Lateral Movement: Legitimate Activity or Real Threat?
By Infogressive Team | March 19, 2019
A good disguise can go a long way.
Concealing your real identity and priorities can get you far, especially in cybersecurity.
When an attacker is disguised as a legitimate user, it’s harder to detect their presence, often until it’s too late. This is most evident during the cyberattack stage of lateral movement. To fight an attack at this stage, it’s important to know the objectives of lateral movement and ways to prevent an intruder’s attack from spreading.
What is lateral movement?
Lateral movement is the technique attackers use to move throughout a network, searching for information, company secrets, or credentials. It’s a pivotal stage in the cyberattack lifecycle as the attacker looks for their ultimate target or for additional ways to gain access to it.
This is where the attacker navigates sideways, penetrating deeper into the network, digging around for credentials or data. In order to maintain their persistence on the network and gain higher privileges, they have to make their move throughout the network. Their methods become difficult to detect as they use tools typically used by administrators.
What is the objective of lateral movement?
As the attacker moves deeper and laterally within the system, they often have a number of objectives they hope to accomplish with their lateral movement.
Most attackers do in-depth reconnaissance before the attack ever takes place, but once a hacker has found an entry point on the system, they use lateral movement to gain additional information. This could be a network hierarchy or detailed information on the operating system. They might also check naming conventions to help them identify what assets to target in their attack.
This information can help them plan their next move, or help them know what steps to take next in their already-planned attack. They can also find the ports necessary to make a connection between the compromised network and their home base, obtaining command and control of the system.
Another purpose of lateral movement is to escalate privileges to gain additional access to other areas on the network they need to complete their attack. Whether that’s done through password authentication tools or brute force, once the attacker has higher privileges, they are quick to move to new areas on the system.
Remote access to other tools or computers
Lateral movement can also be used to access additional tools or computers on the network. This objective of lateral movement can also help an attacker establish command and control, using control of both sides of the connection to pass data back and forth between the impacted network and their own external system. Because many remote access tools are used by IT teams, this activity won’t necessarily trigger any warning signs.
4 Ways to Minimize Lateral Movement
“Lateral movement actions often eschew malware in favor of stealing or reusing a valid user’s credentials…impersonating a valid user gives attackers a quieter and subtler way to spread through a network than directly exploiting multiple machines…it’s critically important for security professionals to build up the internal network intelligence that can recognize the tell-tale signs when credentials are abused or abnormally used.” –Wade Williamson in Security Week
Whether lateral movement seeks to increase access through user credentials or by installing additional malware on the system, there are security tools and strategies that can help detect this movement and mitigate the harm.
1. Endpoint Security and Detection
Increasing the security of your endpoints should be a top priority to fight potential attacks. But if that security fails or an employee unknowingly gives data to an attacker, it’s critical to have a plan in place to detect the foreign activity before it moves throughout your system. Most advanced attacks move slowly through your system to gain persistence and escalate their privileges. Tools like Endpoint Detection & Response can detect the abnormal user behavior, even when the activity is done by legitimate users.
According to a report from the IDC (International Data Corporation), 70% of successful breaches start on endpoint devices. With the right tools in place, you can detect and fight these attacks.
2. Reduce Security Privileges
Because one of the main priorities of lateral movement is to gain additional access and privileges on the network, it can be difficult to detect the threat or gain visibility into its movement. However, a good step to minimize the potential for malicious activity is by managing the security privileges of users on your network—if they don’t need access, don’t give it to them.
3. Internal Cybersecurity Training
More than 90% of cybersecurity incidents result from human error. It can cost millions of dollars to recover from these incidents, so it’s important to train your team to know what to look for, what to avoid, and how (and when) to report suspicious network activity.
Internal training should prepare your employees on topics such as:
- Password protection
- Multi-factor authentication
- Phishing attacks
- Protecting sensitive data
- Reporting potential attacks
4. Behavioral Analysis
As lateral movement continues to be a strong attack strategy used by intruders, it’s important to build a system that can detect when credentials have been stolen.
This is where behavioral analysis comes in. Unless you are constantly on the lookout for abnormal behavior, like late-night logins or sudden movement of data, many of these actions by credentialed users might make it past your security defenses. But these low and slow intrusions are exactly what you need to protect against. Lateral movement is how an intruder turns one foothold into increased access to your network and data, and tracking user behavior might be your only opportunity to detect and fight them.
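As an added example that is not part of the original post or of any Infogressive tooling, the Python script below shows the kind of baseline check this section describes, run over a few constructed authentication events. It flags successful logins outside assumed business hours and, going one step beyond the text, a single account that authenticates to an unusual number of distinct hosts inside a short window, which is the credential-reuse pattern the Security Week quote above refers to. The log format, the field names, the business-hours boundaries, the window length and the threshold are all assumptions chosen for illustration and would be tuned per environment.

```python
"""Toy behavioral baseline over authentication events.

Illustrative example only (not the post's or Infogressive's code). Every log
line here is constructed sample data; every threshold is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events in an assumed format: timestamp,user,source_host,target_host,result
SAMPLE_LOG = """\
2019-03-18T09:02:11,alice,WS-ALICE,FS-01,success
2019-03-18T09:15:40,alice,WS-ALICE,FS-01,success
2019-03-18T10:30:05,bob,WS-BOB,FS-02,success
2019-03-18T02:41:19,alice,WS-ALICE,FS-01,success
2019-03-18T02:42:03,alice,WS-ALICE,SRV-HR,success
2019-03-18T02:42:30,alice,WS-ALICE,SRV-FIN,success
2019-03-18T02:43:12,alice,WS-ALICE,DC-01,success
2019-03-18T02:44:01,alice,WS-ALICE,SRV-DEV,success
2019-03-18T14:10:00,bob,WS-BOB,FS-02,success
"""

# Assumed tuning knobs: business hours 06:00-20:00 local time, and "too many"
# means four or more distinct target hosts touched by one account in ten minutes.
OFF_HOURS_START = 20
OFF_HOURS_END = 6
FAN_OUT_WINDOW = timedelta(minutes=10)
FAN_OUT_THRESHOLD = 4


def parse_events(text):
    """Parse the constructed CSV-style lines into dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, src, dst, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "dst": dst, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def is_off_hours(ts):
    """True when the timestamp falls outside the assumed business-hours window."""
    return ts.hour >= OFF_HOURS_START or ts.hour < OFF_HOURS_END


def detect(events):
    """Return a list of (rule, user, timestamp, detail) tuples.

    Rule 1, off_hours_login: a successful login outside business hours.
    Rule 2, host_fan_out: one account reaching FAN_OUT_THRESHOLD distinct
    hosts within FAN_OUT_WINDOW. It fires once when the threshold is crossed
    and re-arms only after the account's recent activity drops below it.
    """
    alerts = []
    recent = defaultdict(list)   # user -> successful events inside the window
    fanned_out = set()           # users currently above the fan-out threshold
    for e in events:
        if e["result"] != "success":
            continue             # failures would feed a separate brute-force rule
        if is_off_hours(e["ts"]):
            alerts.append(("off_hours_login", e["user"], e["ts"].isoformat(), e["dst"]))
        window = recent[e["user"]]
        window.append(e)
        while e["ts"] - window[0]["ts"] > FAN_OUT_WINDOW:
            window.pop(0)        # slide the window forward
        targets = {h["dst"] for h in window}
        if len(targets) >= FAN_OUT_THRESHOLD:
            if e["user"] not in fanned_out:
                fanned_out.add(e["user"])
                alerts.append(("host_fan_out", e["user"], e["ts"].isoformat(), sorted(targets)))
        else:
            fanned_out.discard(e["user"])
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run against the constructed sample, the script raises five off-hours alerts for alice and a single fan-out alert when her fourth distinct host is reached at 02:43; bob, whose two daytime logins to one file server look like his baseline, produces nothing. In a real deployment the baseline would be learned per user and per host rather than fixed constants, and the fan-out rule would be weighted by how sensitive the targets are (a domain controller counts for more than a print server).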
As you create barriers to lateral movement, you are better prepared to protect your valuable data, or slow down the attack so that you can manage and fight its impact. Invest in security that will rip the disguise off your attacker’s movements so you can protect your network and data.