Understanding and Detecting Lateral Movement


A threat actor, hoping to launch a ransomware attack on an organisation, is able to use stolen credentials to get into a user’s email account. Utilising spear phishing techniques and reconnaissance, the threat actor emails the IT department, asking for credentials to an important network application. They gain the credentials, move deeper into the network, and start setting up a ransomware attack.

That’s lateral movement in action. It’s critical to the success of a major cyber attack, and once it happens it can be difficult to detect and to stop. The move, in this case the email to IT and entry to a different application, looks legitimate. With the proper credentials, the next moves would appear as normal network activity. The organisation may not know what has happened until a ransom note appears on computer screens.

Understanding what lateral movement is, how it happens, and how to prevent it is crucial for an organisation’s cybersecurity posture in today’s growing threat landscape, where threat actors will use every tool available, simultaneously, to burrow into an organization’s network and wreak havoc.

What is Lateral Movement

Lateral movement consists of tactics threat actors use to move around a target’s environment to achieve their cyber attack goal. After initial access is achieved, a threat actor often needs to move into different parts of the system or go deeper into the system to exfiltrate data or execute another kind of attack.

Many kinds of cyber attacks utilise lateral movement, and in fact a simple attack, like a phishing scam, may just be a precursor to a more sophisticated attack that utilises lateral movement to achieve certain goals. These kinds of attacks include ransomware, botnet attacks, data exfiltration, and cyber espionage.

How Lateral Movement Works

Common lateral movement techniques include:

  • Exploitation of remote services
  • Internal spear phishing
  • Lateral tool transfer
  • Remote hijacking
  • Remote desktop protocol
  • Cloud service login
  • Application access token

That list is not exhaustive but highlights the ways that an attacker can jiggle the locks on various doors and start to explore once they have access to the house.

There is a myriad of ways threat actors can achieve lateral movement within a network. It’s all about what tools they have, what they have access to, and what will be the most efficient and provide the most cover, so they are not detected by the organization’s cybersecurity architecture.

A major reason threat actors utilise this technique is that it can be difficult for organisations to detect once it happens. Lateral movement leverages what’s referred to as “east/west” traffic which, within a network, is often considered ordinary. A user may check their email, then log into a cloud-based application, and then maybe look at certain assets, etc. “North/south” traffic (e.g., traffic that moves in and out of the network) will most likely be detected by firewalls and endpoint detection tools, whereas once the threat actor is in, they can move without notice. Visualise this as a criminal who has stolen a casino employee’s badge to gain initial access to secured areas and then continues the heist by crawling through the vents of the casino to remain unseen by security cameras and staff as they move towards the target, the vault room.

Lateral Movement vs. Privilege Escalation

While privilege escalation can be utilised as a lateral movement technique during a cyber attack, it’s important to note the two terms are not interchangeable. Privilege escalation is often vertical and refers solely to the amount of access a user has (to an application, asset, or network) and how that access grows. A threat actor, during an attack, can give themselves more access, in particular to gain credentials that give them access to another part of the environment, but the tactic itself is not lateral movement.

However, lateral movement can be referred to as horizontal privilege escalation, as a hacker’s access to the environment will grow, horizontally, as they make moves.

How To Detect and Prevent Lateral Movement

A major defence for lateral movement is to try to identify and contain the attack before lateral movement happens. However, this can be difficult for a number of reasons, including that there are many initial access points an attacker could utilise and that dwell times (the time an attacker sits within a network before making a move) have shortened year over year.

This timeframe before lateral movement occurs is called “breakout time,” and stopping an attack within this window reduces cost, impact, and potential business interruptions or downtime. It could also be the difference between an incident and a successful ransomware attack.

Two major ways to detect and stop lateral movement are:

  • Real-time monitoring of the environment. Advanced monitoring solutions, such as managed detection and response (MDR), can detect unusual activity (such as a user logging into an application they normally don’t log into), rule changes within applications, or sudden movement by a single user across the environment. An organisation can monitor activity and map it back to the techniques mentioned above to detect patterns of behavior similar to lateral movement.
  • Behaviour analysis. This is where that monitoring turns into investigation. It’s one thing to see “user did x then y then z” and another for software and human analysts to determine that behaviour may be suspicious or may fall in line with common lateral movement techniques.
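The two signals named above (a user logging into an application they normally don't use, and sudden movement by a single user across the environment) can be expressed as a small detection routine. This is an added example, not Arctic Wolf's code or part of the original article; the event format, host and application names, and the 15-minute/3-destination thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events: (timestamp, user, source host, destination)
BASELINE = [
    ("2024-03-01T09:00:00", "alice", "wks-01", "mail"),
    ("2024-03-01T09:05:00", "alice", "wks-01", "crm"),
    ("2024-03-02T09:01:00", "alice", "wks-01", "mail"),
    ("2024-03-01T10:00:00", "bob", "wks-02", "mail"),
    ("2024-03-02T10:02:00", "bob", "wks-02", "fileshare"),
]
LIVE = [
    ("2024-03-04T09:00:00", "alice", "wks-01", "mail"),
    ("2024-03-04T02:10:00", "bob", "wks-02", "mail"),
    ("2024-03-04T02:12:00", "bob", "wks-02", "hr-db"),
    ("2024-03-04T02:14:00", "bob", "wks-02", "backup-srv"),
    ("2024-03-04T02:19:00", "bob", "wks-02", "dc-01"),
]

def build_baseline(events):
    """Map each user to the set of destinations they normally log into."""
    seen = defaultdict(set)
    for _, user, _, dest in events:
        seen[user].add(dest)
    return seen

def detect(events, baseline, window=timedelta(minutes=15), fanout=3):
    """Return alerts for first-time destinations and rapid fan-out by one user."""
    alerts, recent = [], defaultdict(list)   # recent: user -> [(time, new dest)]
    for ts, user, src, dest in sorted(events):   # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        if dest in baseline.get(user, set()):
            continue                          # ordinary east/west traffic for this user
        alerts.append(("new_destination", user, dest, ts))
        # Keep only this user's new destinations inside the sliding window
        recent[user] = [(t, d) for t, d in recent[user] if when - t <= window]
        recent[user].append((when, dest))
        distinct = {d for _, d in recent[user]}
        if len(distinct) == fanout:           # fires when the count reaches the threshold
            alerts.append(("rapid_fanout", user, sorted(distinct), ts))
    return alerts

if __name__ == "__main__":
    for alert in detect(LIVE, build_baseline(BASELINE)):
        print(alert)
```

The first-time-destination alerts correspond to the monitoring bullet; the fan-out alert is the correlation step that behaviour analysis would then investigate.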

Preventing lateral movement is a critical component of cybersecurity. A threat actor does not want to be detected and wants to work efficiently. If they are unable to make moves in the environment, it will lessen the impact of the incident. For example, stolen credentials that are difficult to leverage may prevent the attacker from continuing, especially when there are other organisations to target and continuing this more challenging attack will extend their breakout timeframe. These prevention measures include:

  • Utilising network isolation and network segmentation. This cuts off parts of the network from each other, preventing a threat actor from widening their scope or making moves once inside part of the network.
  • Employing vulnerability management. Threat actors often exploit vulnerabilities not just for initial access but for lateral movement to gain access to various applications. Proper patching and a robust vulnerability management programme will close these gaps before they are exploited.
  • Implementing zero trust. Zero trust removes all explicit access and ensures a user must verify themselves to gain access to any asset or application. This will stop an attacker in their tracks, even if they have credentials, because they will be unable to verify themselves. Even if they are, they will be greeted by more locked doors and more combinations to try to crack. The idea is to not only reduce exposure to valuable applications and assets but slow these threat actors down until they give up or are detected.
  • Relying on 24×7 monitoring and detection solutions. As mentioned above, monitoring is important, but if it can’t detect and correlate different events within an environment, it may not be able to stop an attack from escalating. By using an MDR solution, such as Arctic Wolf® Managed Detection and Response, your organisation is covering multiple bases and can be assured that if there is an event, detection, analysis, and possible escalation will happen quickly to prevent any lateral movement.

See how Arctic Wolf detected precursors to lateral movement in an attack on a customer’s Microsoft Exchange Server and watch stage-by-stage as the attack went from detection to escalation to containment in 41 minutes as PowerShell enumeration commands and attempted lateral movement were swiftly uncovered in the investigation.

Explore the threats of today and how to prepare for tomorrow with our Arctic Wolf Labs 2023 Threats Report.  


Arctic Wolf

Arctic Wolf provides your team with 24x7 coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.