
Understanding and Detecting Lateral Movement

Understanding what lateral movement is, how it happens, and how to prevent it is crucial for an organization’s cybersecurity posture.

A ransomware attack is underway. The threat actor has gained initial access to an endpoint and executed malicious code on it. As far as the threat actor is concerned, things are going well. However, the next stage is critical to a ransomware attack’s success. Without the ability to spread throughout the environment, encrypting or locking up as many systems as possible, threat actors are unlikely to be able to extort payment from an organization.

To infect as many endpoints and as much of a target’s environment as possible, the threat actor distributes executables and tooling within the target environment through lateral tool transfer. By using public file-sharing services like Dropbox, internal file shares, or native system tools like the ftp (file transfer protocol) utility, the threat actor passes their attack kit across the environment, infecting endpoints and servers as they go. Because these transfers ride on channels the organization already uses, they also help conceal the attacker’s movements.

That’s lateral movement in action.

It’s critical to the success of a major cyber attack, ransomware or other, and once it happens it can make the attack harder to detect and to stop. Understanding what lateral movement is, how it happens, and how to prevent it is crucial for an organization’s cybersecurity posture in today’s growing threat landscape, where threat actors will use every tool available to burrow into an organization’s network and wreak havoc.

What is Lateral Movement?

Lateral movement occurs when a threat actor navigates through a breached environment, often gaining new access and user privileges as they go. It is typically a later stage of a breach, occurring after initial access is gained through the root point of compromise, and often after persistence is maintained in the environment, privileges are escalated, and defenses are evaded.

Once lateral movement has begun, the threat actor can compile enough endpoint, network and server access from which to launch a ransomware attack, exfiltrate data for use in future attacks or to sell on the dark web, steal intellectual property, or remain in the system as an advanced persistent threat (APT), gathering intel and waiting for the perfect time to strike.

How Lateral Movement Works

Threat actors exploit the trust already built into an environment, such as valid accounts, cached credentials and remote-management services that legitimate administrators use every day, or vulnerabilities that the organization has not yet mitigated.

Common lateral movement techniques and procedures include:

1. Leveraging Remote Desktop Protocol (RDP): Attackers often use RDP to reach other systems with valid credentials. RDP provides a full graphical session for remote management, so an attacker holding a working username and password can operate the target exactly as an administrator would, making it an attractive option for lateral movement.

2. Exploiting Windows Management Instrumentation (WMI): WMI is a powerful management framework in Windows that attackers can use to execute commands or scripts on remote systems. The remote call still travels over DCOM/RPC or WinRM, but it needs no interactive session and no file dropped on disk, so it blends in with routine administration and is easy to overlook.

3. Using PsExec: This Sysinternals tool allows attackers to execute processes on remote systems, facilitating lateral movement by launching commands or scripts on target machines. It works by copying a service binary (PSEXESVC) to the target’s ADMIN$ share over SMB and starting it as a service, which means it requires administrative credentials and leaves a service-installation record behind on the target.

4. Accessing SSH: For environments using Linux or Unix systems, Secure Shell (SSH) is commonly used for remote administration. Attackers may use stolen credentials to access these systems directly.

5. Lateral Tool Transfer: Copying tooling and payloads between compromised hosts, whether over SMB shares, scp or ftp, or through a cloud file-sharing service. This technique facilitates further exploitation, such as deploying additional payloads or executing scripts on other machines, while helping threat actors maintain control over multiple systems and avoid detection by using file channels the environment already trusts.

6. Remote Service Session Hijacking: After initially breaching a target environment, threat actors take over existing remote sessions, such as a disconnected RDP session or a live SSH session on a compromised host, rather than authenticating anew. They can also use exploitable vulnerabilities or harvested credentials to reach other endpoints directly. In either case they can then deploy tools, execute commands, or install malware.

7. Internal Spear Phishing: This social engineering technique allows threat actors to execute lateral movement by impersonating colleagues or executives from within an organization, sending emails requesting confidential information and credentials, or getting the victim to click on a malicious link that grants them deeper access.

8. Leveraging Stolen Authentication Material: Access tokens, password hashes, Kerberos tickets and web session cookies all let a user authenticate without typing a password. Threat actors harvest this material from memory with tools like Mimikatz and reuse it (pass-the-hash, pass-the-ticket, token impersonation) to act as an authorized user on other systems. Stolen OAuth application access tokens play the same role for cloud and SaaS applications.

This list is not exhaustive but is meant to highlight the myriad ways an attacker can expand their access in a target environment via lateral movement. It’s all about what tools they have, what they have access to, and which procedure is the most efficient while providing the most cover, so they are not detected by the organization’s cybersecurity architecture.

Why Do Threat Actors Use Lateral Movement?

A major reason threat actors utilize lateral movement is because it can be difficult for organizations to detect it once it happens.

Lateral movement leverages what’s referred to as “east/west” traffic, meaning traffic that moves between hosts inside the network, which is usually considered ordinary. Users open file shares, authenticate to domain controllers, connect to internal applications and administrators run remote management tools all day long. “North/south” traffic, on the other hand, moves in and out of the network and passes through the perimeter firewalls, proxies and detection tools an organization has positioned to inspect it.

Once the threat actor is in a target environment, they can use the “east/west” traffic of lateral movement to expand their access without being noticed. If cyber attacks were heist movies, lateral movement would be the scene where the thief swipes a casino employee’s badge to move throughout back hallways on their way to the vault room.

Lateral movement is not the same as privilege escalation. Privilege escalation is vertical: it refers solely to the amount of access a user has to an application, asset, or network, and how that access grows. Lateral movement is horizontal: it refers to reaching other systems. During an attack, a threat actor can gain credentials and escalate their privileges on a host, which may later enable access to another part of the environment, but the escalation itself is not lateral movement.

How To Detect and Prevent Lateral Movement

A major defense against lateral movement is proactively identifying and containing the attack before lateral movement happens. However, this can be difficult for a number of reasons, including the sheer volume of initial access points an attacker could utilize. Additionally, dwell times (the time between an attacker’s initial compromise and the point at which they are detected or reach their objective) have shortened year over year, because attackers now move from initial access to action much faster, meaning security teams have less time and fewer opportunities to spot it and stop it.

The timeframe before lateral movement occurs is called “breakout time,” and stopping an attack within this window reduces cost, impact, and potential business interruptions or downtime. It could also mean the difference between a cyber incident and a successful cyber attack.

There are two major ways to detect lateral movement while it is underway:

Real-Time Environment Monitoring
Advanced monitoring solutions, such as managed detection and response (MDR), can detect unusual user activity, rule changes within applications, or sudden movement by a single user across the environment. An organization with MDR can monitor this activity and map it back to the techniques mentioned above to detect patterns of behavior that resemble lateral movement.

Behavior Analysis
This is where that monitoring turns into investigation. It’s one thing to see “user did x then y then z” and another for software and human analysts to determine that behavior may be suspicious or fall in line with common lateral movement techniques.
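As an added illustration of how the two steps fit together (this is example code written for this page, not Arctic Wolf tooling), the script below first labels individual events with the lateral-movement technique from the list above that they most likely indicate, then applies a simple behaviour rule: one account authenticating to several distinct hosts inside a short window. The event records are constructed, simplified versions of the fields carried by Windows Security events 4624/4688, System event 7045 and Linux sshd log lines; every hostname, username and IP address is invented sample data, and the window and threshold are assumptions to tune per environment.

```python
"""
Added example (not code from the original post): a minimal lateral-movement
triage over constructed log events. Per-event labels are weak signals on
their own (a 4624 type-3 logon is also ordinary file-share access); the
fan-out rule is what turns "user did x, then y, then z" into an alert.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample telemetry (invented hosts, users and IPs) ----------
SAMPLE_EVENTS = [
    # Normal: one user, one workstation, interactive (type 2) logon.
    {"ts": "2024-05-01T09:00:00", "kind": "win_security", "event_id": 4624,
     "host": "WS-ACCT-07", "user": "mlee", "logon_type": 2, "src_ip": "-"},
    # Suspicious burst: 'svc_backup' reaches four hosts from one IP in 6 minutes.
    {"ts": "2024-05-01T10:01:10", "kind": "win_security", "event_id": 4624,
     "host": "FS-01", "user": "svc_backup", "logon_type": 3, "src_ip": "10.0.5.23"},
    {"ts": "2024-05-01T10:02:40", "kind": "win_system", "event_id": 7045,
     "host": "FS-01", "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": "2024-05-01T10:03:15", "kind": "win_security", "event_id": 4688,
     "host": "APP-02", "user": "svc_backup",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "new_image": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2024-05-01T10:03:20", "kind": "win_security", "event_id": 4624,
     "host": "APP-02", "user": "svc_backup", "logon_type": 3, "src_ip": "10.0.5.23"},
    {"ts": "2024-05-01T10:05:02", "kind": "win_security", "event_id": 4624,
     "host": "JUMP-01", "user": "svc_backup", "logon_type": 10, "src_ip": "10.0.5.23"},
    {"ts": "2024-05-01T10:07:00", "kind": "sshd",
     "host": "db-03", "user": "svc_backup", "auth": "password", "src_ip": "10.0.5.23"},
]


def classify(ev):
    """Map one event to the technique it points at (MITRE ATT&CK ID in brackets), or None."""
    if ev["kind"] == "win_security" and ev["event_id"] == 4624:
        if ev["logon_type"] == 10:          # RemoteInteractive = RDP session
            return "RDP logon (T1021.001)"
        if ev["logon_type"] == 3:           # Network logon: SMB, admin shares, WMI/DCOM auth
            return "Network logon, e.g. SMB/admin share (T1021.002)"
        return None
    if ev["kind"] == "win_system" and ev["event_id"] == 7045:   # new service installed
        if "PSEXESVC" in ev.get("service_name", "").upper() \
                or "psexesvc" in ev.get("image_path", "").lower():
            return "PsExec service install (T1569.002)"
        return None
    if ev["kind"] == "win_security" and ev["event_id"] == 4688:  # process creation
        parent = ev.get("parent_image", "").lower()
        child = ev.get("new_image", "").lower().split("\\")[-1]
        if parent.endswith("wmiprvse.exe") and child in {"cmd.exe", "powershell.exe"}:
            return "WMI remote command execution (T1047)"
        return None
    if ev["kind"] == "sshd" and ev.get("auth") in {"password", "publickey"}:
        return "SSH logon (T1021.004)"
    return None


def is_remote_logon(ev):
    """True for authentications that imply a hop to another host."""
    if ev["kind"] == "win_security" and ev["event_id"] == 4624:
        return ev["logon_type"] in (3, 10)
    return ev["kind"] == "sshd" and ev.get("auth") in {"password", "publickey"}


def fan_out_alerts(events, window=timedelta(minutes=10), threshold=3):
    """Alert when one account logs on to >= threshold distinct hosts within `window`.

    Sliding window over each account's time-sorted remote logons; one alert
    per account is enough for triage. window/threshold are assumed defaults.
    """
    by_user = defaultdict(list)
    for ev in events:
        if is_remote_logon(ev):
            by_user[ev["user"]].append((datetime.fromisoformat(ev["ts"]), ev["host"]))
    alerts = []
    for user, logons in by_user.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                alerts.append({"user": user, "start": t0.isoformat(), "hosts": sorted(hosts)})
                break
    return alerts


def triage(events):
    """Return (labelled events, behaviour alerts) for a batch of events."""
    labelled = []
    for ev in events:
        technique = classify(ev)
        if technique:
            labelled.append((ev["ts"], ev["host"], technique))
    return labelled, fan_out_alerts(events)


if __name__ == "__main__":
    labelled, alerts = triage(SAMPLE_EVENTS)
    for ts, host, technique in labelled:
        print(f"{ts} {host:<10} {technique}")
    for a in alerts:
        print(f"ALERT fan-out: {a['user']} reached {len(a['hosts'])} hosts "
              f"from {a['start']}: {', '.join(a['hosts'])}")
```

The per-event labels are the "monitoring" half: they tie raw telemetry back to the RDP, WMI, PsExec and SSH procedures listed earlier. The fan-out rule is the "behavior analysis" half: a single 4624 network logon is noise, but the same service account touching a file server, an application server, a jump host and a database within minutes, and from the same source IP, is the pattern an analyst would pull for investigation. In practice the threshold, the window and a baseline of which accounts normally touch many hosts (backup and monitoring accounts often do) all need tuning.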

Preventing lateral movement is a critical component of cybersecurity. A threat actor does not want to be detected and wants to work efficiently. If they are unable to move within the environment, the blast radius of the incident shrinks and its impact is reduced. For example, stolen credentials that are difficult to leverage in an environment may stop the attacker from continuing, especially when every further attempt increases their chances of being detected and there are other, softer organizations to target.

These prevention measures include:

  • Utilizing network isolation and network segmentation. This cuts off parts of the network from each other, preventing a threat actor from widening their scope or making moves once inside part of the network.
  • Employing vulnerability management. Threat actors often exploit vulnerabilities not just for initial access but for lateral movement to gain access to various applications. Proper patching and a robust vulnerability management program will close these gaps before they are exploited.
  • Implementing zero trust. Zero trust removes implicit trust based on network location and requires every user and device to be verified, typically with multi-factor authentication and a device-health check, before gaining access to any asset or application. This can stop an attacker in their tracks even if they hold valid credentials, because a password alone no longer satisfies the verification. Even if they get past one check, they will be greeted by more locked doors and more combinations to try to crack. The idea is to not only reduce exposure to valuable applications and assets but to slow these threat actors down until they give up or are detected.
  • Employing 24×7 monitoring and detection solutions. As mentioned above, monitoring is important, but if you can’t detect and correlate different events within an environment, you may not be able to stop an attack from escalating. By using an MDR solution, such as Arctic Wolf® Managed Detection and Response, your organization gains holistic visibility into your attack surface and, when an event does occur, the ability to act quickly to contain it before lateral movement spreads.

Discover how modern security operations are evolving to combat today’s most innovative cyber attacks in the Arctic Wolf 2024 Security Operations Report.

Explore the threats of today and how to prepare for tomorrow with our Arctic Wolf Labs 2024 Threat Report.
