Thread Info
  • Locked Locked
  • Replies 5 replies
  • Subscribers 14 subscribers
  • Views 3775 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Lateral Movement Protection conditions

StevenSultana

Hi community,

I have been running some tests for lateral movement protection, and tried to reach its limitations. I'd like to share my results, and maybe you may have results of different cases that I did not think of.
In order to test, I turned off the Network Threat Protection service from the Windows services.msc app. This turns the status of the endpoint to Red.
Endpoints 1-3 have a Threat Prevention policy which includes self-isolation.

This is the network diagram:

Endpoint 2 was set to have a red status.
All traffic to/from Endpoint 3 was blocked.
UDP/TCP traffic to/from Server was blocked. ICMP traffic was allowed.
All traffic to/from Endpoint 1 was permitted (firewall did not have any restrictions).
UDP/TCP traffic to the Internet was blocked. ICMP traffic was allowed.

What do you think? Are these the results you would have expected?

Cheers,
Steven.



This thread was automatically locked due to age.
Parents

  • It was my understanding that the device in red would be separated from the rest by means of-

    The device in question set to isolate Endpoint 2 would essentially isolate all traffic within

    End Points 1, 3 & the server isolating themselves from Endpoint 2 or denying all traffic from endpoint 2

    The firewall isolating Endpoint 2 from the internet and other segments and devices as well.

     

    Or am I not understanding this correctly?

    Respectfully, 

     

    Badrobot

     

Reply

  • It was my understanding that the device in red would be separated from the rest by means of-

    The device in question set to isolate Endpoint 2 would essentially isolate all traffic within

    End Points 1, 3 & the server isolating themselves from Endpoint 2 or denying all traffic from endpoint 2

    The firewall isolating Endpoint 2 from the internet and other segments and devices as well.

     

    Or am I not understanding this correctly?

    Respectfully, 

     

    Badrobot

     

Children
No Data
Unfiltered HTML