Lateral movement - with a Cloud perspective

James Bromberger Posted 01 November 2019

There is a consistent theme that we are seeing across the various security briefings and meetings within the IT industry that reoccurs: lateral movement.

It’s a legitimate concern, and something that should be addressed by all organisations. However, with a Cloud perspective there is a key differentiator between existing traditional on-premises/datacentre/co-lo deployments and networking, and the Amazon Cloud environment.

If you are running virtual machines in the Amazon Web Services Elastic Compute Cloud, or AWS EC2, then you are running this within a networking contract called a Virtual Private Cloud (VPC). If it’s your first time, then you may be running this within a Default configured VPC; however, if you are experienced then your VPC may be more detailed, meeting a richer set of requirements that become apparent over time.

Lateral movement is when an exploited host is used as an asset to move sideways in your network to the next host, as an attacker looks to disrupt, copy, extract or otherwise interfere in your operations.

Your typical enterprise VPC is most likely connected to your office location via VPNs or possibly fibre, and your VPC-deployed workload may be offering services to your internal office network. With that connectivity in place, your lateral movement vector could be from on-premise to in cloud, or vice-versa.

Traditionally, your office network is often done on shared segments of networks. There can be several systems connected to the same ethernet switch, or the same Wi-Fi access point. Those networks connect to routers or firewalls, which police the boundary of that shared segment, but do nothing for the security of the individual assets sitting alongside each other in the same network segment.

The granularity of the firewall is often the shared network segment. In the AWS environment, that granularity is not the same; two hosts sitting in the same logical network segment (a subnet) may be members of two completely different Security Groups. A Security Group is a Stateful firewall, meaning that you only need to define the incoming or outgoing service that you wish to permit, and the return traffic for that connection is automatically matched and permitted (the alternate is a Network ACL, which requires both the outbound and inbound packets to be permitted to connect as two separate policies).

Your EC2-deployed resources, which include Virtual Machines (EC2), managed databases (RDS), managed Load Balancers (ELB/ALB/NLB), managed cache services (ElasticCache), VPC-attached serverless Lambda functions and more, also have Network Interfaces (ENIs) that are present within your Virtual Private Cloud network, and each must be a member of one or more Security Groups.

With every VPC, there is a Security Group called “Default”, and its initial configuration is to permit no traffic inbound, but to permit all outbound traffic. As a recommendation do not modify any inbound rules for this default. Any service you deploy should have a carefully thought-out connectivity plan, and not left to a generic default. If you find services using a Security Group called “Default”, or “launch-wizard-nnnn”, then that’s evidence that your deployment needs attention to ensure the appropriateness of the network security. In addition, with this Default Security Group, it permits all egress (outbound). Therefore, change the default to permit nothing outbound. If this group were to be accidentally used as a resource, then it should not add any ability for either inbound or outbound traffic.

We deep dive into this in more detail in our latest white paper Cyber Security: restricting lateral movement in the AWS Cloud. Download your copy today.

Modis Australia | Feature Image | Cyber Security: restricting lateral movement in the AWS Cloud

Download your copy

Connecting your Virtual Private Cloud Environment(s) to your existing corporate network topology takes capability and understanding.

Find out more

Modis offers a managed services approach by two approaches: with our staff physically embedded within the customer environment, or centrally from the Modis Service Centre.

Find out more

Modis has significant experience in migrating legacy Commercial-Off-The-Shelf (COTS) software for x86 architectures and deploying them in the AWS Cloud.

Find out more

Modis has a long and rich history of enterprise application development.

Find out more

We've worked extensively with government agencies in migrating their core operations to the AWS Cloud.

Find out more

Our team are experts in designing, reviewing and tuning security at different layers of the technology stack.

Find out more

Local storage is limited, costly, and requires maintenance.

Find out more
Find out how Modis can provide you with innovative AWS cloud based solutions and servicesModis has been an AWS Advanced Tier Partner since 2014. Modis' AWS Cloud Consulting services encompasses fundamentals of cyber security, fault tolerant digital system architecture, modernisation, traditional virtual machine or through to modern Serverless approaches, commercial off-the-shelf software operation to bespoke software development, delivered with high throughput, repeatable DevOps approaches to operations. With over half a decade of running critical authoritative government data sets that affects the lives of millions of citizens and the economies of the state, Modis has one of the most mature, experienced and recognised consulting service providers in the world. More importantly, we like to work very closely with our customers, not providing something to purchase, but taking a deep understanding of their business, and providing the recommendations and implementations to ensure a modern, efficient, reliable and secure environment for digital business systems.Contact us
We operate around the world. Would you like to find out more about your local office?Find out about Modis