What Is Lateral Movement in Cybersecurity? Meaning, Detection & Prevention

Written By Sambita Panigrahy  
Approved By Anuraag Singh 
Published On September 14th, 2023
Reading Time: 8 Minutes

Lateral Movement Meaning in Cybersecurity: After gaining initial access to a victim’s environment, adversaries use lateral movement techniques to move deeper into a network seeking highly crucial data. They aim to maintain ongoing access, move through the IT environment, and obtain sensitive data.

One practical approach that sets modern advanced persistent threats (APTs) apart from previous simple hacks is lateral movement.

Lateral Movement Attack – Why is it a Matter of Concern?

Even if the intrusion is identified on the computer that was initially infected, lateral movement enables a threat actor to evade detection and maintain access. Additionally, if dwell time is longer than usual, data theft may not happen for weeks or even months after the initial breach.

In addition, after first acquiring access to an endpoint, sometimes through phishing or malware infection, the attacker impersonates a genuine user and proceeds across many systems in the network until they reach their target. Obtaining credentials, escalating privileges, learning about several systems and accounts, and finally gaining access to the targeted payload are all necessary to accomplish that goal. That is what makes it such a dangerous technique.

And, as per MITRE ATT&CK framework, “The use of tools on remote systems is not always a part of lateral movement, which consists of tactics that allow an adversary to access and control remote systems on a network. An adversary might be able to obtain data from a system using the lateral movement techniques without the need of further tools, such as a remote access tool.”

Exactly How Does Lateral Movement Occur?

A network’s initial entry point serves as the starting point for lateral movement. This entry point could be a malware-infected computer connected to the network, a stolen set of user credentials (username and password), a server vulnerability exploited through an open port, or a variety of different attack strategies. Lateral movement happens in different stages.

Stage 1: Usually, the attacker establishes a connection between the entry point and their command-and-control (C&C) server. They send commands to any malware that has been installed and retain information gathered from infected or remotely managed devices.

Stage 2: Once the attacker has gained control of a network device, they begin their reconnaissance. They learn as much as they can about the network, such as what resources the hacked device has access to and, if they have gained access to a user’s account, what rights the user has.

Stage 3: The attacker will next start to move laterally using a procedure known as “privilege escalation.” Here a user—legitimate or unauthorized—gains more privileges than they ought to. In identity and access management (IAM), it can happen unintentionally when user privileges are not properly recorded and assigned. In contrast, attackers deliberately take advantage of system weaknesses to increase their level of access to a network.

Above all, lateral movement attacks use social engineering to trick users. Attackers use various other techniques as well. Let’s look at some of the common ones.

What Common Lateral Movement Techniques Do Adversaries Use?

Technique 1: Keylogger. A keylogger, which records the keys users type, can be used by attackers to obtain user credentials if they enter a network through a flaw or malware infection. Alternatively, they can gain access to a network by phishing for credentials. Attackers begin with a single set of credentials and the rights attached to that user account, regardless of how they obtained them. They try to do as much as possible with one account, then spread to other computers and use credential-theft tools to take over more accounts as they go.

Technique 2: Open-source tools. Attackers use tools like Mimikatz to access passwords, PINs, etc.

Technique 3: Kerberoasting. Adversaries use certain tools to extract Kerberos authentication tickets and reuse them to impersonate authentic users.

Technique 4: Pass the hash. With this technique, attackers capture the hash of an authenticated password and use it to log in to remote devices.

In most cases, the attacker needs administrator-level access to obtain the kind of access necessary to do the most harm or to reach their target. So, they navigate the network laterally until they obtain administrator access. Once they have these credentials, they effectively have power over the entire network.

How to Detect & Prevent Lateral Movement?

Malicious lateral movement can be exceedingly difficult to detect once an attacker wins administrator rights and gains deeper access into a network since it can seem to be “regular” network traffic. A human attacker might also alter plans and use various strategies and tools in response to the data gathered. And when the attacker uses built-in system tools, detection becomes even more challenging. It is critical to find and remove these intruders as quickly as possible in order to avert costly losses.
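The spreading pattern described in this article, one account reaching many machines from a single workstation, can be surfaced from authentication logs. The Python code below is an added example, not part of the original article; the log format, the host and account names, and the thresholds (4 distinct hosts within 60 minutes) are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): time, account, source, destination, outcome
SAMPLE_EVENTS = """\
2023-09-14T09:00:05 alice WS-014 FILE-01 success
2023-09-14T09:02:11 bob WS-022 MAIL-01 success
2023-09-14T13:10:00 alice WS-014 FILE-01 success
2023-09-14T13:41:02 svc_backup WS-031 DB-01 failure
2023-09-14T13:41:40 svc_backup WS-031 DB-02 failure
2023-09-14T13:42:15 svc_backup WS-031 APP-01 success
2023-09-14T13:44:03 svc_backup WS-031 APP-02 success
2023-09-14T13:47:30 svc_backup WS-031 DC-01 success
2023-09-14T15:00:00 bob WS-022 MAIL-01 success
"""

def parse_events(text):
    """Turn each log line into (timestamp, account, source, destination, outcome)."""
    events = []
    for line in text.strip().splitlines():
        ts, account, src, dst, outcome = line.split()
        events.append((datetime.fromisoformat(ts), account, src, dst, outcome))
    return sorted(events)

def find_fanout(events, window=timedelta(minutes=60), min_hosts=4):
    """Flag (account, source) pairs reaching min_hosts distinct destinations within window."""
    by_pair = defaultdict(list)
    for ts, account, src, dst, outcome in events:
        by_pair[(account, src)].append((ts, dst, outcome))
    alerts = []
    for (account, src), rows in by_pair.items():
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            hosts = {dst for _, dst, _ in span}
            if len(hosts) >= min_hosts:
                failures = sum(1 for _, _, o in span if o == "failure")
                alerts.append({"account": account, "source": src, "first_seen": span[0][0],
                               "hosts": sorted(hosts), "failures": failures})
                break  # fire once per account/source pair, as soon as the threshold is met
    return alerts

if __name__ == "__main__":
    for alert in find_fanout(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Routine logons by alice and bob to a single server stay below the threshold, while the burst from WS-031 is flagged together with its failed attempts, which gives an analyst context for prioritizing the alert.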

Know the 1-10-60 Rule of Breakout Time

Breakout time is the amount of time it takes for a compromised workstation to start migrating laterally into other systems in the network. According to data from CrowdStrike, the average breakout time last year was 1 hour and 58 minutes. This indicates a company has around two hours to identify, look into, and eliminate or contain the threat. If it takes longer, there is a chance that the opponent will steal or damage your valuable assets and crucial data.

Most private-sector businesses aim to abide by the 1-10-60 rule, which states that an incursion should be discovered within one minute, investigated within ten minutes, and isolated or resolved within sixty minutes. The longer an opponent is permitted to travel laterally over a prolonged dwell period, the greater the likelihood that an attack will ultimately succeed.

Now, let’s get familiar with the prevention steps.

3 Steps for Preventing Lateral Movement

Following the given steps, you can strengthen your defenses and eliminate the dwell time.

Step 1: Get Rid of Outdated Endpoint Security Solutions

Over the course of several months, there were numerous high-profile attacks that moved laterally to quickly elude typical defenses. Many businesses still rely on outdated or conventional security measures, which are simple targets for contemporary hacking tools, and modern attackers plan their attacks around this. If you want to defend against the sophisticated threats of today, you must upgrade to comprehensive tooling that incorporates next-generation AV and behavioral analytics capabilities.

Step 2: Search for Advanced Threats 

Many firms experience breaches not because there aren’t enough notifications, but rather because there are too many to look into. Excessive alerting and false positives may cause alert fatigue.

If your security solutions are producing too many false positives or if you’re receiving warnings without context or a method to prioritize them, it’s only a matter of time before a crucial alarm is ignored. That’s why it is crucial to have actual professionals actively monitoring what is happening in your environment and alerting your team in detail when odd activity is discovered.

Note: If you want to opt for professional help for securing your IT environment, then contact your cyber experts now! They will suggest the perfect solution as per your organization’s security requirements.

Step 3: Retain the Cyber Hygiene

Cyber hygiene is important to keep your computers, networks, and data safe from all sorts of threats, including malware, ransomware, and other attacks. 

However, your users and clients depend on you to keep any of their personal data that you hold safe as well. This goes beyond just safeguarding your equipment and infrastructure. 

So, remove any potential vulnerabilities in your network environment, such as out-of-date or unpatched systems & software, and maintain cyber hygiene.


Q- What are the signs of a lateral movement?

If you see unusual network traffic, multiple failed login attempts, suspicious user account activity, the presence of unfamiliar tools, etc., your organization might be experiencing a lateral movement attack.

Q- What should organizations do once they suspect a lateral movement attack?

The first thing they need to do is isolate the compromised system, investigate the security incident thoroughly, and take remediation actions such as patching the security gaps, changing passwords, etc.

Q- What role does lateral movement play in conducting other advanced attacks?

It plays a critical role in executing advanced attacks, because threat actors use it to maintain a persistent presence in a target network, move laterally to access valuable assets, and remain undetected for extended periods.

Q- How to stop lateral movement in a network?

Organizations can stop lateral movement in a network by implementing proactive security measures. Apart from that, they should continuously monitor their networks and be ready with a robust incident response plan.