stops lateral movement with bidirectional, or mutual, transport layer security (mTLS).
The castle and moat are gone; authorize and authenticate every room
In the traditional datacenter approach to network security, the "castle" and "moat" keep everything inside safe. Imagine your services as rooms in a castle. Just because you make it into the castle does not mean you should have free rein to waltz around like you own the place. The locks on the doors and the quartermaster who issues the keys are two essential parts of keeping each room safe. Authentication and authorization with mTLS do the same job, except that it all happens in the digital world at an exponentially faster pace. In the cloud, dynamic or ephemeral services can come up and down very fast and need to maintain connections to provide a data mesh to users or machines. Applications in modern CI/CD workflows are delivered by deploying code thousands of times a day on many different runtimes and platforms. The complexity can quickly become unmanageable unless you can abstract some of it away from developers and limit the cognitive load while maintaining security.
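As an added example, not taken from the original article, the following Consul service-intentions config entry expresses the "lock on every room" idea: the sidecar proxies authenticate each caller with mTLS, then allow or deny the connection based on the caller's verified service identity. The service names `web` and `api` are assumptions chosen for illustration.

```hcl
# Assumed example: intentions for a hypothetical "api" service.
# Apply with: consul config write api-intentions.hcl
# The destination service identity is proven by the certificate the
# mesh CA issued to the api sidecar; each Source below is matched against
# the identity in the caller's client certificate, not its IP address.
Kind = "service-intentions"
Name = "api"
Sources = [
  {
    # Only the "web" service may open connections to "api".
    Name   = "web"
    Action = "allow"
  },
  {
    # Explicit default deny: any other mesh identity is refused, so a
    # compromised service elsewhere in the mesh cannot pivot into "api".
    Name   = "*"
    Action = "deny"
  }
]
```

Intentions are evaluated in order, so the `web` allow is matched before the wildcard deny; without the final deny entry the outcome for unlisted callers falls back to the agent's default intention policy.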
Service mesh 101
With the rising use of microservices, Kubernetes, public cloud, and hybrid computing, Site Reliability Engineers and DevOps engineers are encouraged to avoid hardcoding values into application code. Additionally, they have to ensure secure, resilient, and performant applications while reducing complexity at scale.
HashiCorp's service mesh solution, Consul, enables practitioners to achieve this today by using mTLS between microservices in the mesh. Furthermore, the certificates, keys, and other items in the mesh also need to be secured and managed. HashiCorp Vault can help practitioners simplify these workloads and centralize these secrets. Vault's secrets engines provide infrastructure automation and are essential to reducing the cognitive load for the teams managing secrets. Secrets management platforms today can automate secrets rotation, generation, and protection, which gives a service mesh a capability it would otherwise lack: the ability to manage the secrets within the mesh itself. Examples of secrets in a mesh include:
- Access control list (ACL) bootstrap token
- ACL partition token
- ACL replication token
- Enterprise license
- Gossip encryption key
- Snapshot agent config
- Server TLS credentials
- Service mesh client TLS credentials
Centralizing secrets across your environments is essential to stopping a lateral attack, among other vulnerabilities. Identity is the new perimeter, and identity is a secret. A service mesh can add to the problem of secret sprawl if the mesh's own secrets are not properly managed. If you're using a service mesh today, consider the level of effort required to store the associated secrets, and learn how HashiCorp solutions can help ease the cognitive load while defending against emerging threats. Follow the Vault as secrets management for Consul tutorial to learn how to start defending against lateral movement.
How HashiCorp can help you prevent lateral movement with HashiCorp Vault & Consul
HashiCorp Vault (a secrets management platform) and HashiCorp Consul (a service mesh) are two good examples of integrated tools that can prevent the lateral movement techniques described in the MITRE ATT&CK framework. You can test this out and learn more at HashiCorp Developer.