To build the best defense, know which attack is which

Cyber criminals seeking to plunder your environment use two approaches -- know the difference to become a better defender

As you mount your defense against the bad guys, it's important to make the distinction between the two major types of attack: the initial compromise and movement.

The initial compromise is simply the break-in. Movement, however, can be in two different "directions": horizontal or vertical. Moving horizontally means the attacker is shifting between similar roles of computers (client to client, server to server); vertical movement means the attack is manuevering between different roles (client to server to domain controller).

[ 6 hard-earned lessons learned about advanced persistent threats | It's time to rethink security. Two former CIOs show you how to rethink your security strategy for today's world. Bonus: Available in PDF and e-book versions. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]

After the initial compromise, the attacker doesn't necessarily need to move. But movement is fairly common among today's sophisticated attackers. Even malware is on the move, often infiltrating other drive shares and computers and attempting to guess additional passwords.

It's important to recognize the distinction between these attacks and plan accordingly. It's far more vital to try and prevent the initial compromise, of course, but you obviously also want to slow down or prevent movement.

Traditionally, computer attacks are described by the method used, such as password attack, eavesdropping, session compromise, and so on. But you need to examine these threats in light of how they're most likely to be used.

For example, with password attacks, outright password guessing is most useful for initial compromises. Alternately, using and abusing password hashes is far more likely to be successful for additional movement after the original compromise. Social engineering is mostly an initial compromise technique, whereas keylogging is for moving around. Some hacking techniques can be used in both types of attacks; session hijacking, for example, can be used for the initial compromise, but often demands already acquired insider access to accomplish.

Stopping initial compromises should be your top goal. Talk to successful penetration testers and they'll tell you that once they have initial access, the rest is gravy. Getting that first access is most stressful for hackers, but once they're acquired, it's usually pretty easy to move laterally and vertically, get the keys to the kingdom, and pwn the environment.

Understanding the two major types of attacks will make you a better defender. For example, right now most of the security world is very concerned about pass-the-hash (PtH) attacks, where the attacker gains access to intermediate credential representations and uses them to move throughout the environment. We can't ignore PtH attacks; every sophisticated attacker is using them.

But focusing on movement might make you lose sight of the bigger problem. In order to accomplish PtH attacks, the attacker must have already gained initial, superelevated, authenticated access. In Microsoft Windows, the attacker must already be local Administrator or Domain Administrator (on a domain controller) in order to access the password hashes or Kerberos tickets. Once they have that sort of privileged access, what can't they do?

There are now tools and techniques to substantially decrease the risk of PtH attacks, raising the possibility that in the next few years, we will defeat them. That won't stop attackers in the slightest -- they already have very privileged access. If we take away PtH attacks, they'll turn to other options, such as key logging, to get the access they need.

If we're going to minimize malicious hacking over the long term, we need to focus more on stopping initial compromises, because different types of movement attacks will develop as the attackers need them. Shut down one movement attack and they will invent another. It's computer security evolution.

But initial compromises don't change all that much. Malware, social engineering, password guessing, and buffer overflows have been around for decades. Minimize initial compromises and you'll do more to lower your risk.

The best step you can take in your environment to stop initial compromises is to better patch your software and prevent social engineering. The best way to stop movement is to separate your networks (logically or physically) and minimize credential reuse between systems.

Everything else is relatively minor compared to these two defenses in each of the attack types. Focus, focus, focus.

This story, "To build the best defense, know which attack is which," was originally published at Keep up on the latest developments in network security and read more of Roger Grimes's Security Adviser blog at For the latest business technology news, follow on Twitter.

Join the discussion
Be the first to comment on this article. Our Commenting Policies