Security for IT Pros

Security Best Practice Guidance to Disrupt Lateral Movement

Credential harvesting and reuse in the form of lateral movement within a domain is a well-known technique amongst security defenders and hackers alike. Recently, we have seen new threats building on these age old tactics to build new sophisticated multi-threaded pieces of automation that present greater risks to customers once a piece of malware compromises a host on a network. Based on these learnings from these incidents, we want to highlight a few resources to help customers prevent or disrupt credential harvesting and lateral movement. As always, we recommend customers install the latest updates available, but as evidenced in the latest incidents, a defense-in-depth strategy is the best protection against modern malware.

Protecting against stealing credentials or re-using active sessions:

1. Credential Guard in Windows 10 and Server 2016 provides next-generation protection for secrets and credentials.
2. Securing Privileged Access provides an overview and possible roadmap to mitigate against credential harvesting.
3. The free Local Administrator Password Solution is a good option for reducing the risk, and complexity, associated with domain credentials.

Execution of Payloads

1. Device Guard in Windows 10 and Server 2016 will lock a device so that it can only run trusted applications that you define in your code integrity policies.
2. AppLocker restricts the applications that users can run in your network.
3. Legitimate tools like the Windows Management Instrumentation can have access control lists to minimize illegitimate use.

Security Blogs

• The Microsoft Security Response Center (MSRC)
• Security Research and Defense
• Microsoft Malware Protection Center
• Microsoft Security Guidance
• Technical Roll-up - Security
• Microsoft Secure Blog