Lateral movement refers to the techniques used by malicious attackers to search for sensitive data or high-value assets after gaining initial access to the network or by gaining control of one asset. After gaining access to the endpoint, through a phishing attack or a malware infection, the attacker impersonates a legitimate user and traverses through the network, until the end goal is reached.
Preventing, mitigating and stopping cyber attacks is an important function that all organizations need to undertake. The data exposure and loss have the potential to cause a lot of damage, unnecessarily stalling and sometimes stopping the organization from doing its actual business. While there are many advanced tools and smart tricks in the armour of an organization’s cybersecurity team, the attackers and hackers always are one up in this ongoing battle.
The stages of lateral movement
Lateral movement is divided into three parts:
- Reconnaissance: Attackers sometimes plan their way into the system. During the reconnaissance phase, the attacker meticulously observes the network structure and enumerates the internal network with the access of users gained during the initial foothold. In an Active Directory, deployment, there is almost always a way to laterally to a different host to obtain higher privileges.
- Credential Dumping and Privilege Escalation: At this stage, the attacker needs valid login credentials to continue to move deeper into a compromised network. This process is repeated until the credentials of a privileged user across the entire organization is obtained. This difficulty of preventing this is usually a result of insufficient detection and monitoring that leaves organizations blind for months before it is noticed. This is especially true if organizations do not have basic security controls to prevent this activity.
- Gaining and Maintaining Access: One major task that attackers have to overcome is maintaining access to a privileged account. Using privileged access, all domain-joined servers and resources that contain valuable data can be exfiltrated. Even if data exists in a segmented network or a non-domain joined computer, credentials to access these hosts often exist in system administrators’ computers (which are joined to the domain). Furthermore, such activity can be difficult to detect because legitimate logins with stolen credentials are considered normal traffic. Therefore, the quicker an organization can detect illegitimate use of a privileged account, the safer the crown jewels and sensitive data of your customers will be.
It is important to understand breakout time, as this time is of essence during the attack. Breakout time is the time taken by an intruder to move laterally across a network. The average time taken is 1hr and 58 minutes. This means that the organisation has roughly two hours to investigate, implement measures and contain the threat, if they ever come to know about it on time.
Preventive measures to thwart lateral movement
Some preventive measures are:
- Update outdated software
- Eliminate unpatched systems
- Filter open ports
- Maintain secure passwords – Passwords can be a separate blog altogether, because simple things like weak or reused password is all what it takes. Employing Single sign-on (SSO), Multi-factor authentication (MFA) and logon restrictions are standard practices
- Employ the principle of least privilege, where users are given a minimum amount of access, needed for their role and work only
- Preventing laptop-to-laptop communications in the corporate LAN network or on the VPN. Restricting network communications
- Collecting logs from endpoints is critical as more endpoints are disconnected from their hardened corporate networks. Monitor and detection for lateral movement often necessitates visibility on laptop endpoints.
Monitoring all attempts of lateral movement is important, before the threat actor comes closer to your system. Advanced network detection and response solutions, automated threat intelligence and other automated tools can constantly monitor and prevent such attacks. A whole lot of other tools can be employed such as machine-learning based tools and data-driven investigations.
In order to win the battle in cyberspace, speed is of paramount importance. Within minutes, data can be lost or worse, published online. The only way to beat the attack is by being faster — by detecting, investigating and containing an intrusion within the breakout time.
A strong security risk management system should be established in organizations of all kinds, sizes and strengths, because risk is present at every organization, and each organization’s appetite to risk is also very different. Allow Packetlabs to test and improve your organization’s resilience to such attacks and allow our consultants to bolster your security posture.