Lateral Movement and How to Prevent It?

10 August 2022 | by Xavier Bellekens

lateral movement

What is Lateral Movement in Cybersecurity?

Once an attacker has gained unauthorized access to a computer network, they will often attempt a lateral movement in order to gain access to additional systems and sensitive data.

Lateral movement attacks refers to the technique of moving deeper inside a network after an initial compromise. In order to successfully move laterally, attackers often leverage stolen credentials or exploit vulnerabilities to gain access to new systems. Once they have established a foothold on a new system, they may then repeat the process in order to gain even deeper access.

Lateral movement can be difficult to detect and prevent, but it is essential for security teams to be aware of the risks. By understanding the techniques that attackers use for lateral movement, organizations can take steps to better protect their networks.

Why Protect Against Lateral Movement?

In the early days of cyberattacks, attackers would generally target a specific system or application and attempt to exploit it for their own gain. However, over time, attackers have become more sophisticated and now focus on compromising an entire network rather than a single asset. This shift is largely due to the widespread adoption of lateral movement tactics by advanced persistent threats (APTs).

The process for attaining this objective consists of gathering information about multiple systems and accounts, obtaining credentials to escalate privileges in order to gain access to the target system.

Lateral movement enables attackers to stealthily move throughout a network undetected by traditional security solutions. This makes it difficult for defenders to quickly identify and isolate the threat. Lateral movement is a key distinguishing factor between today’s APTs and the simpler cyberattacks of the past. As a result, organizations must now adopt more sophisticated detection techniques in order to defend against APTs.

In fact, detecting lateral movement early allows for

  • Reducing the damages caused and reduce the cost of the attack early
  • Implement security controls to reduce the damage during a successful cyber-attack

The Common Stages of Lateral Movement

There are four main stages of lateral movement: reconnaissance, credential dumping, escalation of privileges, and gaining access or execution.

Internal Reconnaissance

Reconnaissance is the process of gathering information about an enemy target. In the context of network security, reconnaissance refers to the act of identifying and mapping out the systems and structure of a network in order to find potential vulnerabilities.

Reconnaissance can be passive or active.

Passive reconnaissance involves collecting publicly available information about a target, such as looking up IP addresses or DNS records. Adversaries often start to identify operating systems, high value assets, host naming conventions, unpatched systems, domain controller, etc.

Active reconnaissance, on the other hand, involves directly interacting with a target system in order to gather information. Threat actors employ a variety of tools to obtain information about their targets. By conducting port scans and remote connections, attackers can learn about the layout of a network and what firewalls or other security measures are in place.

Additionally, attackers can use built-in Windows or support tools to gain information about a target system. These tools are often difficult to detect, giving cybercriminals a significant advantage.

These are some of the built-in tools that can be used by adversaries during their reconnaissance:

  • Netstat: The machine’s current network connections are displayed by netstat. This can be used to find important assets or learn more about the network.
  • Routing Tables: The connected host’s routes are shown in the local routing table.
  • Powershell: is a robust command-line and scripting tool that makes it easy to quickly identify network servers to which the current user has local admin access.
  • ARP cache: provides data relating IP addresses to physical addresses. Targeting specific machines inside the network is possible with the help of this information.

Credential Dumping

Credential dumping is the act of extracting sensitive information, from a computer system or from a user. Outside the network, a common method is known as typo squatting, which involves creating fake websites that closely resemble legitimate ones. For example, an attacker might create a fake login page for a popular social media site and trick users to provide valid login credentials. When users enter their credentials into this page, the attacker can then intercept the data and use it to gain legitimate access to the victim’s account. Another technique that is often used in credential dumping is social engineering. This involves tricking users into divulging their confidential information, such as by posing as a customer service representative. Attackers will often target businesses in this way.

Once they have gained access, they can use various tools to extract even more credentials from the system and retain access. These credentials can then be used to gain further access to other systems or to carry out fraudulent activities. Credential dumping is a serious security threat.

Some of tools used for credential dumping are:

  • pass-the-hash: An attack method known as “pass-the-hash” (PtH) involves capturing a password hash rather than the actual password character, which is then simply passed through for authentication and possibly do a lateral movement to access to other networked systems.
  • Pass-the-ticket: is a credential theft method that enables attackers to access resources (such file sharing and other computers) as a user without needing to know that user’s password by using stolen Kerberos tickets. This method is frequently used by adversaries to migrate laterally through a network of an organization in search of opportunities to advance their privileges or accomplish their objectives.
  • Keylogger: Using keylogging software, an attacker can directly intercept passwords as they are typed into the keyboard by a legitimate user. This can be used to obtain passwords of remote systems or gain administrative privileges.
  • Mimikats and FGDump: Cached plaintext passwords or authentication certificates can be taken from the memory of a compromised device using tools like Mimikatz and FGDump. They can then be applied to verify and recon on other network services.
  • Admin share: Gives access to the system root directory. These are the focal point of PsExec-style attacks. Additionally, the per-partition hidden shares give the attacker read-write access to remote system’s hard drive.

