Lateral movement is an attack method in which an intruder uses behavior analysis and remote access tools to move quietly from device to device in an attempt to exfiltrate data from an organization. By mimicking human behavior, the attacker widens the range of systems reached while remaining undetected.
As cyber threats become more sophisticated, company networks have seen a rise in lateral movement attacks. Because these attacks easily avoid detection by average malware protection software, an in-depth understanding of how they work, and the ability to swiftly detect and shut them down, remains vital to a comprehensive security posture.
What is Lateral Movement?
Lateral Movement is a cyber-attack technique whereby a hacker (or group of hackers) targets networks to gain access to vital information and exfiltrate data.
It relies on behavior analysis: attackers mimic the way real people use the network as they step from device to device and application to application, until they reach the information they need to “cash in” on the hack.
Unlike conventional cyber-attacks, Lateral Movement does not rely on phishing emails or installing malware remotely to get the job done. These sophisticated hackers know that malware is easily detected and stopped in its tracks.
Instead, they use Remote Access Tools (RATs) to connect to devices and initiate their attack. Because the activity mimics that of a real person, the network does not suspect foul play, and the hacker gains deeper access as needed.
These attacks usually play out over weeks or months, rather than as quick, full-blown strikes.
Common Stages of Lateral Movement
There are three common stages of the Lateral Movement attack process that allow cyberthieves to steal sensitive data.
1. Reconnaissance
The first stage of Lateral Movement focuses on understanding how the network is being used.
As mentioned above, this form of attack works because it mimics natural usage – to do so, attackers must first learn what natural usage looks like on the individual network.
Over the course of a few weeks, or months depending on the scale of the network they are attacking, cybercriminals map out and explore network usage, tracking users, devices, timings, and normal activity.
By doing so, attackers can move through the network and access the information they want without being detected by anti-malware software.
Tools That Cybercriminals Favor During Reconnaissance Include:
- Netstat: shows the device’s current network connections. Used to learn about the network and identify assets.
- ipconfig/ifconfig: shows the host’s network addresses and configuration information.
- ARP cache: used to target individual machines on a network by identifying IP addresses and matching them with their physical (MAC) addresses.
- The local routing table: shows the current communication paths for the connected host.
- PowerShell: a scripting tool that lets cybercriminals enumerate the network systems to which the compromised account has admin access.
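The built-in commands listed above are rarely malicious on their own; what stands out is a burst of several of them from one account on one host in a few minutes. The following detector is an added example, not code from the original post or from Uptycs, and runs over constructed process-creation events in a simplified Sysmon/4688-like shape (field names are assumptions):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (Sysmon EventID 1 / Windows 4688 style);
# hosts, users and timestamps are made up for this example.
EVENTS = [
    {"ts": "2024-03-01T09:00:10", "host": "ws-17", "user": "CORP\\jdoe", "cmd": "ipconfig /all"},
    {"ts": "2024-03-01T09:00:35", "host": "ws-17", "user": "CORP\\jdoe", "cmd": "arp -a"},
    {"ts": "2024-03-01T09:01:02", "host": "ws-17", "user": "CORP\\jdoe", "cmd": "netstat -ano"},
    {"ts": "2024-03-01T09:01:40", "host": "ws-17", "user": "CORP\\jdoe", "cmd": "route print"},
    {"ts": "2024-03-01T10:15:00", "host": "ws-22", "user": "CORP\\asmith", "cmd": "ipconfig"},
    {"ts": "2024-03-01T14:40:00", "host": "ws-22", "user": "CORP\\asmith", "cmd": "netstat -an"},
]

# Discovery commands named in the post; the first token of the command line is matched.
RECON_COMMANDS = {"netstat", "ipconfig", "ifconfig", "arp", "route"}

def recon_bursts(events, window_minutes=10, min_distinct=3):
    """Return (host, user, commands) tuples where one user ran at least
    `min_distinct` different discovery commands on one host within `window_minutes`."""
    by_key = defaultdict(list)
    for ev in events:
        exe = ev["cmd"].split()[0].lower()
        if exe.endswith(".exe"):
            exe = exe[:-4]
        if exe in RECON_COMMANDS:
            by_key[(ev["host"], ev["user"])].append((datetime.fromisoformat(ev["ts"]), exe))
    alerts = []
    window = timedelta(minutes=window_minutes)
    for (host, user), runs in by_key.items():
        runs.sort()
        # Slide a window starting at each run; alert once per host/user pair.
        for i, (start, _) in enumerate(runs):
            seen = {exe for ts, exe in runs[i:] if ts - start <= window}
            if len(seen) >= min_distinct:
                alerts.append((host, user, sorted(seen)))
                break
    return alerts

if __name__ == "__main__":
    for host, user, cmds in recon_bursts(EVENTS):
        print(f"discovery burst on {host} by {user}: {', '.join(cmds)}")
```

The jdoe session on ws-17 trips the rule; asmith's two commands hours apart do not, which keeps ordinary troubleshooting out of the alert queue.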
2. Credential Dumping and Privilege Escalation
Remember, Lateral Movement is not a direct attack. It’s a sneaky backdoor to gaining sensitive data “legitimately” without the use of malware. This means hackers need to access passwords, usernames, and other credentials of network users to gain access throughout the network.
Hackers typically employ social engineering attacks such as typosquatting (targeting users who misspell a URL) and phishing (tricking users into clicking a bad link or directing them to a suspicious website).
Cybercriminals have many other methods they apply, though, including:
- Pass the Ticket: Cyber attackers exploit the authentication system by forging Kerberos tickets to gain access to any account on the network. These “golden tickets” work even if the user resets their password.
- Pass the Hash: This allows attackers to access your accounts using your password hash (rather than the plain-text password), letting them bypass security and authentication processes.
- Keylogging tools: Attackers can record keystrokes while users type in their credentials for an account, capturing the information needed for full access.
- Tools like Mimikatz: These tools are used on compromised machines to steal plain-text passwords and authentication certificates.
3. Gaining Access
The final stage of Lateral Movement is gaining access to sensitive information. Having completed the first two stages, hackers are able to search for their target. Needless to say, if they aren’t stopped in time, they will eventually land on their “jackpot” and extract the relevant sensitive data to do with as they wish.
Detecting and Preventing Lateral Movement
Lateral Movement attacks are incredibly hard to detect, but not impossible. The key to stopping a Lateral Movement intruder from stealing your network data is to detect and evict them within the first two hours of the initial intrusion. This window is known as “breakout time.”
The longer a hacker stays in your system, the better their knowledge of the natural use of your network, and the harder they are to detect.
The best way to deal with a Lateral Movement attack is to use the 1-10-60 rule.
- 1 minute to detect suspicious activity.
- 10 minutes to investigate the intrusion.
- 60 minutes to isolate and resolve the problem.
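Since the attacker's aim is to look like normal usage, one practical detection is to compare each account's recent logons against its own historical baseline and alert when it reaches several hosts it never touched before inside one breakout-time window. This is an added example, not code from the original post or from Uptycs; the logon records are constructed in a simplified Windows 4624-like shape (timestamp, account, target host), and the thresholds are assumptions to tune per environment:

```python
from collections import defaultdict
from datetime import datetime, timedelta

BREAKOUT = timedelta(hours=2)  # the post's two-hour "breakout time"

# Constructed baseline: (account, host) pairs seen during a prior learning period.
BASELINE = [
    ("CORP\\jdoe", "ws-17"), ("CORP\\jdoe", "fileserv-1"),
    ("CORP\\asmith", "ws-22"), ("CORP\\asmith", "fileserv-1"),
]
# Constructed successful logons for the morning under review.
RECENT = [
    ("2024-03-01T09:05:00", "CORP\\jdoe", "ws-17"),
    ("2024-03-01T09:20:00", "CORP\\jdoe", "fileserv-1"),
    ("2024-03-01T09:31:00", "CORP\\jdoe", "ws-41"),
    ("2024-03-01T09:44:00", "CORP\\jdoe", "ws-42"),
    ("2024-03-01T10:02:00", "CORP\\jdoe", "sql-3"),
    ("2024-03-01T09:10:00", "CORP\\asmith", "ws-22"),
    ("2024-03-01T13:00:00", "CORP\\asmith", "print-1"),
]

def baseline_hosts(records):
    """Map each account to the set of hosts it has historically logged on to."""
    hosts = defaultdict(set)
    for user, host in records:
        hosts[user].add(host)
    return hosts

def lateral_fanout(recent, baseline, min_new_hosts=3, window=BREAKOUT):
    """Flag accounts that log on to `min_new_hosts` or more hosts outside their
    baseline within a single `window`. Returns {account: sorted new hosts}."""
    novel = defaultdict(list)
    for ts, user, host in recent:
        if host not in baseline.get(user, set()):
            novel[user].append((datetime.fromisoformat(ts), host))
    alerts = {}
    for user, hits in novel.items():
        hits.sort()
        # Slide a breakout-time window over the account's first-seen hosts.
        for i, (start, _) in enumerate(hits):
            in_window = {h for t, h in hits[i:] if t - start <= window}
            if len(in_window) >= min_new_hosts:
                alerts[user] = sorted(in_window)
                break
    return alerts

if __name__ == "__main__":
    for user, hosts in lateral_fanout(RECENT, baseline_hosts(BASELINE)).items():
        print(f"{user} reached {len(hosts)} new hosts within breakout time: {hosts}")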
To prevent a Lateral Movement attack on your network, you need to employ the following three steps:
Step 1: Update Your Endpoint Security Solution
The standard cybersecurity software we’re all used to is not equipped to handle the levels of ultra-sophisticated attacks we’re seeing presently, including Lateral Movement.
Most cybersecurity companies are in agreement that the safest solution to prevent cyberattacks is to employ endpoint security solutions.
These are solutions installed on the endpoints (individual devices) as well as at the network edge. A senior administrator then has access to a centralized console that monitors and protects each device on the network individually, allowing precise defense against attacks.
Step 2: Proactively Hunt For Advanced Threats
You can’t rely solely on your cybersecurity software to detect every single threat for you in a timely manner.
Because of the numerous sneaky ways hackers can find their way into your network, protection software is tuned to be extremely sensitive, which often leads to false positives. Eventually, amid the vast number of “threats” reported, a real one is bound to slip through the net.
With Lateral Movement often carried out by real human beings, it makes sense to employ the same tactic: have humans monitor for and detect security threats.
Remember, a company’s biggest asset is its data and information, so it’s crucial you direct human resources towards your data security efforts.
By having humans actively looking out for threats and suspicious activity, you’ll be more likely to catch an attack in real time and efficiently de-escalate the situation before it becomes an issue.
Step 3: Maintain Proper IT Hygiene
IT Hygiene isn’t about physical cleaning. Instead, it refers to making sure your devices, software, and network aren’t vulnerable to attacks.
This includes ensuring all security software is up-to-date, all users are frequently changing their passwords, all devices are securely connected to the network through endpoint security software, and ensuring all users are aware of basic safety practices to avoid accidental attacks where possible.
Time is of the essence when it comes to Lateral Movement attacks, and keeping all devices on your network in peak condition will make it harder for attackers to infiltrate your system.
On top of all the above-recommended steps, you may also want to arrange for cybersecurity professionals to provide awareness training on sophisticated attacks for your company.
Lateral Movement attacks are devious in their approach. Being aware of their existence and proactive in the prevention, detection, and expulsion of bad actors is paramount to the protection of an organization's sensitive data from theft.