Lateral movement refers to the techniques that a cyber attacker uses, after gaining initial access, to move deeper into a network in search of sensitive data and other high-value assets.
After entering the network, the attacker maintains ongoing access by moving through the compromised environment and obtaining increased privileges using various tools.
What is Lateral Movement?
Lateral movement is a key tactic that distinguishes today’s advanced persistent threats (APTs) from simplistic cyberattacks of the past.
Lateral movement allows a threat actor to avoid detection and retain access, even if discovered on the machine that was first infected. And with a protracted dwell time, data theft might not occur until weeks or even months after the original breach.
After gaining initial access to an endpoint, such as through a phishing attack or malware infection, the attacker impersonates a legitimate user and moves through multiple systems in the network until the end goal is reached.
Attaining that objective involves gathering information about multiple systems and accounts, obtaining credentials, escalating privileges, and ultimately gaining access to the identified payload.
Common Stages of Lateral Movement
There are three main stages of lateral movement: reconnaissance, credential/privilege gathering, and gaining access to other computers in the network.
During reconnaissance, the attacker observes, explores, and maps the network, its users, and devices.
This map allows the intruder to understand host naming conventions and network hierarchies, identify operating systems, locate potential payloads and acquire intelligence to make informed moves.
Threat actors deploy a variety of tools to find out where they are located in the network, what they can get access to, and what firewalls or other deterrents are in place.
An attacker can leverage many external custom tools and open-source tools for port scanning, proxy connections, and other techniques, but employing built-in Windows or support tools offer the advantage of being harder to detect.
Credential Dumping and Privilege Escalation
To move through a network, an attacker needs valid login credentials. The term used for illegally obtaining credentials is called “credential dumping.”
One common way to obtain these credentials is to trick users into sharing them by using social engineering tactics such as typosquatting and phishing attacks. Other common techniques for stealing permissions:
Pass the Hash: An authentication method that does not require a login to the user’s password. This technique bypasses standard acquisition steps by acquiring valid password hashes which, once authenticated, allow the attacker to perform actions on local or remote systems.
Pass the Ticket: A way to authenticate using Kerberos tickets. An intruder who has compromised a domain controller can generate a Kerberos “golden ticket” offline that remains valid indefinitely and can be used to impersonate any account, even after a password reset.
Tools like Mimikatz: Used to steal cached cleartext passwords or authentication certificates from the memory of a compromised machine. They can then be used to authenticate on other machines.
Keylogging tools: Allow the attacker to acquire the password directly when an unsuspecting user enters it via the keyboard.
The process of performing internal reconnaissance and then bypassing security controls to compromise successive hosts can be repeated until the target data has been found and exfiltrated. And, as cyberattacks become more sophisticated, they often contain a strong human element.
This is particularly true for lateral movement, when an organization might be faced with moves and countermoves from an adversary. But human behavior can be detected — and intercepted — by a robust security solution.
Attacks types used
Many types of attacks use lateral movement to reach as many devices as possible or to move around the network, until a certain goal is reached. Here are some examples.
Botnet attacks: devices detected by cybercriminals can be added to a botnet. Botnets are often employed in Distributed Denial-of-Service (DDoS) attacks, but they can also be used for a number of other malicious purposes. Using lateral movement, a hacker can connect as many devices as possible to their botnet, making it stronger.
Ransomware attacks: as it is known, a ransomware is a sophisticated malware that encrypts organizational processes crucial data or personal data. After the infection has occurred, the victims receive a message informing them that a certain amount of money (ransom) must be paid to obtain the decryption key. Normally, there is also a time limit to complete the payment, otherwise the files could be lost forever. Once activated, the ransomware will severely disrupt the company’s operations, at least temporarily if you do not have an excellent data backup.
Data transfer: is the act of intentionally stealing confidential information from within an organization to the outside of the perimeter without authorization. To get the wanted data, attackers usually have to move sideways from their starting point of intrusion. Data transfer can be done through hacking, malicious software, and social engineering attacks.
Cyber espionage campaigns: cyber espionage is a common practice among opposing countries or political groups, hacker groups, and organizations everywhere, regardless of the reason. When the hacker’s intention is only surveillance, without financial gain, they will do their best to remain hidden and implanted in the network for as long as possible. It differs from a ransomware attack, in which the hacker makes known his intentions to receive the ransom.
Detecting Lateral Movement
Lateral movement is hard, if not impossible, for prevention controls to block automatically.
Early detection is an essential strategy to shut down the lateral movement. The longer time it takes to detect it, the more damage is done, resulting in far greater investigation and recovery costs.
Even if organizations collect the necessary data needed to uncover lateral movement, the traditional problem is properly using it.
Behavioral analytics is the easiest way to find lateral movement attacks. The first step is to collect and stitch together key data, including network, endpoint, cloud and identity data.
Using behavioral analytics and machine learning, security tools can profile user and device activity to identify administrators, standard users, endpoints, and servers. Analytics can also identify which users are associated with which applications and devices.
Based on this information, security tools can detect a normal user acting like an administrator, or an administration whose credentials have been misused for unexpected administrative access.
Threat actors may also compromise hosts by installing malicious code on network file shares or manipulating computer logon scripts.
Cybersecurity teams can detect these techniques by looking for credential abuse and excessive failed logins.
If multiple devices share the same credentials or if a single device logs in to network resources from distinct accounts in a short period of time, an attack may be in progress.
The user’s machine might be compromised if a normal user exhibits admin behavior, such as managing remote machines.
Mitigation and prevention
It is important that security teams are able to quickly and accurately detect lateral movements in order to prevent malicious actors from expanding their reach within an organization.
A great start, when it comes to lateral movement prevention and detection, would be a better understanding of the concept.
It is essential to know how it works and what are the first signs to recognize it. Here are some useful tips:
- Regularly update outdated software: all services, applications, operating systems and endpoints should use the latest version of the software;
- Remove systems that have not been updated: protect unpatched systems by separating them from the rest of the network, perhaps creating a massively protected DMZ from unauthorized persons;
- Filter open ports: To help protect against frequent attacks and malware infections, make sure there are no ports open without a good reason;
- Implement the principle of least privilege: in this way, users can only have access to information and perform actions they need to do their job, preventing them from obtaining additional data that does not concern them;
- Maintain proper IT hygiene: To protect yourself from lateral movement, need to make sure your organization covers the basics of network security. Usually, an attack occurs when a company has inadequate IT hygiene;
- Use unique passwords: ensure the use of passwords that are difficult to guess and secure, Single Sign-On (SSO), multi-factor authentication (MFA) and limited access protocols;
- Perform continuous backups of confidential data: the integration of a solid backup strategy for critical information, systems and apps, helps ensure business continuity in the event of a security breach;
- Detection of sophisticated threats: the identification of threats is a necessary cyber defense action (monitoring with integrated and intelligent antivirus). It refers to the process of searching through networks to discover and isolate advanced threats that bypass existing security solutions.