What Is Lateral Movement? Lateral Movement Explained
Network Lateral Movement or lateral movement in cybersecurity refers to a technique used by hackers to progressively move from a compromised entry point to the rest of the network as they search for sensitive data or other high-value assets to exfiltrate.
In order to compromise a machine, cybercriminals use practices such as malware infection or phishing attacks, then masquerade as authorized users as they look to obtain higher privileges and elevated access.
This allows attackers to move laterally (sideways; between devices and apps) through a network. An effective lateral movement attack is used by intruders to scan the system and find other machines to infect.
Cybercriminals aren’t usually worried about being discovered when using the lateral movement technique, as the majority of the organizations don’t have the means to detect it. Even if they would, a lateral movement activity can be hard to notice because once a cybercriminal has gained access, their traffic looks normal to the security administrators.
Because they’ve already gained access, it’s difficult to tell the difference between a perpetrator and a legitimate user.
Lateral Movement Phases
Lateral movement is divided into three main stages: reconnaissance, credential dumping, and obtaining access to other machines in the network.
Sometimes, hackers may devise a strategy to get access to the system. The attack begins with observation and information gathering. During this phase, the hackers meticulously notice, explore, and charts the network, its machines, and users. This plan helps them make informed moves, comprehend naming systems, network ranking, and recognize operating systems.
Cybercriminals use a number of tools to understand where they are located inside the system, what they can access, and what network security system or other impediments are in place. During the reconnaissance phase, advanced attackers can employ built-in Windows or support tools as security teams usually have a hard time noticing them.
At this point, the cybercriminals have to gather valid login credentials to keep moving through the compromised network. Credential dumping is a term used to describe the fraudulent obtaining of credentials. These credentials can be collected by employing tools, such as keyloggers (which tracks the keys users type), Mimikatz, and Windows Credential Editor.
Another way to obtain the login credentials is to trick the users into sharing them by employing social engineering strategies such as typosquatting and phishing attacks.
A brute force attack is another common practice, in which a hacker guesses a password and utilizes it to gather, store, and steal information.
Internal reconnaissance process followed by evading security controls to compromise successive hosts can be performed until the desired data is located and exfiltrated. And, as cyberattacks become more and more advanced, they frequently contain a powerful human component. This is especially true when it comes to lateral movement, when a company may confront with actions and counter-attacks from a competitor.
However, a strong security solution in place can detect and stop human behavior.
What Kind of Attacks Use Lateral Movement?
Many types of attacks use lateral movement to reach as many devices as possible or to move throughout the network until a particular objective is accomplished. Here are some examples:
Botnet attacks: The devices that are taken over by cybercriminals may be added to a botnet. Botnets are often employed in Distributed Denial-of-Service (DDoS) attacks, but they can also be used for a variety of other harmful purposes. By employing lateral movement, a hacker can connect as many devices as possible to their botnet, making it stronger.
Ransomware attacks: As explained by my colleague Andra in this article, ransomware is a sophisticated piece of malware that encrypts crucial data for an organization’s everyday processes. After the infection happens, the victims receive a message telling them that a certain amount of money (ransom) must be paid to get the decryption key. Normally, there is also a time limit for the payment to be completed, otherwise, the files could be lost forever. Once activated, the ransomware infection will severely disrupt the company’s operations, at least temporarily.
Data exfiltration is the act of intentionally transferring confidential information from inside an organization to outside an organization’s perimeter without authorization. In order to get to the data they want, malicious actors usually have to move laterally from their initial point of intrusion. Data exfiltration can be done through hacking, malicious software, social engineering attacks. The cybercriminals exfiltrate data to:
- steal intellectual property
- obtain confidential information for conducting identity theft
- hold the stolen data for ransom (in ransomware attacks)
Cyberespionage campaigns. Cyberespionage is a common practice among countries, hacking groups, and organizations everywhere, no matter the reason. When the hacker’s intention is just surveillance, without financial gain, they will do their best to stay hidden and implanted in the network for as long as possible. It differs from a ransomware attack, in which the hacker makes his intentions known in order to receive the ransom.
Lateral Movement Detection and Prevention
As we already said, once a cybercriminal acquires access to a network, lateral movement can be especially difficult to detect as it can look exactly like legitimate network traffic. In addition, a human threat actor can modify action plans and implement different methods and tools based on the received information. Besides, when a malicious actor uses built-in system tools, recognition becomes even more difficult.
So, what can organizations do?
A great start when it comes to lateral movement prevention and detection would be a better understanding of the concept. It is essential to know how it works and what are the first signs in order to recognize it. Here is what you can do.
- Update outdated software regularly. All your services, applications, operating systems, and endpoints should be using the most recent version of the software.
- Remove the systems that aren’t patched. Protect the unpatched systems by separating them from the rest of the network.
- Filter open ports. To help protect against frequent attacks and malware infections, make sure there are no unneeded open ports.
- Implement the principle of least privilege. This way, users can only have access to information and perform actions they need to do their job being prevented from gaining additional data that doesn’t concern them.
- Maintain proper IT hygiene. In order to protect against lateral movement, you must make sure that your organization covers the basic elements of network protection. Usually, an attack happens when a company has inadequate security hygiene.
- Maintain unique passwords. Ensure the employment of hard to guess, secure passwords and Single sign-on (SSO), Multi-factor authentication (MFA), and restricted login protocols.
- Back up confidential data. Integrating a robust backup strategy for critical information, systems, and apps helps ensure business continuity in the event of a security breach.
- Hunt for sophisticated threats. Threat hunting is an active cyber defense action. It refers to the process of looking through networks to discover and isolate advanced threats that bypass existing security solutions.
- Reappraise your security strategy. Make sure you have one of the best security solutions on the market.
At Heimdal, we offer you Endpoint Detection and Response or (ETDR) Endpoint Threat Detection and Response, a complex cybersecurity technology used to protect endpoints, that continuously monitors and responds to mitigate cyber threats.
EDR tools offer unique prevention, hunting, and remediation capabilities and quickly respond to sophisticated malware – both known and yet unknown.
- Next-gen Antivirus & Firewall which stops known threats;
- DNS traffic filter which stops unknown threats;
- Automatic patches for your software and apps with no interruptions;
- Privileged Access Management and Application Control, all in one unified dashboard
Nowadays, cyberattacks happen every day and to any type of organization and entity. Hence it is essential for security teams to be able to detect lateral movement rapidly and correctly in order to prevent cybercriminals from expanding their reach inside an organization.