What is lateral movement?

Lateral movement in cybersecurity is the set of techniques attackers use, after intruding into an organization's network, to escalate privileges, exploit vulnerabilities and otherwise extend their access to further assets and resources.

Lateral movement is not an attack by itself, but a stage leading up to an attack. Attackers use their initial access to compromise other accounts in the network and so maximize the impact of the eventual attack. It is a tactic predominantly used in APTs, in which the attacker stays undetected in the network for an extended period of time in order to reach more valuable assets or resources.

The stages of lateral movement

To stay hidden, the attacker moves laterally through the network slowly and in stages. The movement can be divided into three stages:

[Figure: the stages of lateral movement]

Reconnaissance

Every move by an attacker is carefully planned to go undetected. Reconnaissance is the first stage of lateral movement. Once the threat actor has gained a foothold in the network, they gather information on the network, its devices, and its users. This helps them move tactically through the network without raising suspicion.

These are a few tools and techniques that attackers may use for reconnaissance:

  • Nmap: A network scanner that finds details about a network and the protocols running on it.
  • Metasploit: A popular exploitation framework whose scanning modules can be used to probe the network or its servers for vulnerabilities.
  • Bloodhound: An AD reconnaissance tool that identifies the relationship between AD objects such as computers, groups, and users.
  • Responder: A tool that can be used to poison Link-Local Multicast Name Resolution (LLMNR), NetBIOS Name Service (NBT-NS), and Multicast DNS (mDNS) protocols to intercept and respond to network traffic and collect user authentication credentials.
  • PowerSploit: A collection of PowerShell scripts that can be used for reconnaissance.
  • Recon-ng: An open-source intelligence (OSINT) framework that is used for reconnaissance.

Credential dumping

This is the second stage of lateral movement. Once the attacker has gained access to the network and studied it thoroughly, they attempt to elevate their privileges. That is, the attacker uses privilege escalation techniques to take over user accounts and devices and move laterally through the network.

Some of the common lateral movement techniques include:

  • Kerberoasting: This technique extracts account credential hashes from AD and cracks them offline.
  • Golden Ticket: This technique allows the attacker to forge Kerberos Ticket Granting Tickets, thereby giving the attacker access to any resource in the AD domain.
  • Silver Ticket: This technique allows the attacker to forge authentication tickets by cracking the password hash of a service account. The attacker can use this to gain access to file shares, which would allow them to find sensitive data and exfiltrate it.
  • Keylogging: This records every keystroke of the user, usually without their knowledge. An attacker can use it to gather information on user behavior and private data.
  • Pass the hash: This is a technique where attackers use the password hash rather than the plaintext password to perform a valid NTLM authentication.
  • Pass the ticket: This is a technique where attackers use stolen Kerberos tickets to authenticate to a domain.
  • RDP attack: This technique uses valid credentials to log in to a system remotely, and then perform actions under the guise of the logged-in user.
  • Server Message Block (SMB) attack: SMB is a client-server communication protocol that attackers can abuse to access file shares, allowing them to move laterally through a network.

Gaining access

If the attacker manages to evade the security controls in place and elevate their privileges within the network, they're eventually able to gain access to the desired sensitive data. Since the attacker does this using legitimate credentials, they can avoid detection.

Steps to prevent lateral movement

Lateral movement attacks are hard to detect because the techniques they use look like legitimate network events, which allows the attacker to stay undetected in the network for a long period.

Least privilege for users

Organizations should implement the principle of least privilege, in which users are granted access only to what they require. The fewer privileges an account has, the more difficult it is for an attacker who compromises it to reach their desired resource.

MFA

The implementation of MFA for systems, resources, and data is recommended. It is an additional layer of security that helps to prevent brute-force attacks and other password attacks.

Network segmentation

It is good practice to segment the network into smaller sub-networks, each with its own set of protocols and policies, to prevent lateral movement within the network.

Strong passwords

Organizations should enforce a strong password policy for systems and accounts to protect privileged accounts from possible attempts at lateral movement.

SIEM solutions

SIEM solutions can help prevent lateral movement, as they correlate data to identify any event that stands out. A solution that has behavioral analytics is even better for this purpose. It will collate data from all endpoints and use ML capabilities to establish a baseline for normal behavior, instantly alerting admins of any activity out of the ordinary.
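As an added example (not part of the original article or of any vendor product), the following Python sketch shows the baselining idea in miniature: it learns, per account, which source hosts, target hosts and authentication packages were seen during a training period, then flags logons in a later window that deviate from that profile and raises a fan-out alert when one account reaches several never-seen hosts within a few minutes. All event records and host names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records (not real telemetry), shaped like a SIEM's
# normalised Windows Event ID 4624: (time, user, source host, target host, auth package).
BASELINE = [
    ("2024-03-01T09:02:11", "alice", "WS-ALICE", "FS01", "Kerberos"),
    ("2024-03-01T09:05:40", "alice", "WS-ALICE", "MAIL01", "Kerberos"),
    ("2024-03-02T09:01:07", "alice", "WS-ALICE", "FS01", "Kerberos"),
    ("2024-03-01T10:12:30", "svc_backup", "BACKUP01", "DB01", "Kerberos"),
]
# Constructed detection window: the alice account reaches out from another user's
# workstation to hosts it never used before, over NTLM instead of Kerberos.
WINDOW = [
    ("2024-03-03T02:14:05", "alice", "WS-ALICE", "FS01", "Kerberos"),
    ("2024-03-03T02:15:11", "alice", "WS-BOB", "DB01", "NTLM"),
    ("2024-03-03T02:15:48", "alice", "WS-BOB", "HR01", "NTLM"),
    ("2024-03-03T02:16:30", "alice", "WS-BOB", "DC01", "NTLM"),
    ("2024-03-03T02:20:00", "svc_backup", "BACKUP01", "DB01", "Kerberos"),
]

def build_baseline(events):
    """Per user, the source hosts, target hosts and auth packages seen in training.
    Real behavioral analytics weight these by frequency and time of day."""
    profile = defaultdict(lambda: {"src": set(), "dst": set(), "pkg": set()})
    for _, user, src, dst, pkg in events:
        profile[user]["src"].add(src)
        profile[user]["dst"].add(dst)
        profile[user]["pkg"].add(pkg)
    return profile

def detect(profile, events, fanout=3, window=timedelta(minutes=10)):
    """Flag logons that deviate from the user's profile; raise one fan-out alert
    when an account reaches `fanout` never-seen targets within `window`."""
    alerts, new_targets = [], defaultdict(list)
    for ts, user, src, dst, pkg in events:
        t, seen, reasons = datetime.fromisoformat(ts), profile[user], []
        if src not in seen["src"]:
            reasons.append("new source host")
        if dst not in seen["dst"]:
            reasons.append("new target host")
            new_targets[user].append(t)
            recent = [x for x in new_targets[user] if t - x <= window]
            if len(recent) == fanout:  # fire once, as the threshold is crossed
                reasons.append("fan-out to %d new targets" % fanout)
        if pkg not in seen["pkg"]:
            reasons.append("new auth package " + pkg)
        if reasons:
            alerts.append((ts, user, src, dst, reasons))
    return alerts
```

Running `detect(build_baseline(BASELINE), WINDOW)` yields three alerts, all for the alice account, with the third carrying the fan-out reason; the routine service-account logon and alice's usual file-server logon produce nothing.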

  Zoho Corporation Pvt. Ltd. All rights reserved.