To build the best defense, know which attack is which

Roger A. Grimes

As you mount your defense against the bad guys, it's important to make the distinction between the two major types of attack: the initial compromise and movement.

The initial compromise is simply the break-in. Movement, however, can be in two different "directions": horizontal or vertical. Moving horizontally means the attacker is shifting between similar roles of computers (client to client, server to server); vertical movement means the attacker is maneuvering between different roles (client to server to domain controller).

After the initial compromise, the attacker doesn't necessarily need to move. But movement is fairly common among today's sophisticated attackers. Even malware is on the move, often infiltrating other drive shares and computers and attempting to guess additional passwords.

It's important to recognize the distinction between these attacks and plan accordingly. It's far more vital to try to prevent the initial compromise, of course, but you obviously also want to slow down or prevent movement.

Traditionally, computer attacks are described by the method used, such as password attack, eavesdropping, session compromise, and so on. But you need to examine these threats in light of how they're most likely to be used.

For example, with password attacks, outright password guessing is most useful for initial compromises. By contrast, using and abusing password hashes is far more likely to be successful for additional movement after the original compromise. Social engineering is mostly an initial compromise technique, whereas keylogging is for moving around. Some hacking techniques can be used in both types of attacks; session hijacking, for example, can be used for the initial compromise, but often demands already acquired insider access to accomplish.

Stopping initial compromises should be your top goal. Talk to successful penetration testers and they'll tell you that once they have initial access, the rest is gravy. Getting that first access is the most stressful part for hackers, but once it's acquired, it's usually pretty easy to move laterally and vertically, get the keys to the kingdom, and pwn the environment.

Understanding the two major types of attacks will make you a better defender. For example, right now most of the security world is very concerned about pass-the-hash (PtH) attacks, where the attacker gains access to intermediate credential representations and uses them to move throughout the environment. We can't ignore PtH attacks; every sophisticated attacker is using them.

But focusing on movement might make you lose sight of the bigger problem. In order to accomplish PtH attacks, the attacker must have already gained initial, superelevated, authenticated access. In Microsoft Windows, the attacker must already be local Administrator or Domain Administrator (on a domain controller) in order to access the password hashes or Kerberos tickets. Once they have that sort of privileged access, what can't they do?
