How to prevent an attacker maintaining persistence through lateral movement in your network with Interguard

What is Lateral Movement?

After an initial device is compromised, an attacker will try to extend access to other machines in the network. Lateral movement helps an attacker maintain persistence in the network, gain control of an administrator’s machine and the privileges and data associated with it, or move closer to valuable assets up to and leading to your network’s Domain Controller.

Because attackers want to stay beneath the radar, they often avoid malware and obvious exploits that will trigger signature-based intrusion alarms. Instead, they will attempt to steal or guess passwords and then log in to remote machines using standard admin tools and remote desktop apps. They may also compromise additional hosts by installing malicious code on network file shares or manipulating computer logon scripts.

IT security teams can detect lateral movement by looking for credential abuse and excessive failed logins. If multiple devices share the same credentials or if a single device logs in to network resources from distinct accounts in a short period of time, an attack may be in progress.
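
An added example (not from the original post and not Interguard code) of the three detection heuristics in the paragraph above, run over constructed authentication events. The log format, the 10-minute window and the thresholds of 3 are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed format): time, source device, account, outcome.
SAMPLE_LOG = """\
2024-05-01T09:00:05 WS-014 alice success
2024-05-01T09:01:10 WS-022 svc_backup success
2024-05-01T09:01:40 WS-022 bob failure
2024-05-01T09:02:05 WS-022 bob failure
2024-05-01T09:02:30 WS-022 carol success
2024-05-01T09:03:00 WS-022 dave failure
2024-05-01T09:04:15 WS-031 svc_backup success
2024-05-01T09:05:20 WS-040 svc_backup success
2024-05-01T11:30:00 WS-014 alice success
"""

def parse(log):
    """Return sorted (time, device, account, outcome) tuples."""
    events = []
    for line in log.splitlines():
        ts, device, account, outcome = line.split()
        events.append((datetime.fromisoformat(ts), device, account, outcome))
    return sorted(events)

def detect(events, window=timedelta(minutes=10), min_accounts=3,
           min_devices=3, min_failures=3):
    """Flag the three patterns within a sliding window (thresholds are assumptions)."""
    alerts = set()
    for i, (start, _, _, _) in enumerate(events):
        accounts_by_device = defaultdict(set)   # one device, many accounts
        devices_by_account = defaultdict(set)   # one credential, many devices
        failures_by_device = defaultdict(list)  # failed logins per device
        for ts, device, account, outcome in events[i:]:
            if ts - start > window:
                break
            accounts_by_device[device].add(account)
            devices_by_account[account].add(device)
            if outcome == "failure":
                failures_by_device[device].append(ts)
        checks = (("many_accounts_from_device", accounts_by_device, min_accounts),
                  ("account_on_many_devices", devices_by_account, min_devices),
                  ("excessive_failed_logins", failures_by_device, min_failures))
        for name, table, limit in checks:
            for key, seen in table.items():
                if len(seen) >= limit:
                    alerts.add((name, key))
    return sorted(alerts)

if __name__ == "__main__":
    print(detect(parse(SAMPLE_LOG)))
```

Service accounts that legitimately run on several hosts will trip the shared-credential check, so in practice the thresholds are tuned per account type or paired with an allowlist.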

Admin Tools

Attackers often use administrative utilities to conduct lateral movement, including a variety of command-line shells for remotely administering machines. While primarily used for lateral movement, admin tools can serve many purposes, including exfiltration and reconnaissance.

The most popular admin tool that hackers use for lateral movement, 28.48% of the time, is SecureCRT (an SSH and Telnet client).

How can Interguard help?

Interguard’s agents are deployed onto the target device or VDI. We can set up an application control policy to eliminate the possibility that threat actors are using SecureCRT to laterally move across your network:

Step # 1:  Search for SecureCRT

Step # 2: Create a time schedule to block SecureCRT

Step # 3: Select Block of time

It’s that easy!! You’ve created your policy!

In one fell swoop, you will be able to block the #1 admin tool threat vector that hackers use to gain credentials to your network’s Domain Controller.

Because Interguard’s agents are device-centric, you are assured that your endpoint is protected and credentials are not misused.

For more questions, contact your Fine Tec sales rep or email us at