Responding to Lateral Movement

You just detected an adversary moving laterally in your environment. Now what? Join experts from Red Canary and Kroll to learn how to cut mean time to remediation and reduce the impact of incidents.

You will learn:

  • Lessons from a series of rapidly spreading Emotet infections
  • Critical considerations and tools for scoping, containment, and remediation
  • Trends across industries and organization sizes
  • Step-by-step response plans

Whether you’re a team of one or a dozen, you’ll walk away with a solid action plan and foundational metrics you can use to start improving your response processes today.

01:50 Presenter Introduction

03:19 Webinar Agenda

04:24 What is Lateral Movement?

08:55 How Emotet Propagates

09:35 “A lot of organizations find themselves playing catch-up with some of the best practices around having a decent antivirus product out and deployed.” – Scott

09:55 “A lot of people are still in the mode of giving local admin to everybody.” – Scott

10:30 “The first thing Emotet is going to try to do is dump passwords on an initially infected system, and then it’s pretty short work from there to keep moving from system to system with that same admin password.” – Scott

10:55 “Think about the internal movement possibilities if someone is able to get administrator credentials and then use those open protocols.” – Scott

11:27 “You may realize that 95% of our systems are under management, the remaining 5% can just as easily get infected. And if they are not being covered with inventory tools, antivirus, or whatever other measures you have, they can continue to reinfect other systems, making it very hard to get ahead of an outbreak.” – Scott

12:39 3 Phases of Response

15:17 Phase 1: Visibility

15:34 What Data You Need

16:16 “The main things you use for process auditing are things like the command-line: what are the network connections every process is making, what are the file modifications, and any Windows registry entries and services that were created.” – Julie

16:57 Accessing The Data

17:03 “There are a number of free and paid tools, many of which you’ve probably either heard of or worked with in your own environment.” – Julie

20:58 Phase 2: Containment

21:09 Stop Infection & C2

21:45 “There is going to be a network component where it tries to call home to its command and control to either get an update or to bring down the infection again. This can get really interesting if you have mobile workers versus corporate workers that are behind some of your other controls.” – Eric

23:32 Tools

26:28 “Some of these can be managed using Active Directory group policies. Some of them can be baked in with the tools you already have.” – Tony

27:40 Phase 3: Response

28:00 Undoing The Damage

29:08 “If you can limit it to a specific workstation, you really reduce the harm that one of these outbreaks can do to an organization as a whole.” – Scott

32:09 Process Tips and Tricks

33:02 “We’ve found that response tends to be more iterative. You toggle back and forth between the containment and eradication.” – Scott

36:55 Improving Efficiency

37:58 “We’ve found that the most important thing is to know the threat, and to know what it is you’re trying to get under control.” – Julie

40:07 “I would definitely encourage you to look through the tools you already have and see where you can automate part of the process.” – Julie

40:20 Tracking Our Progress

42:07 “Automation can come down to something as simple as API calls to open a ticket.” – Phil

44:04 What to Put in Place Today

49:12 “Before these incidents occur, understand the risk to your organization and write policies.” – Scott

51:30 Questions & Answers

51:40 Question 1: Even with Windows environments that have macOS in them, there is a potential for lateral movement around macOS machines.

51:53 “It’s still possible to move around with SMB with non-Windows machines, but it is a little bit easier to use other protocols like SSH.” – Tony

52:52 Question 2: Are there open-sourced SOAR options?

53:20 “It’s an undeveloped space for sure.” – Scott

53:37 “There is so much possibility for them to be customized to the environment. It’s kind of odd to have that kind of customizability and that sort of support with a community option instead of having paid support and somebody paid to work 100% of their time on it.” – Tony

54:00 Question 3: We have a small security staff, but a large number of employees. Can you recommend any methods for more of an automated approach to blocking lateral movement instead of inspecting each particular use of PowerShell or something similar as an example?

54:16 “I hear ‘automated approach to blocking lateral movement’ and I think of an IPS system.” – Tony
