Using lateral movement techniques attackers use low-level web servers, email accounts, employee devices or other similar starting points to successfully infiltrate a network. However, the initial intrusion is only a starting point for access — attackers target financial data, intellectual property, personally identifiable information (PII) or other sensitive information. Once an attacker establishes initial access, their goal is to move within the internal network to access the organization’s crown jewels or target data and attempt to exfiltrate the data.
What is lateral movement?
Lateral movement techniques are widely used in sophisticated cyber-attacks such as advanced persistent threats (APTs). The adversary uses these techniques to access other hosts from a compromised system and get access to sensitive resources, such as mailboxes, shared folders, or credentials. These can be used in turn to compromise additional systems, for privilege escalation, or to steal more valuable credentials. This type of attack may ultimately give access to the domain controller and provide full control of a Windows-based infrastructure or business-related operator accounts.
How does lateral movement work?
Lateral movement takes place following the initial breach of an endpoint. This attack methodology requires the additional compromise of user account credentials. Using these account credentials, the attacker attempts to access other nodes.
As the attackers gather information about the environment, they make parallel attempts to steal additional credentials, exploit misconfigurations, or isolate software vulnerabilities so they can dig deeper into the network.
The attacker then uses lateral movement to control key points in the infected network. These additional positions help the attacker maintain persistence even if a security team detects them on a compromised machine.
Lateral movement can be divided into these five steps:
- External reconnaissance—the first step for an attacker is to perform reconnaissance on the target organization. Reconnaissance activity includes external network scan, social media and password dumps. The goal is to understand the target’s network and most likely successful attack vector. For example, if credential dumps are available for employees of the target organization, the attacker may attempt to authenticate access to the organization’s VPN or external email. Another method is using open source tools such as Shodan to identify the target’s open ports and vulnerabilities without performing a scan.
- Initial infiltration—once an attacker identifies the attack vector, they exploit the vulnerability to gain access to the target’s network. Attackers vectors can range from a vulnerable device or application that is accessible via the public internet. This is a vertical move, from outside to inside. Once it is done, they can then move laterally within the network to reach their objective.
- Internal reconnaissance—attackers gather information, such as operating systems, network hierarchy, and resources used in the servers to map the environment and understand where vulnerabilities exist. Operating system utilities attackers can use to carry out internal reconnaissance include Netstat, IPConfig/IFConfig, ARP cache, local routing table, and PowerShell. In addition, unsecured intranet pages can provide attackers with internal documentation on the infrastructure and location of the target data.
- Stealing credentials—once inside the network, attackers look for new devices to broaden their control. To move from system to system they may attempt to gather valid user credentials by using keyloggers, network sniffer, brute forcing passwords or phishing to fool users into providing credentials. However, it is not uncommon for attackers to find credentials on intranet pages, scripts, or other easily accessible files/systems. The attacker can use these credentials to escalate their privileges and expand their access. The attacker’s ultimate goal is to escalate their privileges to domain administrators for complete access and control of the domain. With domain administrator privileges, attackers can target a domain controller and dump the NTDS.dit from the system’s volume shadow copy. This gives the attacker access to the password hash for all domain users, including service accounts. Obtaining the password hash for the KRBTGT can allow attackers to create a golden ticket with unfettered access.
- Compromise more systems—now that attackers have the credentials to access their target systems, they will use remote control tools such as psexec, PowerShell, remote desktop protocol, or remote access software to access those systems. IT staff often access desktops this way, so remote access is generally not linked to a persistent attack. However, attackers will create a persistent connection to the network to keep multiple avenues of access open. Lastly, the attacker will exfiltrate the data to a command and control server using techniques such as data compression, data encryption, and scheduled transfers to remain undetected.
Best practices to prevent lateral movement
There are several practices you can use to prevent and protect lateral movement inside your network:
- Least privilege—each user must be properly categorized and have access only to the systems, applications or network segmentations their job requires them to access. For example, in a corporate network, only IT staff should manage devices such as desktops and notebooks. IT staff should not provide users with administrator privileges.
- Whitelisting—any application requested by a user should be evaluated carefully. It’s worth following a list of reputable applications and restricting those with known vulnerabilities. If there is a request to an application whose functions are already fulfilled by another, there may be no need to enable the service. For example, nonpetya infected a large shipping company via a third-party application update.
- EDR security—endpoint detection and response (EDR) solutions monitor online and offline endpoints, collecting and storing data on historical endpoint events and mapping that data against actionable security intelligence feeds and known tactics, techniques, and procedures (TTPs). The data collected by an EDR solution provides visibility that helps identify patterns and behaviors that attackers leave behind as they attempt to gain a stronghold inside an environment. IT personnel can stop active attacks while they repair the damage quickly, isolate infected systems to prevent lateral movement, and remove malicious files left by the attackers.
- Password management—enforcing password management is an important practice to protect your user accounts and also helps you cope with possible attempts of lateral movement. Organizations should enforce a policy of strong and unique passwords across all privileged systems and accounts. Most importantly, administrators need to practice good account management hygiene. For example, Microsoft recommends, “Be sure that you change the password [KRBTGT] on a regular schedule. ”
- Multi-factor authentication—multi-factor authentication adds an additional layer of security to the standard username and password authentication. This is done by implementing multi-factor authentication for access to internal systems, applications and data. This increases the level of effort attackers need to make to compromise an account protected by multi-factor authentication.
Lateral movement plays a significant role in cyberattacks and is used by APT groups. This is the stage where attackers actively explore an organization’s network to find its vulnerable elements. Following practices such as applying least privilege, whitelisting, implementing an EDR solution, and requiring multi-factor authentication and strong passwords will make it more difficult for intruders to move around, even when they are already inside.
Lateral movement is also the stage where the attacker’s activity is most exposed. Taking advantage of this exposure to detect lateral movement is possible with EDR solutions that offer visibility over an organization’s network. A security operations team will be able to recognize any abnormal behavior and detect lateral movement before achieving their objective, data exfiltration. To learn more about how Exabeam can help detect lateral movement within your organization, find out more here.
- Detecting Lateral Movement and Credential Switching: Human vs. Machine
- Information Security: Goals, Types and Applications
- The 8 Elements of an Information Security Policy
- What is MITRE ATT&CK: An Explainer