Privilege Escalation

Privilege escalation is the process of an attacker obtaining more privileges than they are supposed to have.

In the context of cybersecurity, this usually refers to an attacker who starts out with limited access to a system but is able to gain greater access through exploitation. This can be done in a number of ways, such as by compromised credentials or by exploiting vulnerabilities such as bypassing the endpoint security solution and bypassing security controls.

Once an attacker has elevated their privileges, they can wreak havoc on a system, gaining sensitive data or installing malware. To prevent privilege escalation attacks, organizations need to have strong security controls in place and a thorough security strategy.

Gain Access to sensitive data

In the most general sense, gaining access refers to the act of obtaining unauthorized entry into a system or resource. In the context of cybersecurity, gaining access usually refers to the act of circumventing security controls in order to gain unauthorized access to sensitive data or to a critical system. As cyberattacks are becoming increasingly sophisticated, with the use of lateral movement, attackers also have the ability to exfiltrate the data out of the network.

Why Adversaries Use the Lateral Movement Techniques

Easy to evade detection

Cyberattacks with valid credentials typically take between 110 and 315 days to find, from initial access, and 90 days to stop. In cybersecurity, 200 days is a lifetime. Giving the attacker plenty of time to move laterally, establish persistence, carry out reconnaissance, and acquire credentials.

Additionally, the security and network monitoring systems will not pick up the cyber-attack because it appears as a genuine user accessing genuine systems across the network or cloud and therefore yield normal network traffic.

This implies that even if it was found that the initial device was infected, the attacker may have already migrated around the network and remained undetected inside the target network for a considerable amount of time while searching for the perfect opportunity to escalate the attack and access other high value assets.

Time to identify vulnerabilities

By moving laterally and observing how each system functions, the attacker can discover the vulnerabilities of all adjacent systems. Before they launch their ultimate onslaught, they can continue doing this for weeks or even months.

Find the  Attack Surface Awareness Out

Instead of attempting to break into a network from the outside, attackers utilize the lateral movement approach to obtain elevated access to that network. Attackers can swiftly increase their privileges on a network and take control to access sensitive data and systems by using valid credentials.

Furthermore, by observing the network for some time, attackers can understand the attack surface and the cybersecurity awareness of the security team. By probing for responses, they can also learn about the organization’s incident response procedures. This information can be used to plan lateral movements to target specific systems within the organization.

What types of attacks use lateral movement?

Data exfiltration: also known as data extrusion, is the unauthorized transfer of data from a computer system. Data exfiltration can be performed manually by an attacker who has physical access to the system, or it can be done remotely using malware or other malicious software. In either case, the goal of the attacker is to steal sensitive information such as credit card numbers, passwords, or trade secrets. Data exfiltration can have devastating consequences for organizations, as it can lead to the loss of valuable data and damage to their reputation.

Espionage: is the act of gathering intelligence or classified information without the permission of the owner. In the world of cybersecurity, espionage can take many forms, from hacking into a company’s computer systems to stealing trade secrets. While some forms of espionage are illegal, others may be considered simply unethical.

Competing businesses, nation-states, or organized cybercrime gangs may all have an incentive to observe organizational activity. When espionage is the target of an attack rather than just monetary gain, the attackers will seek to ingratiate themselves as deeply as they can into the network in order to avoid detection.

Ransomware: is a type of malware that encrypts a victim’s files and demands a ransom payment in order to decrypt them. While ransomware attacks are not new, they have become increasingly common in recent years as criminals have found them to be an effective way to make money. Ransomware can be spread through phishing attacks, malicious websites, or compromised software updates. Some threat actors also use the double-ransom services and infiltrate the network first to exfiltrate key data, asking one ransom to decrypt the files and one to recover the stolen files.

Insider threat: is a security risk that comes from within an organization. Unlike an external threat, which comes from outside the organization, an insider threat arises from within the company, usually from someone who has authorized access to company resources. Insider threats can occur when an employee, contractor, or other insider misuses their access to company data or information systems. For example, an insider might steal confidential data, intentionally delete important files or exfiltrate intellectual property information.

Botnet infection: A botnet infection is a type of malware that allows attackers to take control of a victim’s Internet-connected devices and use them to carry out malicious activities. Botnets can be used for a variety of purposes, including launching Distributed Denial of Service (DDoS) attacks, stealing sensitive information, or spreading other malware. In most cases, victims are unaware that their devices have been compromised and are unknowingly participating in these activities.

