What Is Lateral Movement?
Lateral movement is when a threat actor navigates through a breached environment, gaining new access and user privileges as they go. It is typically the second stage of a breach, occurring after initial access is gained through the root point of compromise, be that through external exposure like a misconfiguration or software exploit, or user error like social engineering or historic credential compromise.
Imagine you manage an apartment building. The root point of compromise would be the window you left open in your office. Lateral movement would be the burglar using your set of keys to open all the apartments in the building, looking for the best loot.
Once lateral movement has begun, the threat actor can compile enough access and privilege from which to launch an attack, exfiltrate or encrypt data, or remain in the system as an advanced persistent threat (APT), waiting for the perfect time to strike.
What Are the Stages of Lateral Movement?
Once a threat actor has gained access, they want to preserve that access for as long as needed to gather information, plan their attack, and carry it out. This is one of the reasons why it can be so difficult to detect an intrusion, as many threat actors bide their time, moving cautiously to avoid arousing suspicion or triggering any internal IT alerts. Lateral movement, then, progresses along a predictable series of steps:
Heists don’t happen without planning built from intelligence gathering. Bank robbers want to know the layout of the bank, how many guards are working and when they change shifts, how many tellers are working and who looks like the easiest mark. They’ll want to know the shortest route to the vault, as well as the best exits to utilize in their escape. A cyber attack is no different.
Before one can begin, threat actors need to understand the environment they’re in. They’ll explore the environment, map its systems and users, try and determine network configurations, and execute any processes they can (i.e., PowerShell commands) to both learn as much as they can about the environment and gain as much access as they can to it
Next, threat actors attempt to take over additional accounts. This can be done by moving vertically to gain additional permissions for the account they’ve already comprised, or by using information gleaned during discovery to obtain higher access vertically, all the way up to system-level privileges, which would allow them access to sensitive data and systems with the power to cripple the environment and the organization.
Finally, once the threat actor has studied the environment, gained access to additional accounts and devices, and identified their target or targets, the attack truly begins. It’s at this point that the threat actor is less concerned with being spotted and is focused solely on executing the plan they’ve spent so much time and effort creating.
What Kinds of Cyber Attacks Rely on Lateral Movement?
Lateral movement can spawn many kinds of cyber attacks, including:
- Ransomware: Lateral movement is essential in a ransomware attack, as it’s the primary method for a threat actor to gain access to more systems, servers, and devices, ensuring their ransom attack fully cripples the organization they’re attacking.
- Botnet: Just as in ransomware, lateral movement is an excellent method for a threat actor to build a network of bot-compromised machines that can be controlled and used to launch massive attacks.
- Nation-State Attacks and Corporate Espionage: When observation and intelligence-gathering is the primary motivation, lateral movement provides nation-states and rival organizations ample access to employee data, proprietary information and company secrets.
Lateral Movement vs. Pivoting vs. Horizontal Movement
In cybersecurity terms, both “pivoting” and “horizontal movement” imply the same sort of motion as lateral movement — where a threat actor moves across the network to other devices and servers. However, only lateral movement involves privilege escalation, with the threat actor gaining access to more accounts and deeper access into systems.
How to Prevent Lateral Movement
Much like a strong security posture requires both proactive and reactive defense, effectively preventing lateral movement requires preventive measures to keep threat actors from obtaining initial access, robust monitoring and detection capabilities to quickly discover when someone has breached your environment, and a solid incident response plan to stop the spread and permanently eject the threat actor from your environment.
- Vulnerability management ensures that you are identifying and remediating known vulnerabilities and hardening your environment against digital risk.
- Security awareness training prepares your employees to recognize and neutralize social engineering attacks and human error.
- Managed detection and response provides 24×7 monitoring of your endpoints, network and cloud, enabling you to quickly detect and respond to attacks.
- Incident response stops the attack and restores your organization to pre-incident business operations.