In today's threat landscape, attackers increasingly use lateral movement to gain access to sensitive data and systems with the potential to cause enormous damage. Consider these recent statistics:
Lateral movement is a technique attackers use to move from one device or system to another within a network. This can allow them to access sensitive data or systems they otherwise would not be able to reach — and enables the attacker to spread malware, steal data, or disrupt operations.
An attack using lateral movement paths (LMPs) typically has three phases:
After gaining network access, an attacker observes and maps the network structure, users, and devices. Doing so allows the attacker to identify operating systems, firewalls, and host naming conventions and hierarchies. With this information, they can begin developing a strategy for their impending attack.
Attackers then harvest credentials, either through social engineering (for example, phishing) or through credential dumping, which means extracting passwords, hashes or tokens that are stored or cached on an already compromised host. Each stolen credential is used to reach the next device, one after another, escalating the attacker’s network privileges along the way.
With access to stolen login credentials and escalated network privileges, an attacker can impersonate a user and gain what would appear to be “legitimate” access to additional hosts and servers, reaching farther and farther into the infiltrated network.
This sort of lateral movement enables attackers to maintain a persistent network presence across multiple users and devices. So even if a security team is able to identify a compromised device, the attacker still maintains a presence via other devices, making it far more difficult for the security team to eradicate the attacker from the entire network.
Quickly identifying and addressing lateral movement in your network is absolutely critical. A 2023 CrowdStrike report found the average breakout time (how long it takes attackers to move from initial access to lateral movement) to be a mere 118 minutes. Security teams have to move faster than ever to mitigate the damage.
You can take several steps to help your team prepare for an attack and protect your business:
Attackers use many techniques to exploit LMPs. Some of the most common techniques include:
Zero Trust Network Access (ZTNA) is a security approach that assumes that any device or user could be compromised. This means that ZTNA does not grant access to the entire network but instead grants access to specific applications or data.
ZTNA can stop lateral movement in several ways.
First, it limits what stolen credentials are worth. ZTNA requires users to authenticate with multi-factor authentication (MFA) or other strong authentication methods, so a stolen password alone is not enough to impersonate a user and reach the systems that user is authorized for.
Second, it shrinks the attack surface an attacker can reach. ZTNA uses micro-segmentation to divide the network into smaller zones and exposes each application only to the identities that need it, so a vulnerable service a user is not authorized to reach cannot be attacked from that user’s session, and a foothold in one zone does not provide a path into the others.
A common misconception about remote-access VPNs is that, once connected, a user’s device becomes part of the network and gains access to the entire network. Therefore, the assumption is that using a VPN increases the risk of lateral movement. Some in our industry use this argument to garner support for alternative remote-access technologies that facilitate application connectivity without providing complete layer-3 connectivity (for example, identity-aware proxies).
In reality, zero trust and VPNs are not mutually exclusive. In fact, using a VPN facilitates much stronger controls against lateral movement precisely because it is a network-layer connectivity technology. Modern VPN solutions come with an identity-based access control capability. You can provide least privilege access to the applications a user needs by configuring identity-aware access control policies that permit specific identities to reach specific network segments, at protocol and port granularity. An attacker who hijacks such a session is therefore restricted at the network level: scans and connections the policy does not permit (for example, SMB or RDP sessions to other hosts) never reach their targets, because the VPN enforces the policy and simply drops those packets. By contrast, if you rely solely on application-level controls, any other reachable service remains exposed, and an attacker could still move laterally by exploiting a vulnerability in an application those controls do not cover.
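To make the network-layer enforcement described above concrete, here is an added example (not OpenVPN or CloudConnexa code) of a per-identity, port-granular allow list evaluated at a VPN concentrator. It assumes a server that learns which identity owns each tunnel address at connect time and then filters forwarded traffic against a per-group policy with default deny; the groups, tunnel addresses, private ranges and ports are constructed for illustration, and the `iptables` rendering shows the form such a policy could take if installed by a hypothetical client-connect hook.

```python
"""Identity-aware, port-granular policy enforcement at a VPN concentrator.

Added example: this is not OpenVPN or CloudConnexa code. It assumes a VPN
server that learns which identity owns each tunnel address at connect time
and then filters forwarded traffic against a per-group allow list. The
groups, addresses and ports below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    dst: IPv4Network   # destination segment (a /32 pins a single server)
    proto: str         # "tcp" or "udp"
    port: int          # destination port


# Constructed policy: identity group -> what it may reach (anything else is denied).
POLICY: Dict[str, List[Rule]] = {
    "finance": [Rule(ip_network("10.20.5.10/32"), "tcp", 443)],      # ERP web UI only
    "it-admins": [
        Rule(ip_network("10.20.0.0/16"), "tcp", 22),
        Rule(ip_network("10.20.0.0/16"), "tcp", 3389),
    ],
}

# Tunnel address -> (user, group), populated when the client authenticates (constructed).
TUNNEL_IDENTITY: Dict[str, Tuple[str, str]] = {
    "10.8.0.6": ("alice", "finance"),
    "10.8.0.7": ("bob", "it-admins"),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def decide(pkt: Packet) -> str:
    """Return 'ACCEPT' or 'DROP' for a packet arriving from the tunnel side."""
    ident = TUNNEL_IDENTITY.get(pkt.src)
    if ident is None:
        return "DROP"                       # unknown tunnel address is never forwarded
    _, group = ident
    dst = ip_address(pkt.dst)
    for rule in POLICY.get(group, []):
        if dst in rule.dst and pkt.proto == rule.proto and pkt.dport == rule.port:
            return "ACCEPT"
    return "DROP"                           # nothing matched: default deny


def lateral_scan(src: str, target_net: str, proto: str, dport: int) -> Dict[str, int]:
    """Simulate an attacker on a hijacked session probing every host in a segment
    on one port (e.g. SMB 445) and count what the enforcement point lets through."""
    counts = {"ACCEPT": 0, "DROP": 0}
    for host in ip_network(target_net).hosts():
        counts[decide(Packet(src, str(host), proto, dport))] += 1
    return counts


def iptables_rules(tunnel_ip: str) -> List[str]:
    """Render one identity's policy as iptables FORWARD rules, the form a
    client-connect hook could install on the VPN server (hypothetical deployment)."""
    _, group = TUNNEL_IDENTITY[tunnel_ip]
    rules = [
        f"-A FORWARD -s {tunnel_ip} -d {r.dst} -p {r.proto} --dport {r.port} -j ACCEPT"
        for r in POLICY[group]
    ]
    rules.append(f"-A FORWARD -s {tunnel_ip} -j DROP")   # explicit default deny
    return rules


if __name__ == "__main__":
    # Alice's session was hijacked: the ERP still works, SMB to the rest of the segment is dropped.
    print(decide(Packet("10.8.0.6", "10.20.5.10", "tcp", 443)))   # ACCEPT
    print(lateral_scan("10.8.0.6", "10.20.5.0/24", "tcp", 445))    # {'ACCEPT': 0, 'DROP': 254}
    print("\n".join(iptables_rules("10.8.0.6")))
```

The point of the simulation is the scan result: a compromised finance session can still reach the one application it is entitled to, while every SMB probe across the segment is dropped before it reaches a host, so the attacker gets no foothold on the next machine.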
As always, a minimum essential set of multiple controls provides better protection than just one control. In addition to enforcing ZTNA, you can significantly reduce the risk of lateral movement attacks in your organization by implementing various approaches (noted below).
CloudConnexa, a cloud-delivered ZTNA service from OpenVPN, takes an approach that separates application-layer routing from IP routing. CloudConnexa only opens a communication path to the destination, through an intermediary IP address, when the user tries to access an authorized application. To gain access to an application, users must use the domain name associated with that authorized application. This means that neither the IP address range of the private network hosting the application nor the private IP address of the application server is revealed, and access to other communication paths on the network is restricted. The attacker cannot use IP addresses to scan the private network or try to infect any other devices on it; CloudConnexa is designed to reject packets sent directly to IP addresses in the private network.
In addition to the above, CloudConnexa provides businesses with the following protections:
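The following is an added toy model of the name-gated approach described above; it is not CloudConnexa’s implementation and makes no claim about how that service works internally. It assumes that resolving an authorized application’s domain name allocates a per-session intermediary address from a non-routed pool (100.96.0.0/24 is assumed here), that the forwarding plane translates only packets sent to such an address, and that everything else, including packets addressed directly to the private network, is rejected. The application names, addresses and groups are constructed.

```python
"""Simplified model of name-gated access through an intermediary address.

Added example: a toy model of the approach described in the text, not
CloudConnexa's code. Assumptions: an authorized name resolves to a
per-session intermediary address from a non-routed pool; the forwarding
plane translates only packets sent to an allocated intermediary address;
direct packets to the private network are rejected. All data is constructed.
"""
from ipaddress import ip_network
from typing import Dict, Optional, Tuple

# Constructed application catalogue: name -> (private address, port, groups allowed).
APPS: Dict[str, Tuple[str, int, set]] = {
    "erp.corp.example": ("10.20.5.10", 443, {"finance"}),
    "jump.corp.example": ("10.20.9.4", 22, {"it-admins"}),
}
INTERMEDIARY_POOL = [str(h) for h in ip_network("100.96.0.0/24").hosts()]


class Session:
    """One authenticated user's connection and its name-to-path mappings."""

    def __init__(self, user: str, group: str, pool_offset: int = 0) -> None:
        self.user, self.group = user, group
        self._next = pool_offset                        # toy allocator; a real system shares a pool
        self.mappings: Dict[str, Tuple[str, int]] = {}  # intermediary -> (private ip, port)

    def resolve(self, name: str) -> Optional[str]:
        """DNS step: only authorized names resolve, and only to an intermediary address."""
        app = APPS.get(name)
        if app is None or self.group not in app[2]:
            return None                                 # unauthorized app is invisible (NXDOMAIN)
        private_ip, port, _ = app
        for intermediary, target in self.mappings.items():
            if target == (private_ip, port):
                return intermediary                     # already opened in this session
        intermediary = INTERMEDIARY_POOL[self._next]
        self._next += 1
        self.mappings[intermediary] = (private_ip, port)
        return intermediary

    def forward(self, dst_ip: str, dport: int) -> Tuple[str, Optional[Tuple[str, int]]]:
        """Forwarding step: translate a packet to its real destination or reject it."""
        target = self.mappings.get(dst_ip)
        if target is not None and target[1] == dport:
            return ("FORWARD", target)
        return ("REJECT", None)     # direct private IPs, wrong ports, unknown addresses


def scan_private_segment(session: Session, net: str, dport: int) -> Dict[str, int]:
    """What an attacker on this session gets when scanning the private range directly."""
    counts = {"FORWARD": 0, "REJECT": 0}
    for host in ip_network(net).hosts():
        counts[session.forward(str(host), dport)[0]] += 1
    return counts


if __name__ == "__main__":
    alice = Session("alice", "finance")
    erp = alice.resolve("erp.corp.example")          # "100.96.0.1"
    print(erp, alice.forward(erp, 443))               # FORWARD to ("10.20.5.10", 443)
    print(alice.forward("10.20.5.10", 443))           # REJECT: private address used directly
    print(alice.resolve("jump.corp.example"))         # None: not authorized, so not even resolvable
    print(scan_private_segment(alice, "10.20.5.0/24", 445))   # every probe rejected
```

Two properties fall out of the model: the user’s client only ever sees the intermediary address, so the private range is never learned, and a direct scan of that range yields nothing because the forwarding plane has no mapping for those destinations.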
OpenVPN® is the market-proven leader in secure virtualized networking. Our cloud-based platform enables organizations to maintain secure communication between their distributed workforce, IoT/IIoT devices, and the online services they rely on daily. Built on the market-proven OpenVPN protocol, the solution combines advanced network security, encrypted remote access, and content filtering into a virtualized secure network that provides the best of VPN and ZTNA security.
With over 60 million downloads of our core open-source software and over 20,000 commercial customers, OpenVPN is recognized as a global leader in secure networking.
Ready to take your business to the next level with CloudConnexa? Work from anywhere and from any device with confidence. Create an account today for three free connections and the secure network connectivity your business needs.