Prevent lateral movement
This guide describes one of the foundational approaches to safeguarding against adversaries ("bad actors") by addressing the lateral movement tactic documented in the MITRE ATT&CK framework.
Lateral movement techniques
Lateral movement is the act of moving through the environment from a compromised resource to an uncompromised one, exploiting the assumption that the source is trusted. The following diagram shows the lateral movement techniques attackers commonly use to compromise systems through unauthorized means.

Common techniques include:
- Exploitation of remote services
- Internal spear phishing
- Lateral tool transfer
- Remote service session hijacking
- Remote services
- Replication through removable media
- Software deployment tools
- Taint shared content
- Use alternate authentication material
With these techniques available to anyone, you need to protect your organization with a solution that stops lateral movement by enforcing bidirectional, or mutual, transport layer security (mTLS) between services.
Secure cloud native applications
In the traditional datacenter approach to network security, network administrators segment the network into virtual local area networks (VLANs) and apply rules to each VLAN to allow access between services in different VLANs. Following this model, however, might allow a compromised system in one VLAN to access services in other VLANs without proper authentication and authorization, because the rules trust the network location of a caller rather than its identity.
In modern applications that use a cloud native approach, dynamic (or ephemeral) services come up and down often. These services need to establish secure connections and not rely on long-lived secrets or manual authentication processes.
External resources:
- Authentication vs authorization: understanding the difference
- OWASP Cloud-Native Application Security Top 10
Implement a service mesh

With the rise of cloud native practices, organizations need to ensure they have secure, resilient, and performant applications while reducing complexity at scale.
A service mesh is an infrastructure layer that manages communication between services for distributed applications. Rather than embedding networking logic directly into application code, the service mesh abstracts these concerns into a separate layer. This allows services to communicate through the mesh infrastructure without needing to understand the underlying network.
The benefits of a service mesh include enhanced observability, security, and reliability. It provides load balancing, traffic routing, and failure handling without requiring code changes. Security is strengthened through automatic mutual TLS encryption and policy enforcement. This separation of concerns allows development teams to focus on business logic while the service mesh handles operational concerns like retries, timeouts, circuit breaking, and canary deployments, ultimately reducing complexity and improving the maintainability of large-scale distributed systems.
HashiCorp's service mesh solution, Consul, enables practitioners to achieve this today by enforcing mTLS between services in the mesh.
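The following is an added example, not configuration from this guide or from the Consul documentation, showing what "mTLS plus policy enforcement" looks like in Consul: a weak agent TLS setting beside the hardened one, a default-deny ACL posture, and a service-intentions config entry that permits only one caller. The service names `web` and `api`, the certificate paths under `/etc/consul.d/tls`, and the gossip key placeholder are assumptions; the `tls`, `acl`, `connect` and `encrypt` options and the `service-intentions` config entry kind are real Consul settings.

```hcl
# Added example (not from the Consul documentation or this guide).
# Assumed: two mesh services named "web" and "api", certificates under
# /etc/consul.d/tls, and a Consul version that supports the `tls` block.

# --- Agent configuration: the weak setting, shown for contrast ---
# With verify_incoming = false, any host that can reach the agent's RPC
# or HTTPS port is accepted without presenting a client certificate, so a
# compromised host can talk to the agent as if it were a trusted peer.
# tls {
#   defaults {
#     verify_incoming = false
#     verify_outgoing = false
#   }
# }

# --- Agent configuration: hardened ---
acl {
  enabled        = true
  default_policy = "deny"   # nothing is allowed unless a token grants it
}

connect {
  enabled = true            # service mesh: sidecar proxies speak mTLS for the app
}

# Gossip between agents is encrypted with a shared key (placeholder value;
# generate a real one with `consul keygen` and store it as a secret).
encrypt = "<GOSSIP_KEY_PLACEHOLDER>"

tls {
  defaults {
    ca_file         = "/etc/consul.d/tls/consul-agent-ca.pem"
    cert_file       = "/etc/consul.d/tls/dc1-server-consul-0.pem"
    key_file        = "/etc/consul.d/tls/dc1-server-consul-0-key.pem"
    verify_incoming = true  # peers must present a certificate signed by the CA
    verify_outgoing = true  # this agent only talks TLS to verified peers
  }
  internal_rpc {
    verify_server_hostname = true  # a client certificate cannot impersonate a server
  }
}

# --- Service intentions config entry (separate file, applied with
#     `consul config write api-intentions.hcl`) ---
# The mesh identifies each caller by the service identity in its mTLS
# certificate, so this allow list is bound to identity, not to IP or VLAN.
Kind = "service-intentions"
Name = "api"
Sources = [
  {
    Name   = "web"
    Action = "allow"   # web -> api is the only permitted path
  },
  {
    Name   = "*"
    Action = "deny"    # every other service, compromised or not, is refused
  }
]
```

The two parts work together: the agent configuration guarantees that every hop is authenticated at the transport layer, and the intentions entry turns that identity into an authorization decision, so moving "laterally" from a compromised service still ends at a refused connection unless an explicit allow exists for that pair.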
External resources:
- NIST SP 800-204A: Building Secure Microservices-based Applications Using Service-Mesh Architecture
- OWASP Microservices Security Cheat Sheet
Enable secrets management
Running a service mesh introduces its own set of challenges: organizations need to secure and manage the service mesh configuration and its supporting resources. Examples of such resources in a mesh include:
- Server TLS credentials
- Service mesh client TLS credentials
- Access control list (ACL) bootstrap token
- ACL partition token
- ACL replication token
- Enterprise license
- Gossip encryption key
- Snapshot agent configuration
If you use a service mesh today, consider the effort required to store and protect the secrets associated with it.
Centralizing secrets across your environments is essential to stop lateral attacks, among other threats. Identity is the new perimeter, and identity is a secret. Managing many secrets in many places leads to secret sprawl.

HashiCorp Vault can help practitioners simplify these workflows and centralize these secrets. Vault's secrets engines give teams purpose-built solutions for the many use cases that involve managing secrets.
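As an added example (not from this guide or from the Vault documentation) of centralizing mesh secrets in Vault, the following policy scopes a workload to a single short-lived Consul ACL token issued by Vault's Consul secrets engine, with an over-broad policy shown beside it for contrast. The mount path `consul/`, the role name `web-service`, and the assumption that the policy is attached to the token a workload obtains through an auth method are all assumptions; the `path`/`capabilities` syntax, the `consul/creds/<role>` and `consul/config/*` paths, and the `sys/leases/*` endpoints are real Vault features.

```hcl
# Added example (not from this guide or HashiCorp's Vault documentation).
# Assumed: the Consul secrets engine is mounted at "consul/" with a role named
# "web-service", and this policy is attached to the token the web service
# receives from an auth method (for example Kubernetes or AppRole).

# --- Too broad: one leaked token exposes every role and the engine's config ---
# path "consul/*" {
#   capabilities = ["create", "read", "update", "delete", "list"]
# }

# --- Least privilege: read a short-lived Consul ACL token for one role only ---
# Each read returns a fresh token with its own lease, so there is no long-lived
# mesh credential to copy from the host.
path "consul/creds/web-service" {
  capabilities = ["read"]
}

# Let the workload renew and revoke its own lease, and nothing else.
path "sys/leases/renew" {
  capabilities = ["update"]
}
path "sys/leases/revoke" {
  capabilities = ["update"]
}

# A "deny" capability takes precedence over any allow from another policy
# attached to the same token, so the management token stored in the engine's
# configuration can never be read through this identity.
path "consul/config/*" {
  capabilities = ["deny"]
}
```

Written this way, the only mesh secret a workload ever holds is a lease-bound token it fetched for itself, which is what lets the mesh rotate credentials without hand-distributed files and limits what a compromised workload can reuse elsewhere.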
HashiCorp resources:
- What is "secret sprawl" and why is it harmful?
- Vault for secrets management with Consul
- Identify, prevent, and manage leaked secrets
External resources:
- NIST SP 800-63B-4: Digital Identity Guidelines: Authentication and Authenticator Management
- OWASP Secrets Management Cheat Sheet
Next steps
Preventing lateral movement is a foundational approach to securing your organization. By implementing a zero-trust model, including a service mesh and enabling secrets management, you can reduce the risk of lateral movement attacks. Consul allows your services to communicate securely and reliably, while Vault centralizes and secures your secrets management.