A Guide to Lateral Movement in Cybersecurity
When it comes to cybersecurity, it’s important to understand the tools, techniques, and thought processes of threat actors. Once adversaries have initial access to a network, lateral movement allows them to extend access and maintain persistence by compromising additional hosts in the network of their target organization. Threat actors can gather information about the company’s user activity and credentials, location of important data, and leverage methods for escalating privilege to successfully complete their attack, theft or espionage activities.
Read more below to learn about lateral movement detection, types, and how to address the threats.
What is Lateral Movement?
Lateral movement is a common tactic used by cyber attackers for pivoting throughout a network in order to gain access to sensitive and user information at their victim organization.
After threat actors gain access to a company’s network, they will typically try to gather as much information as possible about the organization through lateral movement and reconnaissance, including the location of key information, user activity, how to obtain privileges, and how to avoid detection. All this information is gathered stealthily and on as many components or devices as possible before any theft or damage is attempted.
For example, reconnaissance through lateral movement can help cyber attackers understand how sensitive data may be encrypted or exfiltrated, depending on which machines traffic the largest amount of information. It can also reveal which machines on the network may hold account or subnet data, how to escalate privileges to gain administrative or system access, or where passwords may be stored. The more time successful lateral movement is undetected, the greater the foothold threat actors have within a network.
Why Attackers Use Lateral Movement
Lateral movement can be a very effective tactic for cyber attackers to employ because it allows them to learn a great deal about the network of their victim organization. The BianLian group is a recent example of threat actors using lateral movement. Typically with lateral movement, all of the information gathered at this stage of the cyber attack can help threat actors determine the most effective way to steal from or damage the target business. It also systematically allows them to gain persistence to multiple parts of a network, which means that even if they are detected on one device, they can continue their attack in other areas.
Lateral movement typically includes:
- Network Discovery. Adversaries have an opportunity to see and understand the organization’s network, identify trust boundaries, and learn which types of users have what levels of access.
- Defense Evasion. Using this gained knowledge, cyber attackers can match their actions to typical user actions, which minimizes the chance for detection.
- Collection and Exfiltration. Threat actors use lateral movement to find their target location in order to exfiltrate the sensitive data.
- Privilege Escalation. By stealing valid credentials, threat actors can secure additional privileges at the administrative level to further infiltrate the system and achieve nefarious goals.
How Attackers Achieve Lateral Movement
Threat actors employ a variety of techniques to achieve lateral movement successfully. They include:
- Credential Access
- Exploitation of Remote Services
- Pass the Hash
- Kerberos Attacks
- Cookie Theft
- Taint Shared Content
In order to begin lateral movement activity, cyber attackers must obtain valid credentials to access an organization’s system, usually through a single device. After obtaining access, they can then move to additional machines that require the same privilege level as the original machine.
Threat actors can obtain initial privileges through credential dumping, password stores, or capturing input. Credential dumping happens when a tool such as mimikatz (an open source malware program) accesses stored credentials within an operating system. Common password storage locations such as password managers or web browsers can be tapped, and threat actors may also log keystrokes or monitor clipboards as users type or copy passwords to gain access.
Exploitation of Remote Services
Remote services are often exploited for successful lateral movement. SMB and RDP have several well-known vulnerabilities. In addition to services native to an operating system, remote access software used by IT and System Administrators can be abused and leveraged by threat actors for successful lateral movement.
Pass the Hash
This technique uses stolen password hashes, typically obtained through credential dumping, to avoid authentication controls. Threat actors do not have to crack the hashes in order to use them effectively, instead exploiting the authentication protocol.
Pass the Ticket
Very similar to Pass the Hash, Pass the Ticket is the Kerberos variety, which uses stolen Kerberos tickets to move laterally. No access to the account’s plaintext password is needed.
In order to authenticate web applications, session cookies are stolen and then replayed. This is a significant vulnerability within single sign on devices that are not managed properly.