Botnets are typically created by infecting devices with malware that allows remote control. Once a device has been infected, the attacker can add it to their botnet and use it to carry out their malicious activities. By moving laterally, an attacker can join as many devices as they can to their botnet, boosting its power.

What are the lateral movement security challenges?

Malicious lateral movement can be exceedingly difficult to detect once an attacker gains administrator rights and gains deeper access into a network, since it can seem to be “regular” network traffic. A human attacker might also alter plans and use various strategies and tools based on the information collected. And detection becomes even more difficult when the attacker makes use of system tools that are built-in. In order to prevent expensive losses, it is crucial to discover and get rid of these intruders as soon as feasible.

According to research, attackers spend 80% of an attack moving laterally. While the first compromise happens rather rapidly, switching focus from the compromised node to the ultimate objective takes significantly longer. The majority of the attacker’s time is spent moving from the initial breach to the desired outcome and requires compromising successive hosts.

Although in the network, the attacker has not yet carried out any malicious actions for which they initially broke into the target environment. Identifying them at this point is key to put an end to the attack. Thus, detecting lateral movement as early as possible is essential.

Monitoring internal networks is difficult. For instance, organizations have tried deploying SIEMs, machine learning, log analysis, human behavior analysis and anomaly-based detection. However, even the most cutting-edge analytics tools produce false positives as a result of the enormous volume of data. As a result, a lot of security teams fail to investigate the vast majority of alarms.

How to detect and detect lateral movement?

There are three critical steps you can and should take to fortify your defenses, reduce dwell time and prevent lateral movement attacks with no false positives.

Step 1: Deploy Deception Assets

The UK National Cyber Security Centre (NCSC) recommends using cyber deception to detect lateral movement. Many high-profile cyber-attacks occurred over months of dwell time. With adversaries moving laterally across entire infrastructures and geographies.

Many businesses still rely on outdated or conventional security measures, and modern attackers plan on it. This is why, using cyber deception is essential to defend against sophisticated threats.

Cyber deception is a tactic used by organizations to defend forward against cyber threats. By creating false information or “decoys” within their networks, organizations can bait attackers and mislead them about the true nature of their systems.

Detect Lateral Movements with Lupovis Snare Dashboard
Lupovis Snare Dashboard

Lupovis Snare allows to deploy decoys across an infrastructure, detect early and buy time for defenders to respond to an attack, and our Snare platform can also help to identify the attacker’s tactics and intentions. Cyber deception is an effective way to detect and prevent damage from a cyber-attack early, without the burden of false positives.

Step 2: Deploy Breadcrumbs

A breadcrumb, a honey file or a seed data is a type of file used in cyber deception, they are files designed to lure in and trap malicious actors who are attempting to gain unauthorized access to crucial data. The breadcrumb appears to the attacker as an attractive target, such as a sensitive database or word document or PDF file. However, when the attacker attempts to access the breadcrumb, they trigger a high fidelity alert.

Identify lateral movement attacks with Lupovis Snare
Lupovis Snare Attack Visualisation in Real-Time

Lupovis allows the deployment of breadcrumbs, seed data and honeyfiles seamlessly across an infrastructure.

Step 3: Proactively Hunt for Advanced Threats

Many organizations experience breaches not because there aren’t enough alerts, but rather because there are too many to look into. Alert fatigue may be brought on by excessive alerting and false positives.

It’s only a matter of time before a vital alert is missed if your security solutions are generating too many false positives or if you’re receiving alerts without context or a mechanism to prioritize them.

While deception is perfect for lateral movement detection, it can also be used for preventing lateral movement by hunting forward.

Lupovis reduces lateral movement risks with Lupovis Snare and Lupovis Prowl. Our AI-driven solutions allow security teams to cut down response times while handling more alert by seamlessly providing only true positive alert from across the infrastructure.

Consider boosting your internal teams with a security solution that provides active, hands-on threat hunting. Allowing you to find hidden threats, cut down on false positives, and give priority to the most serious threats, so they can be treated as soon as possible.

Lupovis Advanced Threat Protection

Lupovis Snare is the next generation of proactive security, designed to deploy deception assets inside and outside your network. By leading to a strengthened security posture, advanced threat intelligence, and high-fidelity alerts before being breached, the Snare platform provides you with the peace of mind that your business is protected.

Lupovis Prowl is the perfect solution for those who want to obtain information on an IP address. It’s a free service that provides users with valuable data, including IoC and IoA. Simply enter an IP address and our system will provide you with the requested data. Lupovis Prowl is the perfect solution for anyone who needs quick and easy access to IoC and IoA data. Try it today!

10 August 2022 | by Xavier Bellekens

Speak to an Expert

Whether you have a specific security issue or are looking for more information on our Deception as a Service platform, simply request a call back with one of our security experts, at a time that suits you.