The principle of least privilege limits an attacker's ability to move freely through the network. We previously considered least privilege in terms of system access authorizations, but when discussing lateral movement and privilege escalation the principle is best applied to user account access.
Attackers often collect multiple sets of user credentials to gain access to other parts of the network. By restricting each user's access to only the resources their daily tasks require, security teams limit what an attacker can achieve with those same credentials. In addition to role-based privilege restrictions, access can be restricted based on the expected context of the activity, such as the time of day at which remote access is allowed and what users connecting from particular geographic locations are able to do.
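The following is an added example, not code from the original text, of how role-based and contextual restrictions combine into a single access decision. The roles, resources, time windows and country lists are hypothetical; the point is that the same stolen credentials replayed off-hours, from an unexpected country, or against a resource outside the role are refused even though the password is correct.

```python
"""Contextual least-privilege policy check (added example; roles and data are made up)."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Role:
    resources: FrozenSet[str]                    # what members of this role may reach
    remote_window: Optional[Tuple[time, time]]   # local times when remote access is allowed
    allowed_countries: FrozenSet[str]            # source countries permitted for this role


# Hypothetical role definitions: each role sees only what its daily tasks need.
ROLES: Dict[str, Role] = {
    "finance": Role(frozenset({"erp", "payroll"}), (time(7, 0), time(19, 0)), frozenset({"US"})),
    "engineer": Role(frozenset({"git", "ci", "jira"}), (time(6, 0), time(22, 0)), frozenset({"US", "DE"})),
    "helpdesk": Role(frozenset({"ticketing"}), None, frozenset({"US"})),  # no remote access at all
}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    resource: str
    when: datetime      # local time of the attempt
    remote: bool        # True when the attempt arrives over remote access (VPN, RDP gateway, ...)
    country: str        # country resolved from the source address


def evaluate(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; the first failing check is reported."""
    role = ROLES.get(req.role)
    if role is None:
        return False, "unknown role"
    if req.resource not in role.resources:
        return False, f"role {req.role!r} has no access to {req.resource!r}"
    if req.country not in role.allowed_countries:
        return False, f"country {req.country} not permitted for role {req.role!r}"
    if req.remote:
        if role.remote_window is None:
            return False, "remote access not permitted for this role"
        start, end = role.remote_window
        if not (start <= req.when.time() <= end):
            return False, f"remote access outside allowed window {start}-{end}"
    return True, "allowed"


# Constructed attempts, including what an attacker holding alice's valid password might try.
SAMPLE_REQUESTS: Dict[str, Request] = {
    "finance_daytime_remote": Request("alice", "finance", "erp", datetime(2024, 3, 4, 10, 0), True, "US"),
    "finance_night_remote": Request("alice", "finance", "erp", datetime(2024, 3, 4, 3, 0), True, "US"),
    "finance_wrong_resource": Request("alice", "finance", "git", datetime(2024, 3, 4, 10, 0), False, "US"),
    "finance_foreign": Request("alice", "finance", "erp", datetime(2024, 3, 4, 10, 0), True, "BR"),
    "engineer_onsite_night": Request("bob", "engineer", "git", datetime(2024, 3, 4, 3, 0), False, "DE"),
    "helpdesk_remote": Request("carol", "helpdesk", "ticketing", datetime(2024, 3, 4, 10, 0), True, "US"),
}


def run_examples() -> Dict[str, Tuple[bool, str]]:
    """Evaluate every constructed request and return the decisions by name."""
    return {name: evaluate(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in run_examples().items():
        print(f"{name:24} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

Note that the time window applies only to remote access: the on-site engineer working at 03:00 is allowed, while the same finance credentials used remotely at 03:00 or from Brazil are denied. The checks are ordered so that the most specific reason is returned, which makes the denial useful as a detection signal.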
When it comes to administration accounts and the principle of least privilege, administrators should also have a standard user account. The administration account should only be accessed for specific, required tasks with the standard account used for the bulk of daily activities.
Administration accounts should be monitored for anomalies, such as an administrator remaining logged into the privileged account for unusually long periods or using it on an unusual number of hosts. If possible, apply the separation of duties and rotation principles to divide administration tasks among several accounts, limiting the access an attacker gains from any single set of administrator credentials.
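As an added example (not code from the original text), the detection logic below runs over constructed logon and logoff events and flags two of the anomalies just described: a privileged account held open far longer than an administrative task should take, and a single set of administrator credentials used across many hosts in one day. The log format, the `adm_` naming convention for privileged accounts and the thresholds are assumptions for illustration.

```python
"""Anomaly checks over administrator account sessions (added example; log lines are constructed)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed events. adm_bob holds one session for over six hours; adm_carol touches four hosts
# in a single evening; dave is a standard account and is outside this check's scope.
SAMPLE_LOG = """\
2024-03-04T08:02:11 LOGON host=srv-fin01 user=adm_alice
2024-03-04T08:24:50 LOGOFF host=srv-fin01 user=adm_alice
2024-03-04T13:10:00 LOGON host=srv-fin02 user=adm_alice
2024-03-04T13:41:30 LOGOFF host=srv-fin02 user=adm_alice
2024-03-04T09:00:00 LOGON host=srv-db01 user=adm_bob
2024-03-04T15:05:00 LOGOFF host=srv-db01 user=adm_bob
2024-03-04T22:10:00 LOGON host=ws-101 user=adm_carol
2024-03-04T22:14:00 LOGOFF host=ws-101 user=adm_carol
2024-03-04T22:15:00 LOGON host=ws-102 user=adm_carol
2024-03-04T22:18:00 LOGOFF host=ws-102 user=adm_carol
2024-03-04T22:19:00 LOGON host=ws-103 user=adm_carol
2024-03-04T22:23:00 LOGOFF host=ws-103 user=adm_carol
2024-03-04T22:24:00 LOGON host=srv-file01 user=adm_carol
2024-03-04T22:40:00 LOGOFF host=srv-file01 user=adm_carol
2024-03-04T09:05:00 LOGON host=ws-044 user=dave
2024-03-04T17:30:00 LOGOFF host=ws-044 user=dave
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>LOGON|LOGOFF)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)$")
ADMIN_PREFIX = "adm_"  # assumption: privileged accounts follow this naming convention


def parse_events(log: str) -> List[dict]:
    """Parse matching lines into dicts with a datetime 'ts', sorted chronologically."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # lines in another format are ignored rather than guessed at
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def build_sessions(events: List[dict]) -> List[dict]:
    """Pair each LOGOFF with the most recent open LOGON for the same user and host."""
    open_logons: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    sessions = []
    for ev in events:
        key = (ev["user"], ev["host"])
        if ev["event"] == "LOGON":
            open_logons[key].append(ev["ts"])
        elif open_logons[key]:
            start = open_logons[key].pop()
            sessions.append({"user": ev["user"], "host": ev["host"], "start": start, "duration": ev["ts"] - start})
    return sessions


def find_anomalies(sessions: List[dict], max_session: timedelta = timedelta(hours=2),
                   max_hosts_per_day: int = 3) -> List[dict]:
    """Flag admin sessions longer than max_session and admin accounts seen on too many hosts per day."""
    anomalies = []
    hosts_per_day: Dict[Tuple[str, object], Set[str]] = defaultdict(set)
    for s in sessions:
        if not s["user"].startswith(ADMIN_PREFIX):
            continue  # standard accounts are judged against their own baselines, not these
        if s["duration"] > max_session:
            anomalies.append({"kind": "long_session", "user": s["user"], "host": s["host"],
                              "detail": str(s["duration"])})
        hosts_per_day[(s["user"], s["start"].date())].add(s["host"])
    for (user, day), hosts in hosts_per_day.items():
        if len(hosts) > max_hosts_per_day:
            anomalies.append({"kind": "host_spread", "user": user, "host": ",".join(sorted(hosts)),
                              "detail": f"{len(hosts)} hosts on {day}"})
    return anomalies


if __name__ == "__main__":
    for a in find_anomalies(build_sessions(parse_events(SAMPLE_LOG))):
        print(a["kind"], a["user"], a["host"], a["detail"])
```

The fixed thresholds stand in for a per-account baseline; in practice the long-session limit would come from each administrator's normal task durations. The host-spread check is the one most directly tied to lateral movement, since one administrator credential appearing on many machines in quick succession is exactly the pattern an attacker with a captured password produces.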
The principle of least privilege also applies to the network. Segment the network into logical components in which trust and communication between segments are strictly controlled. Segmenting the network is akin to creating several mini-networks under the larger network umbrella. An attacker would then need to invest effort comparable to the initial compromise to break into each additional segment, slowing or restricting the attacker's ability to gain access to the full environment. At the same time, each segment boundary the attacker has to cross gives defenders another chance to identify the intrusion through threat hunting and other security controls.