they can move “laterally” through a network with privileged credentials. Are there specific methods that enterprises can use to defend such privileged users?

System admins and root accounts have always been among the favorite targets of attackers because once they obtain that level of access, they can install rootkits, capture passwords, access password hashes, access all data and more. Perhaps most importantly, an attacker could gain access to an organization’s sensitive data by moving “laterally” through the network.

For those who haven’t heard the term before, moving laterally means to explore a network once access has been established. Attackers move from one system to another in search of ill-gotten gains as well as to stay one step ahead of detection. Once an attacker has full access to the network, lateral movement is hard to detect and harder to stop. Implementing a separation of duties will not thwart the attack if the compromised admin account can gain access to other admin accounts. As is often said in the world of InfoSec, an attacker getting the keys to the kingdom can mean “game over” for an organization.

Enterprises can consider taking several steps to minimize this risk, including implementing strong authentication, monitoring administrative accounts and using the least privileges necessary for managing the data and network. Employing strong authentication methods, such as two-factor authentication using a smartcard or a one-time password generator, can make it more difficult to capture passwords or forge authentication credentials. In Windows, passwords for the last 10 or more accounts that have logged in can be cached and if cracked, those passwords can be used to move laterally throughout a network as described above. Malware with keyloggers are less effective on two-factor hardware tokens because of the additional protections from the hardware design.

Monitoring administrator accounts will not stop an account from being used laterally, but it will help identify when an admin account has been compromised. For example, if an admin account only logs in on the local console, but there is a log entry for a remote login, the situation might be something to investigate further. Using the least privilege necessary is good advice not only for normal users, but also for admins. If administrators don’t need full admin access to perform their duties, they should not be using a full admin account; instead, they can be limited to just the access necessary to perform their job. For example, if an operator only needs to be able to reboot a server, but not apply patches or make configuration changes, this person would only need to be granted access to reboot the system rather than full admin access.