How to stop attackers from moving laterally through your network


Once a threat actor has an initial foothold, one of their most important goals is to move laterally through the victim's network.

Some attackers may be satisfied with compromising one device, and if they get lucky, it may be the only one they need. But usually attackers want to move around, and up, harvesting credentials from each machine they reach until they hold administrative control of the entire domain.

This means stopping lateral movement is a prime defensive tactic for infosec leaders.

In a column this week, Microsoft explained how, using its tools, lateral movement can be blunted. While the advice is written for shops that use Microsoft tools, the underlying controls (account tiering, logon restrictions, local administrator control and host firewalls) are not product-specific, and administrators should be able to map them onto whatever tooling their environment already has.

The authors suggest starting by segmenting privileged accounts, and the systems they administer, into three tiers in Active Directory: Tier 0 for all accounts and servers that either hold domain administrator rights or have a direct path to them (domain controllers and anything that can control them); Tier 1 for business-critical applications (file shares, application servers, and database servers) and the accounts that administer them; and Tier 2 for ordinary user workstations and standard user accounts.

Creating separate tiers cuts off lateral movement from a standard user workstation to an application server or domain controller, the blog notes. If a standard user's machine is compromised and the attacker dumps the password hashes cached on it, those hashes belong only to Tier 2 accounts, which are not permitted to authenticate to Tier 1 or Tier 0 systems, so there is no movement path toward more sensitive accounts and servers.

The tiers must be completely segregated from each other. In Active Directory this is done with Group Policy Objects (GPOs), applied to each tier's computers, that deny foreign-tier accounts every logon type (the User Rights Assignment settings Deny log on locally, Deny log on through Remote Desktop Services, Deny access to this computer from the network, Deny log on as a batch job and Deny log on as a service). No account may cross a tier boundary in either direction: for example, the authors say, a Tier 0 administrator should be denied access to a Tier 1 or Tier 2 machine, since a single logon would leave that credential cached where a lower-tier attacker can harvest it. If an account's credentials are ever exposed to another tier, its password must be reset.

For even greater security, holders of privileged accounts should be forced to log in through a dedicated privileged access workstation (PAW). Because an account in one tier can only sign in to computers in the same tier, a person who holds accounts in more than one tier needs a separate computer per tier. A Tier 0 user should use a PAW to access only Tier 0 assets, and log in from a different computer to check email or use productivity applications (Tier 2 activities).
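The following is an added example of how the cross-tier logon denial described above can be produced; it is not code from the Microsoft column or from the article. It assumes a hypothetical domain with the tier accounts collected in groups named Tier0-Admins, Tier1-Admins and Tier2-Users, and it writes one secedit security template per tier to C:\TierTemplates. Each template places the accounts of every other tier on all five "Deny log on" user rights, which is the rule that keeps a Tier 0 credential from ever landing on a Tier 2 workstation.

```powershell
# Added example: generate per-tier "deny log on" security templates.
# Assumptions (hypothetical): group names below, output folder C:\TierTemplates.
Import-Module ActiveDirectory

$OutDir     = "C:\TierTemplates"            # assumption
$TierGroups = @{
    0 = "Tier0-Admins"                      # domain admins, DC/AD/PKI admins
    1 = "Tier1-Admins"                      # server and application admins
    2 = "Tier2-Users"                       # standard users, workstation admins
}

# Every logon type that can leave a credential on a host must be denied to
# foreign-tier accounts: console, RDP, network (SMB/WMI/WinRM), batch, service.
$DenyRights = @(
    "SeDenyInteractiveLogonRight",          # Deny log on locally
    "SeDenyRemoteInteractiveLogonRight",    # Deny log on through RDS
    "SeDenyNetworkLogonRight",              # Deny access from the network
    "SeDenyBatchLogonRight",                # Deny log on as a batch job
    "SeDenyServiceLogonRight"               # Deny log on as a service
)

# Resolve each tier group to its SID, creating the group if it does not exist.
$TierSids = @{}
foreach ($tier in $TierGroups.Keys) {
    $name  = $TierGroups[$tier]
    $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $group) {
        $group = New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -PassThru
    }
    $TierSids[$tier] = $group.SID.Value
}

# Build the secedit template for the computers of one tier: the accounts of
# every *other* tier go on all five deny rights.
function New-TierDenyTemplate {
    param([int]$ComputerTier, [hashtable]$Sids)

    $foreign = $Sids.Keys | Where-Object { $_ -ne $ComputerTier } | Sort-Object
    # secedit syntax: SIDs are prefixed with '*' and comma separated.
    $sidList = ($foreign | ForEach-Object { "*" + $Sids[$_] }) -join ","

    $lines = @(
        "[Unicode]",
        "Unicode=yes",
        "[Version]",
        'signature="$CHICAGO$"',
        "Revision=1",
        "[Privilege Rights]"
    )
    foreach ($right in $DenyRights) {
        $lines += "$right = $sidList"
    }
    return ($lines -join "`r`n")
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
foreach ($tier in ($TierGroups.Keys | Sort-Object)) {
    $path = Join-Path $OutDir "Tier$tier-DenyLogon.inf"
    # secedit expects a UTF-16 LE ("Unicode") template.
    New-TierDenyTemplate -ComputerTier $tier -Sids $TierSids |
        Set-Content -Path $path -Encoding Unicode
    Write-Host "Wrote $path"
}

# Before touching GPOs, apply a template on one test machine of that tier and
# read the effective user rights back to confirm the denies took:
#   secedit /configure /db C:\Windows\Security\Database\tier.sdb `
#           /cfg C:\TierTemplates\Tier2-DenyLogon.inf /areas USER_RIGHTS
#   secedit /export /cfg C:\Temp\effective.inf /areas USER_RIGHTS
```

Each generated .inf is imported into the GPO linked to that tier's computer OU (Computer Configuration > Policies > Windows Settings > Security Settings, right-click Security Settings > Import Policy), so a Tier 2 workstation GPO denies the Tier 0 and Tier 1 groups, and so on. Two caveats: the groups must contain user accounts only (denying a computer account's tier group on itself will break the machine), and the denies must be tested on a lab host first, because a mistake in Tier0-DenyLogon.inf can lock administrators out of the domain controllers.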

Step two is controlling local accounts that have administrative privileges (for example, giving each machine a unique, rotated local administrator password and removing accounts that do not need local admin rights). Step three is using the host firewall to stop one workstation from connecting to another, so a compromised machine cannot reach its neighbours over RDP, SMB or remote management protocols. The column details how this is done with Microsoft Defender tools, but the same controls should be adaptable to other tools.
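As an added example of steps two and three on a single Tier 2 workstation (this is not code from the Microsoft column or the article), the script below removes every member of the local Administrators group that is not on an allow list, disables stray local accounts, and then makes the Domain firewall profile default-deny inbound with RDP, SMB and WinRM accepted only from a management range. All names and address ranges are hypothetical: CONTOSO\Tier2-Helpdesk as the sanctioned admin group, 10.10.200.0/24 as the PAW/management network and 10.20.0.0/16 as the workstation network.

```powershell
# Added example: local admin cleanup and workstation-to-workstation firewall
# rules for a Tier 2 workstation. Run elevated on the workstation.
# Assumptions (hypothetical): group names and subnets below.

# --- Step two: control local accounts with admin privileges ----------------
$AllowedAdmins = @(
    "CONTOSO\Tier2-Helpdesk",   # assumption: the only sanctioned Tier 2 admin group
    "CONTOSO\Domain Admins"     # default member; their logon to Tier 2 is already
                                # denied by the tier GPO, so leave it in place
)

# Return every member of local Administrators that is neither the built-in
# Administrator (RID 500, password managed per host by LAPS) nor allow-listed.
function Get-LocalAdminViolations {
    param([string[]]$Allowed)
    foreach ($m in Get-LocalGroupMember -Group "Administrators") {
        if ($m.SID.Value -like "S-1-5-21-*-500") { continue }
        if ($Allowed -notcontains $m.Name) { $m }
    }
}

foreach ($v in Get-LocalAdminViolations -Allowed $AllowedAdmins) {
    Write-Warning "Removing unexpected local admin: $($v.Name) ($($v.ObjectClass))"
    Remove-LocalGroupMember -Group "Administrators" -Member $v
}

# Extra local users with a shared password are a pass-the-hash gift between
# workstations: disable every enabled local user except the built-in Administrator.
Get-LocalUser |
    Where-Object { $_.Enabled -and $_.SID.Value -notlike "*-500" } |
    ForEach-Object {
        Write-Warning "Disabling local account $($_.Name)"
        Disable-LocalUser -Name $_.Name
    }

# --- Step three: stop workstation-to-workstation connections ---------------
$ManagementNet  = "10.10.200.0/24"   # assumption: PAWs and management hosts
$WorkstationNet = "10.20.0.0/16"     # assumption: Tier 2 workstation range
# The two ranges must not overlap: Windows Firewall evaluates Block rules
# before Allow rules, so a block covering the management range would win.
$LateralPorts = @{
    "RDP"         = 3389
    "SMB"         = 445
    "WinRM"       = 5985
    "WinRM-HTTPS" = 5986
}

# Default-deny inbound on the Domain profile, then per protocol: an explicit
# block from other workstations and an allow scoped to the management range.
Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block

foreach ($name in $LateralPorts.Keys) {
    $port      = $LateralPorts[$name]
    $blockName = "Tier2 Block $name from workstations"
    $allowName = "Tier2 Allow $name from management"

    # Idempotent: drop any earlier copy of our rules before recreating them.
    Remove-NetFirewallRule -DisplayName $blockName -ErrorAction SilentlyContinue
    Remove-NetFirewallRule -DisplayName $allowName -ErrorAction SilentlyContinue

    New-NetFirewallRule -DisplayName $blockName -Direction Inbound -Protocol TCP `
        -LocalPort $port -RemoteAddress $WorkstationNet -Action Block `
        -Profile Domain | Out-Null
    New-NetFirewallRule -DisplayName $allowName -Direction Inbound -Protocol TCP `
        -LocalPort $port -RemoteAddress $ManagementNet -Action Allow `
        -Profile Domain | Out-Null
}

# Verify from another workstation in 10.20.0.0/16 (assumption) that the port
# no longer answers, while a PAW in 10.10.200.0/24 still can:
#   Test-NetConnection -ComputerName <this-workstation> -Port 445
```

The allow-list approach deliberately avoids a blanket "remove everyone": the built-in Administrator stays so that LAPS-managed break-glass access still works, and the default Domain Admins membership stays because the tier GPO already denies those accounts any logon to Tier 2. Deploy the firewall rules through a GPO linked to the workstation OU rather than per machine once they have been validated on a pilot group, and remember that a default-deny inbound profile also blocks anything else (patch agents, helpdesk tooling) that relied on a built-in allow rule.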

The full blog can be read here.

The post How to stop attackers from moving laterally through your network first appeared on IT World Canada.

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