Taint Shared Content
Threat actors who upload malicious code or compromise existing files on shared drives can successfully move laterally within the network as other users access this shared content.
Types of Attacks That Use Lateral Movement
A wide variety of cyber attacks today use lateral movement. They include but are not limited to:
- Data Exfiltration
- Botnet Infection
Possibly the most publicized and feared type of cyber attack, ransomware holds key data or network access hostage until a large sum of money is paid to the threat actors.
Lateral movement can allow these cyber attackers to infect multiple devices within a network to gain leverage over an organization. By targeting mission-critical servers, threat actors can halt a business’s daily workflow, making it impossible for employees to function or serve customers until a ransom is paid. In addition, threat actors may exfiltrate sensitive information and threaten to delete, encrypt or release the data onto the dark web if ransom terms are not met.
Because sensitive data is often stored in a guarded environment, lateral movement techniques must be used to find and access this information before it can be stolen. Once successful, threat actors can copy this sensitive data including intellectual property, customer identification or financial information and use it to damage the organization or hold it for ransom.
Although cyber attacks are most often associated with data and identity theft or ransomware assaults, they can also be used for espionage, or the act of network spying. Unlike typical attacks, threat actors involved with espionage want to remain undetected for as long as possible as they troll throughout a network.
Lateral movement allows these individuals to watch the actions of users on the network as well as collect important information about what systems are doing over time.
Lateral movement can effectively increase the number of devices that a cyber attacker can control in a botnet infection. During a botnet attack, threat actors take over multiple devices within a system and place them under their own control by using malware. Often known as distributed denial-of-service (DDoS) attacks, these violations render devices unusable by legitimate individuals through a network interruption.
Stop Lateral Movement in Its Tracks
By employing effective security controls to combat lateral movement, organizations can stop lateral movement activity before it affects their network or systems. Here are key actions to do so:
- Use two-factor authentication (2FA): This security method asks users for two forms of identification to gain access to data, helping businesses monitor and protect sensitive data and critical networks.
- Enforce least privilege: Make sure that all users can access only the level of data and resources required for their jobs and no more. Protect administrative and system access closely.
- Segment networks appropriately: Monitor trust boundaries and be sure networks are segmented to protect against lateral movement.
- Maximize existing security tools: Many organizations utilize a wide number of security appliances and tools that come with security infrastructure to detect anomalous logins. For example, utilize the conditional access policies in Azure.
- Proactively hunt for threats: Don’t get overloaded by security alerts. Invest in a security solution that provides actionable threat intelligence and hunting to minimize false positives and addresses critical issues.
- Partner with a vCISO: A vCISO, or virtual CISO, provides companies with years of cybersecurity management experience and threat defense on a part-time basis. vCISOs are great solutions for businesses that are not yet ready for a full-time CISO.
Ideally, your security team’s lateral movement detection and responses will be adhering to the 1-10-60 rule. In short, when your cyber infrastructure is attacked, it should take one minute to detect, 10 minutes to investigate and 60 minutes to address the threat.
Closing Thoughts On Lateral Movement Cybersecurity
Although lateral movement is a common and effective tactic for today’s threat actors, experienced security experts can help organizations mitigate the damage they can cause.
Cybersecurity services from [redacted] include lateral movement detection, empowering organizations to locate and eliminate attackers before they have the chance to get a foothold in their networks and giving them peace of mind. To learn more about the benefits of having an experienced cloud security team to lean on, schedule a call with us today.
Lauren serves as the Director of Incident Response and Forensics at [redacted] where she’s frequently found on the front lines, leading incident response efforts on behalf of clients. Prior to joining [redacted], Lauren worked at Los Alamos National Laboratory where she specialized in malware analysis as a member and occasional leader of the incident response team. She enjoys teaching technical content and has experience teaching malware analysis to students ranging from private sector managers to US military and everything in between. She holds a BS and MS in Computer Criminology - Computer Science and a BA in International Affairs, all from Florida State University.