
Prevent lateral movement with multi-factor authentication (MFA)

Prevent lateral movement in your network with zero trust access security measures including multi-factor authentication (MFA), access controls, and privileged access management.

Updated December 5, 2024

Lateral movement poses a significant threat to Active Directory (AD) security. Attackers try to move laterally through networks to elevate privileges and expand their access, obtain remote code execution, and explore the network unnoticed. Here's how UserLock's multi-factor authentication (MFA) and access controls help prevent lateral movement from common identity-based threats that impact all user accounts, not just privileged ones.

With UserLock, you can secure employee access to corporate networks and cloud apps with effective MFA, single sign-on (SSO), contextual access controls, and session management, stopping unauthorized Active Directory logins. UserLock MFA also extends beyond the logon to privilege elevation, with the ability to apply MFA on user account control (UAC) prompts displayed during administrative tasks (e.g., disabling a firewall) and "run as administrator" requests.

Understanding lateral movement in Active Directory

Let’s discuss lateral movement and its implications for Active Directory security.

What is lateral movement?

Lateral movement describes cyber attackers' techniques to progressively move through a network, searching for valuable data and assets. After gaining initial access, usually via a weak or compromised endpoint, the attacker navigates through the network, hopping from one system to another.

Through lateral movement, threat actors can often avoid detection and retain access, even if the initial breach is detected. Data theft might not occur until weeks or months after the original breach.

On average, it takes 207 days to identify a breach.

While impersonating a legitimate user, the attacker gathers information about systems and accounts, obtains further credentials, escalates privileges, and ultimately reaches the data or systems they were after. Zero trust access security and privileged access management can help prevent lateral movement.

The risks of lateral movement

Lateral movement indicates an attacker has breached an organization's outer defenses and is operating freely within the network. The risks include:

Financial losses

  • Intellectual property (IP) theft can lead to loss of competitive advantage and future revenue streams.

  • Remediation costs can be substantial, including forensic investigations, system restoration, and potential ransom payments.

  • Costs associated with notifying affected parties and providing credit monitoring services in case of data breaches.

Reputational damage

  • Immediate negative publicity can lead to a sharp decline in stock prices for public companies.

  • Loss of customer trust can result in reduced sales and difficulty attracting new customers.

  • Damage to brand image can persist long after the incident, affecting future growth prospects.

Understanding these risks highlights the importance of recognizing and preventing lateral movement.

Common techniques used in lateral movement

Attackers employ various techniques to move laterally and escalate privileges:

  • LDAP reconnaissance: Querying Active Directory over LDAP for users, groups, service principal names (SPNs), and privileged group membership to map out high-value targets and the paths to them. Any authenticated domain user can run these queries, so they blend in with normal traffic.

  • Pass-the-Hash attacks: Reusing a stolen NTLM password hash (typically dumped from LSASS memory or the local SAM of a compromised machine) to authenticate to other systems as that user, without ever knowing or cracking the password.

  • Kerberoasting: Requesting Kerberos service tickets for accounts that have an SPN and cracking those tickets offline to recover the service account's password. Tickets encrypted with RC4 are the usual target because they are far cheaper to crack than AES.

  • Abusing weak configurations: Taking advantage of poorly configured systems, such as a local administrator password shared across many machines, over-permissive AD permissions, or legacy authentication protocols left enabled.

  • Leveraging RDP: Using remote desktop with stolen or reused credentials to hop from system to system under the cover of ordinary administrative activity.
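Several of these techniques leave distinctive traces in the Windows Security log, so an added example of what detection looks like in practice follows. This is illustrative code written for this page, not UserLock's own, and the event records are constructed with simplified field names rather than captured from a real domain. It flags three of the patterns above: a Kerberoasting burst (event 4769, RC4-encrypted service tickets for several SPN accounts requested by one user in a short window), a Pass-the-Hash style logon (event 4624, logon type 9 through the seclogo logon process with Negotiate, the trace left by Mimikatz-style hash injection and also by a legitimate runas /netonly), and an RDP fan-out (event 4624, logon type 10 from one source to several hosts).

```python
"""Detect Kerberoasting, Pass-the-Hash style logons and RDP fan-out from
Windows Security events. Added example for this page; not UserLock code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), shaped after the fields of
# event 4769 (Kerberos service ticket requested) and 4624 (successful logon).
# Field names are simplified assumptions, not the exact EVTX names.
EVENTS = [
    # Kerberoast burst: one user pulls RC4 (0x17) tickets for three SPN accounts in seconds
    {"id": 4769, "time": "2024-11-01T10:00:01", "user": "jdoe", "service": "svc_sql", "enc": "0x17", "src": "10.0.0.5"},
    {"id": 4769, "time": "2024-11-01T10:00:02", "user": "jdoe", "service": "svc_web", "enc": "0x17", "src": "10.0.0.5"},
    {"id": 4769, "time": "2024-11-01T10:00:03", "user": "jdoe", "service": "svc_backup", "enc": "0x17", "src": "10.0.0.5"},
    # Benign: an AES (0x12) ticket for a machine account, and a single RC4 request hours later
    {"id": 4769, "time": "2024-11-01T10:00:04", "user": "jdoe", "service": "WS01$", "enc": "0x12", "src": "10.0.0.5"},
    {"id": 4769, "time": "2024-11-01T14:00:00", "user": "alice", "service": "svc_sql", "enc": "0x17", "src": "10.0.0.9"},
    # Pass-the-Hash style logon: NewCredentials (type 9) through seclogo with Negotiate
    {"id": 4624, "time": "2024-11-01T10:05:00", "user": "jdoe", "host": "WS01", "src": "10.0.0.5",
     "logon_type": 9, "logon_process": "seclogo", "auth_pkg": "Negotiate"},
    # RDP fan-out: RemoteInteractive (type 10) sessions on three servers from one source
    {"id": 4624, "time": "2024-11-01T10:06:00", "user": "jdoe", "host": "SRV01", "src": "10.0.0.5",
     "logon_type": 10, "logon_process": "User32", "auth_pkg": "Negotiate"},
    {"id": 4624, "time": "2024-11-01T10:07:00", "user": "jdoe", "host": "SRV02", "src": "10.0.0.5",
     "logon_type": 10, "logon_process": "User32", "auth_pkg": "Negotiate"},
    {"id": 4624, "time": "2024-11-01T10:08:00", "user": "jdoe", "host": "SRV03", "src": "10.0.0.5",
     "logon_type": 10, "logon_process": "User32", "auth_pkg": "Negotiate"},
    # Benign: a single RDP session from another workstation
    {"id": 4624, "time": "2024-11-01T10:09:00", "user": "bob", "host": "SRV01", "src": "10.0.0.7",
     "logon_type": 10, "logon_process": "User32", "auth_pkg": "Negotiate"},
]


def _burst(items, window, threshold):
    """True if some span no longer than `window` holds >= `threshold` distinct values.
    `items` are (datetime, value) pairs."""
    items = sorted(items)
    for i, (t0, _) in enumerate(items):
        distinct = {v for t, v in items[i:] if t - t0 <= window}
        if len(distinct) >= threshold:
            return True
    return False


def detect(events, window=timedelta(minutes=5), threshold=3):
    """Run the three rules over a list of event dicts and return alert dicts."""
    alerts = []
    roast = defaultdict(list)  # requesting user -> [(time, service account)]
    rdp = defaultdict(list)    # source address  -> [(time, target host)]
    for e in events:
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 4769:
            svc = e["service"]
            # RC4 tickets for SPN-bearing user accounts are the Kerberoast signal;
            # machine accounts ($) and the krbtgt account itself are excluded
            if e["enc"] == "0x17" and not svc.endswith("$") and svc.lower() != "krbtgt":
                roast[e["user"]].append((t, svc))
        elif e["id"] == 4624:
            if (e.get("logon_type") == 9 and e.get("logon_process", "").lower() == "seclogo"
                    and e.get("auth_pkg") == "Negotiate"):
                alerts.append({"rule": "pass-the-hash", "user": e["user"], "host": e["host"]})
            elif e.get("logon_type") == 10:
                rdp[e["src"]].append((t, e["host"]))
    for user, items in roast.items():
        if _burst(items, window, threshold):
            alerts.append({"rule": "kerberoasting", "user": user,
                           "services": sorted({s for _, s in items})})
    for src, items in rdp.items():
        if _burst(items, window, threshold):
            alerts.append({"rule": "rdp-fan-out", "src": src,
                           "hosts": sorted({h for _, h in items})})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Two caveats when tuning this against real logs: RC4 service tickets also appear legitimately in domains that have not enabled AES for their service accounts, so the burst threshold matters more than any single 0x17 event, and the type 9/seclogo signature is produced by a legitimate runas /netonly as well, so it should be correlated with the user, the host and the parent process before anyone is paged. Known jump hosts and scanners belong on an allow list for the RDP fan-out rule.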

Implementing MFA to prevent lateral movement

Multi-factor authentication (MFA) can be a powerful countermeasure against lateral movement threats.

Why MFA is crucial to preventing lateral movement

Lateral movement typically begins with compromised credentials, often those of non-admin accounts. MFA makes a stolen username and password insufficient on their own: an attacker who has phished, guessed, or cracked the password still has to produce the second factor, which is what stops the initial breach in credential-based attacks. Phishing-resistant methods such as hardware keys close the remaining gap where one-time codes can themselves be phished in real time.

And beyond the logon, MFA also helps prevent lateral movement by stopping attackers (or insider threats) from using a valid but stolen Active Directory account to open new sessions elsewhere in the domain. It keeps them from moving across the network, elevating privileges, deploying ransomware or malware, and stealing data.

Implementing MFA with UserLock

MFA for privilege elevation requests and lateral movement prevention is possible with UserLock's MFA on UAC prompts displayed during administrative tasks and "run as administrator" requests, available in UserLock 12.2.

With UserLock you can ensure:

  1. MFA on all user accounts, not just admin accounts: UserLock's granular MFA allows you to implement MFA that your team can live with, putting you in control of how often to apply MFA with granular policies by:

    • AD users, groups, or OUs

    • Frequency (every n minutes/hours/days)

    • Connection type (remote, from outside the LAN, on the LAN)

    • Session type (Workstation, Wifi, IIS, RDP, VPN, SaaS, UAC)

    This ability to granularly apply MFA makes it simple to reap the security benefits of deploying MFA across all user accounts, strengthening your organization's resilience to today's attack methods.

  2. Enhanced MFA for admin accounts: UserLock offers granular MFA settings, allowing more frequent authentication for admins alongside the ability to opt for more secure MFA methods like YubiKey or Token2. Combine this with contextual access and role-based restrictions to ensure only authorized users can attempt to log in.

  3. MFA on requests to elevate privileges: UserLock's MFA on UAC prompts displayed during administrative tasks and "run as administrator" requests helps you to:

    • Reinforce privileged access management (PAM) security by blocking privilege abuse

    • Prevent lateral movement

    • Meet cyber insurance requirements for MFA on all admin access

  4. Granular control over MFA policies: Many other MFA providers do not offer this level of control. They may only allow machine-level UAC MFA, or log a UAC request as if it were an RDP event.

Implementing MFA on these privilege elevation requests can significantly strengthen your Active Directory security against common identity-based threats and prevent lateral movement.
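To make the policy model above concrete, here is an added example of how a granular MFA policy is evaluated against a logon: scope by user, group or OU, a re-prompt frequency, a connection type, and a session type, with a stricter policy and stronger methods for admins. This is illustrative Python written for this page, not UserLock's code or configuration format; the policy names, method names, and the first-match evaluation order are assumptions of the example.

```python
"""Granular MFA policy evaluation: should this logon be challenged for a second
factor? Added example for this page; not UserLock's code or configuration
format. Policy names, field values and the first-match rule are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# The session and connection types the page lists, lower-cased.
SESSION_TYPES = frozenset({"workstation", "wifi", "iis", "rdp", "vpn", "saas", "uac"})
CONNECTION_TYPES = frozenset({"lan", "remote", "outside_lan"})


@dataclass(frozen=True)
class MfaPolicy:
    name: str
    members: frozenset           # AD users, groups or OUs in scope; "*" = everyone
    session_types: frozenset     # session types this policy covers
    connection_types: frozenset  # lan / remote / outside_lan
    every: Optional[timedelta]   # re-prompt interval; None = prompt on every matching logon
    methods: frozenset           # second factors accepted under this policy


@dataclass(frozen=True)
class Logon:
    user: str
    groups: frozenset            # groups and OUs resolved for the user from AD
    session_type: str
    connection_type: str
    at: datetime


def matches(policy: MfaPolicy, logon: Logon) -> bool:
    in_scope = ("*" in policy.members or logon.user in policy.members
                or bool(policy.members & logon.groups))
    return (in_scope and logon.session_type in policy.session_types
            and logon.connection_type in policy.connection_types)


def decide(policies, logon: Logon, last_mfa: Optional[datetime]):
    """Return (mfa_required, policy_name, accepted_methods).

    Policies are checked in order and the first match wins, so the stricter
    admin policy must be listed before the catch-all ones. `last_mfa` is the
    user's most recent successful MFA for this session type (None = never).
    """
    for p in policies:
        if not matches(p, logon):
            continue
        due = p.every is None or last_mfa is None or logon.at - last_mfa >= p.every
        return (True, p.name, p.methods) if due else (False, p.name, frozenset())
    return (False, None, frozenset())  # no policy covers the logon: no challenge


POLICIES = [
    # Admins: every session type, from anywhere, at most an hour between prompts, hardware keys only
    MfaPolicy("admins", frozenset({"Domain Admins"}), SESSION_TYPES, CONNECTION_TYPES,
              timedelta(hours=1), frozenset({"yubikey", "token2"})),
    # Everyone connecting from outside the LAN: challenged every time
    MfaPolicy("remote-everyone", frozenset({"*"}), SESSION_TYPES,
              frozenset({"remote", "outside_lan"}), None, frozenset({"push", "totp"})),
    # Everyone: UAC elevation and remote-access session types, at most every 8 hours
    MfaPolicy("elevation-and-remote-access", frozenset({"*"}),
              frozenset({"uac", "rdp", "vpn", "saas"}), CONNECTION_TYPES,
              timedelta(hours=8), frozenset({"push", "totp"})),
    # Everyone: ordinary on-LAN workstation, Wi-Fi and IIS logons, weekly
    MfaPolicy("lan-everyday", frozenset({"*"}), frozenset({"workstation", "wifi", "iis"}),
              frozenset({"lan"}), timedelta(days=7), frozenset({"push", "totp"})),
]

# Constructed logon contexts for the worked cases.
NOW = datetime(2024, 12, 5, 9, 0)
ADMIN_RDP = Logon("admin.bob", frozenset({"Domain Admins", "OU=IT"}), "rdp", "lan", NOW)
USER_LAN = Logon("jdoe", frozenset({"Sales", "OU=Sales"}), "workstation", "lan", NOW)
USER_UAC = Logon("jdoe", frozenset({"Sales", "OU=Sales"}), "uac", "lan", NOW)
USER_REMOTE = Logon("jdoe", frozenset({"Sales", "OU=Sales"}), "workstation", "remote", NOW)

if __name__ == "__main__":
    print(decide(POLICIES, ADMIN_RDP, NOW - timedelta(minutes=30)))  # challenged 30 min ago: no prompt
    print(decide(POLICIES, ADMIN_RDP, NOW - timedelta(hours=2)))     # hardware key required
    print(decide(POLICIES, USER_UAC, None))                          # first elevation: challenged
    print(decide(POLICIES, USER_REMOTE, NOW - timedelta(minutes=1))) # remote: challenged every time
```

The ordering is the part that bites in practice: if the catch-all "lan-everyday" policy were listed first, an admin's RDP session on the LAN would fall under the weekly rule with push or TOTP accepted, and the hourly hardware-key requirement would never apply.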

Strengthen access controls to prevent lateral movement

While MFA is a tool to prevent lateral movement, it's not the only security layer in your toolbox. Using MFA in combination with other access control measures hardens Active Directory security against external and insider threats. Here are a few of the most common ways to do that.

Apply the principle of least privilege

The principle of least privilege (PoLP) maintains that users or entities should only have access to the specific data, resources, and applications needed for their required tasks.

Following PoLP reduces the attack surface and the risk of malware spread, helping prevent lateral movement. PoLP is a fundamental pillar of zero trust network access (ZTNA): access is granted per application and per function, based on who the user is and what they are doing, rather than by IP address, port, or network location.

That moves policy away from network constructs such as subnets and firewall zones, which is what makes a comprehensive least-privilege implementation tractable for administrators.

Use role-based access control (RBAC)

Role-based access control (RBAC) assigns permissions to users based on their organizational roles, offering a manageable approach to access management that's less error-prone (and time-consuming) than individual user permissions.

RBAC groups users into roles based on common responsibilities and assigns permissions to those roles. The user-role and role-permissions relationships simplify user assignments by managing privileges through role permissions rather than individually.

RBAC tools use designations like the following (these are the terms Microsoft Exchange's RBAC model uses):

  • Management role scope: limits objects the role group can manage

  • Management role group: allows adding and removing members

  • Management role: defines tasks a specific role group can perform

  • Management role assignment: links a role to a role group
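As an added illustration of this model (not the code of any product; the role, group, user and OU names are made up for the example), here is a small scoped RBAC checker in Python. Roles carry tasks, role groups carry members, and an assignment ties a role to a group under a scope that limits which part of the directory the group may touch, so a helpdesk role scoped to the Sales OU cannot reset an executive's password even though the task itself is in the role.

```python
"""Scoped role-based access control: who may perform which task on which
directory object. Added example for this page; names are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:             # management role: the tasks it permits
    name: str
    tasks: frozenset


@dataclass(frozen=True)
class RoleGroup:        # management role group: the members who hold the roles
    name: str
    members: frozenset


@dataclass(frozen=True)
class Scope:            # management role scope: the part of the directory that may be managed
    name: str
    ous: frozenset      # OU distinguished names; "*" = the whole directory


@dataclass(frozen=True)
class Assignment:       # management role assignment: one role -> one group, under one scope
    role: str
    group: str
    scope: str


def in_scope(scope: Scope, target_dn: str) -> bool:
    """True if target_dn is one of the scope's OUs or lies beneath it.
    Matching on ',OU=...' (with the leading comma) keeps OU=Presales out of OU=Sales."""
    if "*" in scope.ous:
        return True
    dn = target_dn.lower()
    return any(dn == ou.lower() or dn.endswith("," + ou.lower()) for ou in scope.ous)


class Rbac:
    def __init__(self, roles, groups, scopes, assignments):
        self.roles = {r.name: r for r in roles}
        self.groups = {g.name: g for g in groups}
        self.scopes = {s.name: s for s in scopes}
        self.assignments = list(assignments)

    def allowed(self, user: str, task: str, target_dn: str) -> bool:
        """Permit only if some assignment gives one of the user's groups a role that
        contains the task, and the target object sits inside that assignment's scope."""
        return any(
            user in self.groups[a.group].members
            and task in self.roles[a.role].tasks
            and in_scope(self.scopes[a.scope], target_dn)
            for a in self.assignments
        )

    def effective_tasks(self, user: str, target_dn: str) -> frozenset:
        """Everything the user may do to one object; useful for an access review."""
        return frozenset(
            t for a in self.assignments
            if user in self.groups[a.group].members and in_scope(self.scopes[a.scope], target_dn)
            for t in self.roles[a.role].tasks
        )


# Constructed directory: a helpdesk and a manager role scoped to Sales, admins over everything.
RBAC = Rbac(
    roles=[Role("helpdesk", frozenset({"reset_password", "unlock_account"})),
           Role("group-manager", frozenset({"add_member", "remove_member"})),
           Role("domain-admin", frozenset({"reset_password", "unlock_account", "add_member",
                                           "remove_member", "create_user", "delete_user"}))],
    groups=[RoleGroup("Sales Helpdesk", frozenset({"alice"})),
            RoleGroup("Sales Managers", frozenset({"carol"})),
            RoleGroup("Domain Admins", frozenset({"bob"}))],
    scopes=[Scope("sales", frozenset({"OU=Sales,DC=corp,DC=example"})),
            Scope("everything", frozenset({"*"}))],
    assignments=[Assignment("helpdesk", "Sales Helpdesk", "sales"),
                 Assignment("group-manager", "Sales Managers", "sales"),
                 Assignment("domain-admin", "Domain Admins", "everything")],
)
SALES_USER = "CN=jdoe,OU=Sales,DC=corp,DC=example"
SALES_GROUP = "CN=Sales Team,OU=Sales,DC=corp,DC=example"
EXEC_USER = "CN=ceo,OU=Executives,DC=corp,DC=example"
PRESALES_USER = "CN=kim,OU=Presales,DC=corp,DC=example"

if __name__ == "__main__":
    print(RBAC.allowed("alice", "reset_password", SALES_USER))  # True: in role, in scope
    print(RBAC.allowed("alice", "reset_password", EXEC_USER))   # False: outside the Sales scope
    print(RBAC.allowed("alice", "add_member", SALES_GROUP))     # False: task not in helpdesk role
    print(sorted(RBAC.effective_tasks("bob", EXEC_USER)))
```

The scope is what turns a role list into least privilege: without it, every helpdesk member with a password-reset role could reset a domain admin's password, which is exactly the privilege-escalation path an attacker with one compromised helpdesk account would take.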

Managing privileged access

A privileged access management (PAM) system controls elevated access and permissions across an IT environment. Right-sizing privileged access controls through PAM minimizes attack surface and helps prevent lateral movement by mitigating damage from external attacks and insider threats.

Enforcing least privilege is a central goal of PAM. It restricts access rights and permissions for users, accounts, applications, systems, devices, and processes to the minimum necessary for authorized activities.

Real-world examples and best practices

A recent high-profile breach shows the consequences of inadequate security controls and the importance of implementing best practices.

The Change Healthcare breach

In February 2024, the ALPHV/BlackCat ransomware gang breached Change Healthcare, disrupting operations, exfiltrating up to 4TB of sensitive data, and reportedly receiving a $22 million ransom payment. Change Healthcare, central to 15 billion transactions and $1.5 trillion in healthcare claims annually, had to shut down key operations and had difficulties getting systems back online.

On February 12, 2024, BlackCat used compromised credentials to log in to a Change Healthcare Citrix remote-access portal that did not have multi-factor authentication enabled. Nine days later, after moving laterally through the environment and exfiltrating data, they deployed ransomware, encrypting Change's systems and rendering them inaccessible.

An American Medical Association survey found that 80% of clinicians lost revenue due to the breach, and 77% experienced service disruptions. 55% of practice owners used personal funds for bills and payroll. Other disruptions included the limited ability to approve prescriptions and procedures.

Best practices for lateral movement monitoring and detection

Here are some of the IT security best practices for organizations to detect and prevent lateral movement:

  1. Choose tools that combine security and visibility: With UserLock, you can report on admin actions and UAC events, providing visibility into admin account access attempts, privileged actions, and requests to elevate privileges across the network. Set specific MFA policies on these requests, specifying frequency and circumstances.

  2. Audit security hygiene: Ensure consistent application of fundamental network security practices across users, applications, networks, and endpoints to maintain a robust security posture and prevent lateral movement.

  3. Use network segmentation: Employ network segmentation with access controls and firewalls to restrict lateral movement between segments and limit the impact of an attacker's progression.

  4. Stay up to date on threat intelligence and indicators of compromise (IOCs): Consume current threat intelligence feeds and IOCs so that known lateral movement tooling and techniques are recognized and detection rules are kept current.

Your roadmap to robust network security

Once you understand lateral movement and how to prevent it, you can better evaluate the often-confusing variety of security solutions and chart the course for your organization's Active Directory security.

Zero trust access security and lateral movement prevention

A zero trust security framework advocates for security measures that prevent lateral movement. These include following the principle of least privilege, auditing security hygiene, implementing MFA, requiring strong passwords, and creating shared policies. All together, these security layers make it harder for intruders to access, and move throughout, the network.

A zero-trust access security strategy also puts the focus on granular access controls and privileged access management, creating a comprehensive approach to prevent lateral movement and protect against identity-based threats.

Read more: A guide to zero trust for MSPs

Prevent lateral movement with UserLock

With UserLock, you can put multi-layered security on all employee access to corporate networks and cloud applications, whether employees are on-site or remote. UserLock's 360-degree access security secures the logon with straightforward MFA, SSO, contextual access controls, and session management.

Easy to deploy and use, UserLock scales easily for any number of users. It's also one of the few IAM solutions purpose-built for on-premise Active Directory, and it syncs with Active Directory every 5 minutes.

Thanks to granular controls, you can set MFA policies that hit the right balance between security and productivity for your team.

Now, with UserLock 12.2 you can extend that same MFA protection to privilege elevation requests.

François Amigorena, President and CEO of IS Decisions
