What is Lateral Movement in cyber-attacks?

Even when you do your best to protect your sensitive users, and your admins have complex passwords that they change frequently, their machines are hardened, and their data is stored securely, attackers can still use lateral movement paths to access sensitive accounts.
Lateral movement refers to the techniques that a cyber-attacker uses, after gaining initial access, to move deeper into a network in search of sensitive data and other high-value assets. After entering the network, the attacker maintains ongoing access by moving through the compromised environment and obtaining increased privileges using various tools.
Lateral movement allows a threat actor to avoid detection and retain access, even if discovered on the machine that was first infected. And with a protracted dwell time, data theft might not occur until weeks or even months after the original breach.
After gaining initial access to an endpoint, for example through a phishing e-mail or a malware infection, the attacker impersonates a legitimate user and moves through multiple systems in the network until the end goal is reached. Reaching that objective involves gathering information about systems and accounts, obtaining credentials, escalating privileges and ultimately gaining access to the targeted data or system.
A typical lateral movement attack exploits the moment a sensitive user (a domain admin, say) signs in to a machine on which a non-sensitive user has local administrator rights. Once the attacker controls the non-sensitive user, they control that machine, and can harvest the sensitive user's credentials from it: the password hash or the Kerberos tickets cached in memory for the logged-on session. With those credentials the attacker authenticates as the sensitive user to the next system, and the cycle repeats.
What is a lateral movement path?
A lateral movement path is the chain of machines and accounts that connects a non-sensitive account to a sensitive one: account A is a local admin on machine X, a more privileged account B has a session on X, B is a local admin on machine Y, and so on. Attackers follow such paths to identify the administrators in your network and learn which machines they can reach. With that map, and a few further hops, the attacker gains access to your domain controllers and the data stored on them.
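To make the path concrete, here is an added example (my code, not from the original article or from any product) that models a small, hypothetical domain and searches it for a lateral movement path the way an attacker, or a defender's own tooling, would. The hosts, accounts and rights are all made up; the two relationships it uses, "account is local admin on host" and "account has a session on host", are exactly the ones described above.

```python
"""Lateral movement path discovery over a constructed, toy AD model.
Added example, not from the original article. All hosts and accounts are
hypothetical.

Attacker logic encoded as a graph:
  user --admin-->  host   (controlling the account gives you the host)
  host --session-> user   (controlling the host lets you steal cached
                           credentials of everyone logged on there)
A path from a compromised low-value account to a sensitive account is a
lateral movement path.
"""
from collections import deque

# Constructed sample data: which accounts are local admins where, and who
# currently has a logon session on each host.
LOCAL_ADMINS = {
    "WS01": {"alice", "helpdesk"},
    "WS02": {"bob", "helpdesk"},
    "SRV-FILE01": {"helpdesk", "svc_backup"},
    "SRV-APP01": {"svc_backup"},
    "DC01": {"da_admin"},
}
SESSIONS = {
    "WS01": {"alice"},
    "WS02": {"bob", "helpdesk"},
    "SRV-FILE01": {"svc_backup"},
    "SRV-APP01": {"da_admin"},   # a domain admin is logged in here
    "DC01": {"da_admin"},
}
SENSITIVE = {"da_admin"}


def build_graph(local_admins, sessions):
    """Return adjacency node -> set(node). Accounts are ("user", name),
    hosts are ("host", name)."""
    graph = {}
    for host, admins in local_admins.items():
        for user in admins:
            graph.setdefault(("user", user), set()).add(("host", host))
    for host, users in sessions.items():
        for user in users:
            graph.setdefault(("host", host), set()).add(("user", user))
    return graph


def find_lateral_movement_path(graph, start_user, sensitive):
    """Breadth-first search from a compromised account. Returns the shortest
    path (list of nodes) to any sensitive account, or None if none exists."""
    start = ("user", start_user)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        kind, name = node
        if kind == "user" and name in sensitive and node != start:
            path = []
            while node is not None:           # walk parents back to start
                path.append(node)
                node = parent[node]
            return list(reversed(path))
        for nxt in graph.get(node, ()):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def format_path(path):
    return " -> ".join(f"{name} ({kind})" for kind, name in path)


if __name__ == "__main__":
    g = build_graph(LOCAL_ADMINS, SESSIONS)
    for user in ("alice", "bob"):
        p = find_lateral_movement_path(g, user, SENSITIVE)
        print(f"{user}: {format_path(p) if p else 'no path to a sensitive account'}")
```

In this toy domain, compromising alice leads nowhere, while bob reaches da_admin in three hops (bob's workstation has a helpdesk session, helpdesk administers the file server, the backup service account that runs there also administers SRV-APP01, where the domain admin is logged in). The defensive reading is that the path is cut by removing any single edge; the cheapest fix is usually at the end, by not letting sensitive accounts sign in to servers administered by lower-tier accounts.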

How can you observe if someone is making lateral movement in your network?

There are many techniques an attacker can use for reconnaissance, credential theft and lateral movement. The activity patterns below, as flagged by identity-monitoring tools that watch authentication traffic to domain controllers, are the kinds of signals to look for:
➢ Abnormal modification of sensitive groups (for example, new members added to Domain Admins)
➢ Broken trust between computers and domain
➢ Brute force attack using LDAP simple bind
➢ Encryption downgrade activity (Kerberos messages forced down to a weaker cipher such as RC4, typical of overpass-the-hash and forged-ticket tooling)
➢ Honeytoken activity (any use of a decoy account that nobody should ever touch)
➢ Identity theft using Pass-the-Hash attack (an NTLM hash reused to authenticate without the password)
➢ Identity theft using Pass-the-Ticket attack (a Kerberos ticket stolen from one host and reused from another)
➢ Kerberos Golden Ticket activity (a TGT forged with the krbtgt account's key)
➢ Malicious data protection private information request (the DPAPI domain backup key requested from a domain controller)
➢ Malicious replication of Directory Services (DCSync: an account that is not a domain controller pulling password hashes over the replication protocol)
➢ Massive object deletion
➢ Privilege escalation using forged authorization data (a forged PAC inside a Kerberos ticket)
➢ Reconnaissance using account enumeration
➢ Reconnaissance using Directory Services queries (SAM-R and LDAP queries for groups, admins and sensitive accounts)
➢ Reconnaissance using DNS (zone transfer attempts)
➢ Reconnaissance using SMB session enumeration (which accounts are logged on where)
➢ Remote execution attempt detected (service creation or WMI execution against a domain controller)
➢ Sensitive account credentials exposed & services exposing account credentials (passwords sent in cleartext, for example an LDAP simple bind without TLS)
➢ Suspicious authentication failures
➢ Suspicious service creation
➢ Suspicion of identity theft based on abnormal behavior
➢ Unusual protocol implementation (NTLM or SMB traffic shaped the way attack tools build it rather than the way Windows does)
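As an added example, not from the original article: the detection logic below runs three of the checks from the list (network-logon fan-out, as produced by SMB session enumeration or a remote execution sweep; Kerberos encryption downgrade to RC4; and suspicious service creation) over constructed Windows Security and System log events. Event IDs 4624, 4769 and 7045 are the real Windows event IDs and the field meanings are accurate; the hosts, accounts, timestamps and thresholds are made-up assumptions for illustration.

```python
"""Lateral movement indicators over constructed Windows event samples.
Added example, not code from the original article. Hosts, accounts, times
and thresholds are hypothetical; the event IDs are the real Windows ones:
  4624 (Security)  logon; LogonType 3 = network logon (SMB, RPC, WinRM ...)
  4769 (Security)  Kerberos service ticket requested, with TicketEncryptionType
  7045 (System)    a service was installed (how PsExec/smbexec-style tools run code)
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, shaped like the fields a SIEM extracts from the logs.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "id": 4624, "host": "WS01", "user": "alice", "logon_type": 3},
    {"ts": "2024-05-01T09:04:00", "id": 4624, "host": "SRV-FILE01", "user": "alice", "logon_type": 3},
    {"ts": "2024-05-01T09:10:00", "id": 4769, "host": "DC01", "user": "alice",
     "service": "cifs/SRV-FILE01", "enc_type": 0x12},        # AES256: normal
    {"ts": "2024-05-01T09:12:00", "id": 4769, "host": "DC01", "user": "bob",
     "service": "MSSQLSvc/db01:1433", "enc_type": 0x17},     # RC4-HMAC: downgrade
    # one service account touching five hosts within a minute
    {"ts": "2024-05-01T09:20:00", "id": 4624, "host": "WS02", "user": "svc_backup", "logon_type": 3},
    {"ts": "2024-05-01T09:20:15", "id": 4624, "host": "WS03", "user": "svc_backup", "logon_type": 3},
    {"ts": "2024-05-01T09:20:30", "id": 4624, "host": "WS04", "user": "svc_backup", "logon_type": 3},
    {"ts": "2024-05-01T09:20:45", "id": 4624, "host": "WS05", "user": "svc_backup", "logon_type": 3},
    {"ts": "2024-05-01T09:21:00", "id": 4624, "host": "SRV-APP01", "user": "svc_backup", "logon_type": 3},
    # smbexec-style service: the "binary" is a cmd.exe one-liner writing into %TEMP%
    {"ts": "2024-05-01T09:21:30", "id": 7045, "host": "SRV-APP01", "service_name": "BTOBTO",
     "image_path": "%COMSPEC% /Q /c echo whoami ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 > %TEMP%\\execute.bat"},
    # a legitimate service install, for contrast
    {"ts": "2024-05-01T10:00:00", "id": 7045, "host": "WS01", "service_name": "Sense",
     "image_path": "C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def detect_logon_fanout(events, min_hosts=5, window=timedelta(minutes=10)):
    """Alert when one account performs network logons (4624, LogonType 3) to
    at least min_hosts distinct hosts inside `window`. Returns {user: hosts}."""
    per_user = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 3:
            per_user[e["user"]].append((parse_ts(e["ts"]), e["host"]))
    alerts = {}
    for user, logons in per_user.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):          # slide the window start
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts[user] = sorted(hosts)
                break
    return alerts


def detect_rc4_downgrade(events, expected_enc=frozenset({0x11, 0x12})):
    """Alert on 4769 requests whose TicketEncryptionType is not AES (0x11/0x12)
    in a domain that normally issues AES tickets. 0x17 is RC4-HMAC."""
    return [(e["user"], e["service"]) for e in events
            if e["id"] == 4769 and e.get("enc_type") not in expected_enc]


# command interpreters, user-writable directories, or a UNC path as the service binary
SUSPICIOUS_SERVICE_PATH = re.compile(
    r"(%COMSPEC%|cmd\.exe|powershell(\.exe)?|\\Users\\|\\Temp\\|\\ProgramData\\|^\\\\)",
    re.IGNORECASE)


def detect_suspicious_service_creation(events):
    """Alert on 7045 where the installed service's image path looks like
    remote-execution tooling rather than a packaged product."""
    return [(e["host"], e["service_name"]) for e in events
            if e["id"] == 7045 and SUSPICIOUS_SERVICE_PATH.search(e["image_path"])]


if __name__ == "__main__":
    print("logon fan-out:      ", detect_logon_fanout(EVENTS))
    print("RC4 downgrade:      ", detect_rc4_downgrade(EVENTS))
    print("suspicious services:", detect_suspicious_service_creation(EVENTS))
```

Two caveats before putting rules like these into a SIEM: the fan-out threshold has to be baselined per account, because vulnerability scanners, backup and monitoring accounts legitimately log on everywhere; and the RC4 check only means something once the domain actually issues AES tickets, and it needs an allow-list for the old service accounts that still only support RC4.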

How To Prevent or Detect Lateral Movement In The Network?

Step 1: Update Your Endpoint Security Solution
Many high-profile attacks ran for months of dwell time and moved laterally while evading conventional security controls. Attackers count on the fact that many organisations still rely on legacy, signature-based security products, which current attack tooling bypasses with little effort. Countering them requires endpoint protection that adds behavioural analysis to signatures, the combination the page calls next-gen AV.
Also, reevaluate your security strategy to ensure that you have the most effective security approach possible — one that includes both prevention technology to stop intrusion attempts and full EDR (endpoint detection and response) to automatically detect suspicious activity.
Step 2: Proactively Hunt for Advanced Threats
Many organisations fall victim to breaches not because of a lack of alerts but because they have too many to investigate. Over-alerting and false positives can result in alert fatigue.
If your security solutions are delivering too many false positives, or you’re getting alerts with no context and no way to prioritize them, then it’s only a matter of time before a critical alert gets missed. It’s vitally important to have real experts proactively looking at what’s occurring in your environment and sending detailed alerts to your team when unusual activity is detected.
Consider augmenting your internal team with a service that provides hands-on threat-hunting expertise: one that monitors proactively for hidden threats, minimises false positives and prioritises alerts so that the most critical ones are addressed immediately.
Step 3: Maintain Proper IT Hygiene
Eliminate vulnerabilities such as outdated or unpatched systems and software that may be lurking in your network. A vulnerability can sit unexploited for a long time before an attacker uses it to reach the next host, and organisations stay exposed if they fail to apply patches across all of their endpoints, not just the visible ones. Hygiene also means shortening the lateral movement paths themselves: limit who holds local administrator rights, and keep sensitive accounts from signing in to machines that non-sensitive users administer.
Ultimately, your best defense is to make sure your organization is deploying the most effective technology currently available.
Achieving this requires true next-generation solutions such as Endpoint detection and response (EDR), managed threat hunting, next-gen AV with behavioral analytics and machine learning, and automated threat intelligence. These tools are key to gaining the visibility and context you need to meet critical, outcome-driven metrics and win the race against today’s — and tomorrow’s — most sophisticated adversaries.
Lateral movement is a key tactic that distinguishes today's advanced persistent threats (APTs) from the simplistic cyberattacks of the past. Network defenders must be in the habit of digging deeper into the logs and carefully examining the security events flagged by the SIEM and similar tools.


Pentester, Cyber World Enthusiast
