Originally By Friedrich von Jagwitz, Sales Engineer – Updated 30 August 2023
What is Lateral Movement?
Lateral movement is a tactic used by adversaries trying to move through your network. Usually, attackers use multiple techniques to search for critical assets and data. At the same time, the hacker determines the target and figures out how to access it. Most techniques to access the target rely on privileged credentials and mimicking the administrator’s daily routines to stay stealthy and undetected. It’s challenging for organizations to detect lateral movement with traditional security solutions.
How does Lateral Movement Work?
Most attacks use social engineering for the first step of lateral movement. Spear phishing is one of the most successful attack vectors for targeting people whose profile gives them access to interesting data, such as C-level executives (C-level phishing or "whaling"), or control over sensitive systems, such as administrators. Once the attacker has access to a machine – let’s say after a successful phishing attack – they will use that account's privileges to search for relevant data, additional credentials, and permissions. Then, the attacker will try to escalate the permissions of the user account to be empowered to perform more significant actions in the target environment.
Once the harvest on one system is over, the attacker moves laterally, trying to log in to another computer with the account he first captured. If no one stops the attacker, he will have all the time in the world to search around and move between systems until he eventually finds sensitive data or impersonates an almighty administrator account.
Best Practices to Prevent a Lateral Movement Attack
Organizations often leave vulnerabilities in their network unfixed for reasons such as high cost, resource availability, and dependencies on other systems. When organizations do address the vulnerabilities, the transition from an unsecured to a more secure network takes time.
Despite the time and effort it takes to address vulnerabilities, blue teamers are not out on a limb. They use many different tools to detect attacks in every phase. One of the vital security monitoring tools is a Security Information and Event Management (SIEM) system. With a SIEM, it’s easy to identify an intruder moving laterally, because he will inevitably make noise hopping from one system to another. Once the attacker is spotted, blue teamers can stop him.
Guidelines to Thwart Lateral Movement in Cybersecurity
Ensuring cybersecurity in today's digital landscape involves a proactive approach. Let’s delve into three paramount steps designed to fortify your defenses, curbing dwell time and its ensuing repercussions.
Step 1: Enhance Your Endpoint Security: A spate of high-profile cyberattacks took advantage of extended dwell times, leveraging lateral movement to deftly dodge conventional security measures. It's evident that modern-day cyber adversaries bank on many entities still leaning on outdated or basic security tools. These are the same tools that contemporary hacking utilities can sidestep without a hitch. Hence, it becomes imperative to transition to an all-encompassing security tech stack encompassing next-gen AV and behavioral analysis facets to fend off today's intricate cyber onslaughts.
Furthermore, it’s prudent to revisit and recalibrate your cybersecurity blueprint. Strive for a robust framework that amalgamates both pre-emptive technology to thwart unauthorized intrusions and a comprehensive EDR (endpoint detection and response) system such as Logpoint AgentX to autonomously pinpoint suspicious undertakings. This dual-faceted approach encapsulated in a solitary agent marks a pivotal initiation.
Step 2: Adopt a Forward-Thinking Stance against Complex Threats: A common pitfall for many enterprises isn't the absence of alerts, but an inundation of them. This deluge, especially when comprising redundant alerts and false alarms, can culminate in alert exhaustion.
Should you find your security apparatus generating an excessive number of inaccurate alarms, or encounter alerts devoid of context or any prioritization methodology, it's only a matter of time until a crucial notification goes unnoticed. It is essential to employ genuine experts who can, in real time, discern the events within your digital realm, dispatching comprehensive alerts for any anomalous activity detected.
One might contemplate bolstering in-house teams with a state-of-the-art security system, which offers in-depth expert threat reconnaissance. Such a system actively screens for concealed threats, trims down false alarms, and employs an urgency hierarchy, ensuring pressing alerts receive immediate attention.
Step 3: Uphold Optimal IT Cleanliness: Remove latent vulnerabilities, such as obsolete systems or unpatched software, from your network. It’s not uncommon for cyber exploits to remain dormant for extended intervals before they spring into action. In such scenarios, organizations become vulnerable targets if they neglect the consistent application of patches and updates to every endpoint.
In summation, your premier line of defense is ensuring your enterprise harnesses the cutting-edge technology available while embedding the 1-10-60 paradigm in your cybersecurity strategy.
Early detection with a SIEM
SIEMs can detect the attacker when he starts using the same account on multiple computers. Usually, actual users work from one single computer. Logpoint SIEM identifies the attacker using the simple pattern:
[label=Login label=successful workstation=* | chart count() by workstation, user] as s1 join [label=Login workstation=* label=Successful | chart count() by workstation, user] as s2 on s1.user=s2.user | process compare(s1.workstation, s2.workstation) as match | filter match=false | chart count() by s1.user, s1.workstation, s2.workstation, match
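The same pattern in plain Python, as an added example that is not Logpoint code and not part of the original article: it flags any account with successful logins on more than one workstation, and goes one step beyond the query by requiring those logins to fall within a time window. The event tuples, host names, and the `window` and `min_hosts` parameters are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, workstation, outcome)
EVENTS = [
    ("2023-08-30T08:01:12", "alice", "WS-014", "success"),
    ("2023-08-30T08:03:40", "bob", "WS-022", "success"),
    ("2023-08-30T09:15:02", "svc_backup", "SRV-FS01", "success"),
    ("2023-08-30T09:17:45", "bob", "WS-031", "failure"),
    ("2023-08-30T09:21:09", "bob", "WS-031", "success"),
    ("2023-08-30T09:26:30", "bob", "SRV-FS01", "success"),
    ("2023-08-30T17:40:00", "alice", "WS-014", "success"),
]

def multi_workstation_logins(events, window=timedelta(hours=1), min_hosts=2):
    """Return {user: sorted workstations} for every user with successful
    logins on at least min_hosts distinct workstations inside one window."""
    by_user = defaultdict(list)
    for ts, user, host, outcome in events:
        if outcome == "success":  # mirrors label=Login label=Successful
            by_user[user].append((datetime.fromisoformat(ts), host))

    flagged = {}
    for user, logins in by_user.items():
        logins.sort()
        start = 0
        for end in range(len(logins)):
            # Slide the window start forward until it spans at most `window`.
            while logins[end][0] - logins[start][0] > window:
                start += 1
            hosts = {host for _, host in logins[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged.setdefault(user, set()).update(hosts)
    return {user: sorted(hosts) for user, hosts in flagged.items()}

if __name__ == "__main__":
    for user, hosts in multi_workstation_logins(EVENTS).items():
        print(f"{user}: successful logins on {', '.join(hosts)}")
```

Widening `window` trades fewer misses for more noise: with a one-day window the morning login on bob's usual workstation is pulled into the same alert.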
Share Attack Insights
With a painless way to detect the attacker, organizations know as soon as there is an account performing suspicious activities. Most SIEMs have powerful visualization options, so blue teams can share insights within the team.
Detect Unusual Behavior with UEBA
Behavioral analytics, such as UEBA, can also detect anomalous behavior in the network without rules or manual setup. User and entity behavior analytics (UEBA) uses advanced machine learning to detect when users are behaving strangely. UEBA sends automatic notifications when users do something outside their usual behavior. This way organizations know when they need further forensic investigation.
An example of how UEBA can help detect lateral movement is multiple attempts to log into different accounts in short succession and/or from devices that are not typically associated with those accounts. UEBA shines in this type of scenario as these are some of the most basic anomalies it can detect. Obviously, organizations can use queries to detect multiple login attempts, but that requires a somewhat more laborious approach.
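The two anomalies named above, written out as the kind of hand-built check the paragraph calls laborious (an added example, not from the original article and not how any UEBA product works internally): a fixed baseline of account-to-device pairs stands in for learned behavior, and a short time window stands in for "short succession". All accounts, devices, thresholds, and events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed baseline: (account, device) pairs seen during normal operation.
BASELINE = [("alice", "WS-014"), ("bob", "WS-022"),
            ("carol", "WS-007"), ("svc_backup", "SRV-BK01")]

# Constructed new login attempts: (timestamp, account, device)
ATTEMPTS = [
    ("2023-08-30T10:00:05", "alice", "WS-014"),
    ("2023-08-30T10:02:11", "bob", "WS-007"),
    ("2023-08-30T10:02:40", "svc_backup", "WS-007"),
    ("2023-08-30T10:03:02", "alice", "WS-007"),
    ("2023-08-30T10:03:30", "carol", "WS-007"),
    ("2023-08-30T14:30:00", "bob", "WS-022"),
]

def find_anomalies(baseline, attempts, window=timedelta(minutes=5), min_accounts=3):
    """Return attempts from devices outside an account's baseline, and devices
    that tried at least min_accounts different accounts within the window."""
    usual = defaultdict(set)
    for account, device in baseline:
        usual[account].add(device)

    recent = defaultdict(deque)  # device -> (time, account) pairs still in window
    result = {"unusual_device": [], "many_accounts": []}
    for ts, account, device in sorted(attempts):
        when = datetime.fromisoformat(ts)
        if device not in usual[account]:
            result["unusual_device"].append((account, device))
        queue = recent[device]
        queue.append((when, account))
        while when - queue[0][0] > window:  # drop attempts older than the window
            queue.popleft()
        distinct = {acct for _, acct in queue}
        if len(distinct) >= min_accounts and device not in result["many_accounts"]:
            result["many_accounts"].append(device)
    return result

if __name__ == "__main__":
    print(find_anomalies(BASELINE, ATTEMPTS))
```

Note that carol's login from WS-007 raises no unusual-device alert because that is her normal workstation; only the per-device account count ties it to the rest of the burst.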
Log Aggregation and Visualization
Overall, network-spanning solutions, even the most basic log aggregation and visualization, can be invaluable for detecting lateral movement. These solutions provide quick notice of the type of unusual activity that coincides with lateral movement, especially if the attacker is using automated methods.
Monitoring is Key to Stopping Lateral Movement
Other security best practices still stand of course. Especially important is the principle of least privilege and various authentication-related mechanisms, such as two-factor authentication and password requirements. However, defending against lateral movement is not complete without monitoring capabilities.
Detection is one step away from reaction. Only with knowledge about what is going on in your network can you stop the attacker and protect your business from data loss and privacy violations.
The Challenge of Defending your Network
In the early days of networking, many people put a lot of effort and time into inventing new functionality and making what seemed impossible – possible. When Ray Tomlinson sent his first email (“QWERTYUIOP”) in 1971, his only concern was to check whether it was properly sent and received. Not even 20 years later, in 1988, the “Morris” worm showed the vulnerabilities of computer networks and the U.S. Government Accountability Office put the cost of the damage at $100,000 – 10,000,000 USD. In 1991 Microsoft came up with their vision of “a personal computer on every desk and in every home” and companies of every size started working with computers and building their networks.
Back then, the demand for IT experts was higher than the actual number of qualified specialists. The lack of IT expertise led to millions of unsecured, misconfigured, and highly vulnerable IT environments. Many unsecured environments are up and running today, representing a big and expensive risk for organizations.
A Digital Playground
There is no reason to detail how and when the first hackers came onto the digital playground and found the millions of vulnerable networks as a virtual invitation to take action. However, the hackers motivated organizations to think about network defense. The famous Kill Chain from Lockheed Martin and later the industry standard MITRE ATT&CK framework help Blue Teams structure the evidence obtained during defensive activities. An attacker has to do the groundwork before he can get what he is after.
By far, most networks use Microsoft’s technologies, such as Active Directory (AD) for authentication and authorization and Windows servers and clients. Some networks even have Windows NT nearly two decades after support ended. Windows computers as part of an AD domain in a basic, non-hardened configuration living in flat, non-segmented networks allow attackers to quickly move from one system to another. Prowling in foreign networks, attackers harvest credentials and data, sometimes taking control over entire networks.