What is Lateral Movement?
Lateral movement is a key tactic used by advanced persistent threats (APTs): threat actors that remain inside a network for an extended period of time while passing as legitimate users. APTs use lateral movement to spread from the first compromised host across the rest of the network. This type of attack is usually carried out by a human operator rather than by fully automated malware, and targets particular users in a chosen organization.
When carrying out an attack using lateral movement, there are a number of stages that the threat actor will perform, in order to gain persistence and move deeper inside the organizational network:
The first stage of a lateral movement attack is the initial compromise of a system in the network. This is often achieved through remote access tools that connect to a computer's desktop. Such tools are attractive to an attacker because they are routinely used for legitimate administration, so their use is unlikely to raise any red flags even over an extended period of time, and the session itself passes through perimeter controls that would block a more obvious intrusion. Once the attacker has a foothold on that first system and a route from it into the wider organizational network, the next stage of lateral movement, reconnaissance, can begin.
During reconnaissance, the attacker gathers as much intelligence as possible about the targeted network. This involves extensive exploration, inspection, and observation. The goal is to map the network in detail and identify the aspects that will shape the lateral movement strategy, such as the number and type of users, network hierarchies, naming conventions, connected devices, and operating systems.
To carry out this reconnaissance, the threat actor may use built-in system tools, such as those shipped with a default Windows installation. For example, netstat and ipconfig are command line tools, and PowerShell is a scripting shell, that can be used to enumerate the infected device's network configuration and active connections. Because these tools are present on most computers and used every day by administrators, their activity is largely overlooked and assumed to be benign, which makes it easier for the attacker to stay under the radar; this approach is often called 'living off the land'. The attacker may instead bring an external, open-source tool, although this is easier to detect, since it introduces a new binary onto the host.
After gaining the required information, the attacker can plan a detailed strategy for effective lateral movement through the network.
Within the network, the most valuable and sensitive data will be well protected. The next stage is gaining the access needed to reach that data and move laterally inside the network. To obtain it, the threat actor may use stolen credentials, privilege escalation, or a combination of the two.
Armed with additional privileges, the attacker can now perform a variety of malicious actions, such as deleting or editing valuable data, viewing sensitive information, or installing malware that enables further attacks. If credentials were stolen beforehand, every login succeeds on the first try, so there are no failed login attempts to raise suspicion; detection then has to rely on where, when and how often an account logs on rather than on authentication failures.
Last but not least is the lateral movement itself. With access to many resources, the attacker now moves through the network, compromising more devices and applications using remote access. Moving through servers and endpoints alike, they continue to gather information and adapt their strategy, with the ultimate objective of exfiltrating the organization's most sensitive and valuable data.
Malicious lateral movement can be difficult to detect because it is often unpredictable and blends in with normal network traffic, especially when a human operator uses the standard system tools that ship with an operating system. It is important to have prevention, detection and response solutions in place that can identify malicious lateral movement and maintain the security of the network. Here are some recommendations:
Protecting your endpoints is a simple yet crucial step toward stopping lateral movement attacks before they start, since the initial compromise of an endpoint is the prerequisite for lateral movement. Keeping system software up to date is also vital, as updates patch the vulnerabilities that threat actors use to gain that first foothold.
However, perimeter-based security solutions are not enough by themselves. If an attacker does manage to breach the perimeter, they then have free access to resources inside a flat network. Additional controls inside the network are needed to stop lateral movement.
If login credentials, such as passwords, are weak, it is far easier for an attacker to escalate privileges and move laterally to protected resources. Enforce multi-factor authentication for access to applications and data, especially for remote access and administrative logins. Require strong, unique passwords, rotate them when compromise is suspected rather than on a fixed schedule (forced periodic changes push users toward predictable patterns), and monitor the network for repeated incorrect login attempts.
Provide every user with a standard account for everyday use. Users who require administrative rights should have a separate account with administrative privileges, used only for performing administrative tasks. This makes suspicious administrator account usage, such as an admin account logging on from an ordinary workstation, easier to spot, and makes it harder for an attacker who compromises a user's everyday session to move laterally through the network.
Cyber threat hunting is a proactive method in which networks are searched thoroughly and repeatedly for traces of threats that would otherwise evade detection. Because the attacker is looking for valuable information, the pattern in which data and hosts are accessed may differ from that of a legitimate user, and statistical techniques can be used to surface these anomalies. The threat hunter must be able to recognise known attack behaviours while also watching for new forms of attack, for the best chance of detecting lateral movement attempts.
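The two hunting ideas above, that stolen credentials leave no failed logins behind and that separate admin accounts make their misuse visible, can be turned into a concrete rule. The following Python script is an added example, not code from the original article or from any vendor: it runs over constructed Windows Security log records (event 4624, with network and RDP logon types 3 and 10) and flags a source host that authenticates to many distinct targets within a short window, plus any account following an assumed "adm-" naming convention that logs on from a host outside an assumed list of admin workstations. All hostnames, addresses, account names and thresholds are invented for the example.

```python
"""
Added example: hunt for lateral movement in Windows logon events when every
logon succeeds (stolen credentials) and failed-logon alerting sees nothing.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; fields mirror event 4624 but the hostnames,
# users and addresses are invented for this example.
# (timestamp, event_id, logon_type, account, source_ip, target_host)
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:05", 4624, 3,  "jsmith",     "10.1.5.23", "FS01"),
    ("2024-03-01T09:01:10", 4624, 2,  "jsmith",     "10.1.5.23", "WS-023"),
    ("2024-03-01T13:02:00", 4624, 3,  "adm-jsmith", "10.1.5.23", "FS01"),
    ("2024-03-01T13:02:07", 4624, 3,  "adm-jsmith", "10.1.5.23", "FS02"),
    ("2024-03-01T13:02:15", 4624, 3,  "adm-jsmith", "10.1.5.23", "SQL01"),
    ("2024-03-01T13:02:31", 4624, 10, "adm-jsmith", "10.1.5.23", "APP03"),
    ("2024-03-01T13:03:02", 4624, 3,  "adm-jsmith", "10.1.5.23", "DC01"),
    ("2024-03-01T13:10:00", 4624, 3,  "adm-kwong",  "10.1.9.10", "FS01"),
]

ADMIN_HOSTS = {"10.1.9.10"}        # assumed: dedicated admin workstation(s)
ADMIN_PREFIX = "adm-"              # assumed: naming convention for admin accounts
REMOTE_LOGON_TYPES = {3, 10}       # 3 = network (SMB, WMI, PsExec), 10 = RDP
WINDOW = timedelta(minutes=5)
FANOUT_THRESHOLD = 4               # distinct targets from one source per window


def parse(rec):
    ts, eid, ltype, account, src, target = rec
    return {"ts": datetime.fromisoformat(ts), "event_id": eid,
            "logon_type": ltype, "account": account, "src": src, "target": target}


def remote_logons(events):
    """Successful logons that came in over the network or RDP."""
    return [e for e in events
            if e["event_id"] == 4624 and e["logon_type"] in REMOTE_LOGON_TYPES]


def fanout_sources(events, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Map source -> set of targets for every source that reached at least
    `threshold` distinct hosts inside some sliding window of length `window`."""
    by_src = defaultdict(list)
    for e in remote_logons(events):
        by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1                      # slide the window forward
            targets = {e["target"] for e in evs[start:end + 1]}
            if len(targets) >= threshold:
                hits[src] = hits.get(src, set()) | targets
    return hits


def admin_from_workstation(events, admin_hosts=ADMIN_HOSTS, prefix=ADMIN_PREFIX):
    """Admin-tier accounts used from a host that is not an admin workstation."""
    return sorted({(e["account"], e["src"], e["target"])
                   for e in remote_logons(events)
                   if e["account"].startswith(prefix) and e["src"] not in admin_hosts})


def hunt(records=SAMPLE_EVENTS):
    events = [parse(r) for r in records]
    return {
        "fanout": fanout_sources(events),
        "admin_from_workstation": admin_from_workstation(events),
        # note: zero failed logons (4625) despite the activity above
        "failed_logons": sum(1 for e in events if e["event_id"] == 4625),
    }


if __name__ == "__main__":
    for name, finding in hunt().items():
        print(name, finding)
```

On the sample data the script reports one source, 10.1.5.23, reaching five servers in about a minute using an admin account from an ordinary workstation, while the failed-logon count stays at zero; the same rule against a real SIEM export only needs the parser replaced, and the threshold tuned to the fan-out that backup, monitoring and patch-management hosts legitimately produce.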
A zero-trust approach assumes that no user or device inside the network is trusted by default; access is granted explicitly, which helps prevent lateral movement. To achieve this, every user connected to the network should have access only to the resources needed for their routine activities, a concept known as 'least privilege'. Any additional privileges should be granted on an as-needed basis, and only for the specific resources required for the current task.
Your security team should also use microsegmentation: dividing the network into many small segments, down to the level of an individual workload. Every microsegment, or group of similar microsegments, is then controlled by its own tailored security policy. Coupled with least-privilege access, microsegmentation makes it extremely difficult for an attacker to move laterally, as each microsegment sits behind its own safeguarded 'micro-perimeter' and a compromised workload can reach only the few neighbours its policy allows.
Lateral movement is the process by which attackers move through a network after gaining initial access. Advanced detection and response solutions combine several of the above measures to protect against it. For example, a solution might use microsegmentation and least-privilege access to make applications invisible to users who are not authorised for them, so that a compromised host has nowhere to move laterally to.