Well-Architected Framework
Prevent lateral movement
Providing access to infrastructure resources is inevitable. With the proper guardrails, as discussed in secure human access to infrastructure, you can reduce the risk of unauthorized access. However, if an attacker gains access to one resource, they may attempt to move laterally through your environment to compromise additional resources.
What is lateral movement?
Lateral movement is the act of moving through the environment from a compromised resource into an uncompromised resource by exploiting the trust that other resources place in the compromised resource, which they still assume is secure.
The MITRE ATT&CK framework provides an overview of lateral movement techniques that you can use to secure your infrastructure.
The following diagram shows the lateral movement techniques attackers commonly use to compromise systems through unauthorized means.

Common techniques include:
- Exploitation of remote services
- Internal spear phishing
- Lateral tool transfer
- Remote service session hijacking
- Remote services
- Replication through removable media
- Software deployment tools
- Taint shared content
- Use alternate authentication material
Because these techniques are available to anyone, you need to protect your organization with a solution that stops lateral movement by enforcing bi-directional, or mutual, transport layer security (mTLS) between services.
Secure cloud native applications
In the traditional datacenter approach to network security, network administrators segment the network into different virtual local area networks (VLANs) and apply rules to each VLAN to allow access between services in different VLANs. Following this model, however, might allow a compromised system in one VLAN to access services in other VLANs without proper authentication and authorization, because the rules trust the network location rather than the identity of the service.
In modern infrastructure and applications that use a cloud native approach, dynamic services come up and go down often. These services need to establish secure connections without relying on long-lived secrets or manual authentication processes.
Prevent lateral movement with Consul service mesh
HashiCorp Consul enables you to secure communication between systems by enforcing mTLS for every connection in the service mesh.
A service mesh is an infrastructure layer that manages communication between services for distributed applications. Rather than embedding networking logic directly into application code, the service mesh abstracts these concerns into a separate layer. This allows services to communicate through the mesh infrastructure without needing to understand the underlying network.

The benefits of a service mesh include enhanced observability, security, and reliability. It provides load balancing, traffic routing, and failure handling without requiring code changes. Security is strengthened through automatic mutual TLS encryption and policy enforcement. This separation of concerns allows development teams to focus on business logic while the service mesh handles operational concerns like retries, timeouts, circuit breaking, and canary deployments, ultimately reducing complexity and improving the maintainability of large-scale distributed systems.
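The following configuration, added here as an illustration and not taken from the page or from the Consul project's own documentation, shows how a default-deny ACL policy, sidecar proxies, and a service intention combine so that only "api" can reach "db" through the mesh; the service names, ports, and file names are assumed.

```hcl
# --- file: server.hcl (Consul server agent config), assumed filename ---
# With ACLs in deny-by-default mode, service intentions also default to
# deny, so any service pair without an explicit allow cannot connect
# through the mesh. This is what blocks lateral movement between services.
acl {
  enabled        = true
  default_policy = "deny"
}

# --- file: api.hcl (service registration on the api node), assumed ---
# The Envoy sidecar terminates mTLS. "db" is reached only through the
# sidecar's local listener on 127.0.0.1:5432; the db host is not dialed
# directly, and the sidecar presents api's SPIFFE identity on each call.
service {
  name = "api"
  port = 8080
  connect {
    sidecar_service {
      proxy {
        upstreams = [
          {
            destination_name = "db"
            local_bind_port  = 5432
          }
        ]
      }
    }
  }
}

# --- file: db-intentions.hcl, applied with `consul config write` ---
# Allow only api -> db. The trailing wildcard deny makes the intent
# explicit even if the ACL default policy is later changed.
Kind = "service-intentions"
Name = "db"
Sources = [
  {
    Name   = "api"
    Action = "allow"
  },
  {
    Name   = "*"
    Action = "deny"
  }
]
```

A compromised host that is not the api service cannot present a certificate for the api identity, so its connection to db is rejected at the db sidecar before any application code runs.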
Centralize secrets management with Vault
Running a service mesh introduces its own set of challenges. Organizations need to secure and manage the service mesh configuration and supporting resources. Examples of these resources in a mesh include:
- Server TLS credentials
- Service mesh client TLS credentials
- Access control list (ACL) bootstrap token
- ACL partition token
- ACL replication token
- Enterprise license
- Gossip encryption key
- Snapshot agent configuration
If you're using a service mesh today, consider the level of effort to store the secrets associated with the service mesh.
Centralizing secrets across your environments is essential to stop lateral attacks and other classes of vulnerability. Identity is the new perimeter, and identity is a secret. Managing many secrets in many places leads to secret sprawl.

HashiCorp Vault can help practitioners simplify these workloads and centralize these secrets. Vault's secrets engines give teams purpose-built solutions for the different use cases involved in managing secrets.
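As an added example, not part of the page or of HashiCorp's own documentation, the Consul server configuration below delegates the mesh certificate authority to Vault so that the server and client mesh TLS credentials listed above are issued and rotated from one central place; the Vault address, PKI mount paths, and token value are assumed placeholders.

```hcl
# --- file: server.hcl (Consul server agent config), assumed filename ---
connect {
  enabled     = true
  # Use Vault's PKI secrets engine as the mesh CA instead of Consul's
  # built-in CA, so mesh certificates are managed alongside other secrets.
  ca_provider = "vault"
  ca_config {
    # Assumed Vault endpoint; use TLS to Vault itself.
    address = "https://vault.example.com:8200"

    # Placeholder only. In production, authenticate Consul to Vault with
    # an auth method so no static token is stored in the config file.
    token = "VAULT_TOKEN_PLACEHOLDER"

    # Vault PKI mounts (assumed names) for the root and the signing
    # intermediate. Consul creates them if they do not exist.
    root_pki_path         = "connect_root"
    intermediate_pki_path = "connect_inter"

    # Short-lived leaf certificates limit how long a stolen sidecar
    # identity remains usable; Consul rotates them automatically.
    leaf_cert_ttl         = "72h"
    intermediate_cert_ttl = "8760h"
  }
}
```

With this in place, revoking or rotating mesh identities is a Vault operation rather than a per-node task, which removes one of the secret-sprawl sources that lateral movement feeds on.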
HashiCorp resources:
- What is Consul?
- Consul service mesh
- Consul service mesh in production with Nomad
- What is "secret sprawl" and why is it harmful?
- Vault for secrets management with Consul
- Identify, prevent, and manage leaked secrets
External resources:
- What is the MITRE ATT&CK framework?
- Authentication vs authorization: understanding the difference
- OWASP Cloud-Native Application Security Top 10
- NIST SP 800-204A: Building Secure Microservices-based Applications Using Service-Mesh Architecture
- OWASP Microservices Security Cheat Sheet
- NIST SP 800-63B-4: Digital Identity Guidelines: Authentication and Authenticator Management
- OWASP Secrets Management Cheat Sheet
Next steps
In this section of Secure infrastructure, you learned why it is important to secure infrastructure against lateral movement attacks. Unmanaged traffic creates risks for your company's security program, leading to leaked secrets or unauthorized access to data. Prevent lateral movement is part of the Secure systems pillar.
Following these documents in order ensures a logical progression through the key concepts and best practices, helping you build a strong foundation for your organization's security program.