Cybercriminals have always sought out sensitive or valuable data, but the way they go about it has changed as technology and analysis have improved. In the past, data breaches were all about acquiring physical access to a system or network in order to steal data.
Nowadays, however, most data breaches are the result of cybercriminals using sophisticated techniques to gain remote access to systems and networks - often without the victim ever knowing. This is what's known as a lateral movement attack.
What is a lateral movement attack?
Lateral movement attacks are a type of cyberattack technique in which an attacker gains access to one system or network and then uses that access to move laterally to other systems or networks in order to gain access to user data and credentials. The attacker then tries to raise their access privileges through different malicious programs and tools.
For cybercriminals, lateral movement is a tactic that helps evade detection or retain access even after discovery by the system admin. This attack module lies at the core of their technique to present an Advanced Persistent Threat (APT). Often, these threat actors leverage zero-day vulnerabilities to wreak havoc. One example of the lateral movement attack was the security breach at SolarWinds. The attackers breached their security system and remained undetected for over 12 months.
How can attackers execute lateral movement attacks?
There are a few different ways that attackers can execute lateral movement attacks:
By exploiting vulnerabilities in systems or applications: Attackers can exploit vulnerabilities in systems or applications to gain access to them.
By stealing user credentials: Attackers can also steal user credentials - such as passwords, usernames, and other sensitive information - to gain access to systems and networks.
By using malware: Attackers can use malware, such as viruses and Trojans, to gain access to systems and networks.
By using social engineering: Attackers can use social engineering techniques, such as phishing and spear phishing, to gain access to systems and networks.
Regardless of their methods, once they have access, they can move laterally to other systems and networks.
Stages of lateral movement attacks
Cybercriminals using lateral movement attacks techniques have three steps in common in their methods.
1. Reconnaissance attack
Before launching an attack, the attackers explore the target devices, networks, and other digital assets to pull information on the companies' domains, servers, and operating systems. This intel gathering is a precursor to the attack, which is launched with the help of state-of-the-art tools like Netstat, IPconfig, Powershell, ARPshell, to name a few. These specialized tools are designed to identify the network, its configuration, different ports, physical addresses, and other details about the target system.
2. Credential dumping and privilege escalation
After infiltrating a system or network, cybercriminals seek to perpetuate their stay. Instead of just breaching a system’s security, they try to hang around and browse within the compromised system undetected. This requires at least one valid login credential.
The combination of illegal extraction and leveraging of user credentials is known as credential dumping. Through this, the attackers target the login credentials of the system admin or other legitimate employees. Here, the attackers use methods and tools like a keylogger, Mimikatz, Pass the Hash, Pass the Ticket, to name a few. Keylogging tools help capture the passwords directly from the admin to perform privilege escalation. Pass the Hash is a popular method that authenticates without owning the user's password. Pass the Ticket also helps threat actors establish persistency by employing Kerberos tickets.
3. Gaining multiple accesses
Once the parasitic relationship within a system is established, the attackers browse and hop over other computing points within the network. It is in this part of a lateral movement attack that the cybercriminal bypasses various controls without detection and explores different credentials and compromised devices.
Strategies for preventing lateral movement attacks
Have a standard user account
Organizations should enforce standard user account for all their users or employees. As a routine practice, administrators should have the privilege to log in to the users' accounts to look for suspicious behaviour through logs.
Principle of least privilege
If an employee does not require certain system access privileges or access to data, applications, servers, etc., the admin should disable their access.
Bring in the experts
Organizations should consult security providers like Packetlabs for guidance and solutions for enterprise security to stay ahead of cybercriminals planning lateral movement attacks.
Multi-factor authentication (MFA)
Adding an extra layer of security through MFA is an easy way to help prevent lateral movement attacks. MFA can be in the form of a code sent to the user's mobile phone or email, biometrics, etc.
Lateral movement attacks are a serious threat to organizations as they can result in data breaches, system disruptions, and financial loss. To prevent such attacks, it is important for organizations to be aware of the methods used by attackers and take measures to protect their systems and networks.
How can PacketLabs help?
Packetlabs can help reduce the risk of a breach within your system infrastructure and identify gaps in processes and procedures. To learn more about strengthening your cybersecurity posture, contact the Packetlabs team today!