Learn what you can do to detect lateral movement and prevent lateral movement attack
After gaining access to an organization’s network, cybercriminals use lateral movement to escalate privileges, exploit vulnerabilities, and other malicious activity to gain access to assets and resources. Lateral movement is not an attack per se; it refers to the movement of an attacker within a victim’s network. Lateral movement is a stage that often leads up to a lateral movement attack. Attackers usually use lateral movement to extend the reach of the attack deeper into the victim’s network in an effort to find new systems or data on which they can apply malicious activity. Attackers may engage in lateral movement at any stage of an attack, but it is most common during the post-compromise phase. Once attackers have established an initial foothold, either through a successful infiltration or the exploitation of a vulnerability, they position themselves to expand their control more completely and gain unauthorized access to more valuable resources within the victim’s network.
Let’s take a closer look at how attackers scout networks for prospective new victims and the everyday tools they use to do it. Next, we’ll explain how cybercriminals use lateral movement attack methods to gain unauthorized access to your sensitive workflows, how to detect lateral movement, and what you can do right now to prevent it.
In the first step, hackers scan the infrastructure of targeted victim networks. The scanning process is carried out to gather intelligence about how a network is designed and layered and what roles and functions each layer has within the network. It can also ascertain what operating systems the network is using, what devices are being used on the network, and where on the network sensitive data and/or personally identifiable information may be.
Attackers may use a number of tools to carry out this first step in a lateral movement attack, these may include:
Short for network statistics, Netstat is a command-line tool that you can use in the command prompt to display statistics for all network connections. Conventional users rely on Netstat to understand open and connected ports to monitor and troubleshoot networking problems. For cybercriminals, Netstat helps gather information about how things interconnect in a potential victim’s network.
- ipconfig and ifconfig
ipconfigi s a Windows console application that gathers all data regarding current Transmission Control Protocol/Internet Protocol (TCP/IP) configuration values and shows it on a screen. ifconfig is a command-line interface tool that system administrators routinely use to display and analyze network interface parameters. Attackers use these tools to gain access to various network configurations.
- Address Resolution Protocol cache
This data repository is used to connect an IP address to a Media Access Control (MAC) address for a physical machine or device in a local network and helps to route packets to the right endpoint. Malicious actors can access this table to get data about IP addresses and their correlating media access control addresses to plan a lateral movement attack.
PowerShell is a cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework. Because PowerShell works with different technologies and platforms, “peaceful uses” include automating systems management and building, testing, and deploying solutions. Cybercriminals use it to break down the network systems a user has privileged access to and expose the user to attack.
Attackers use lateral movement attack methods to gain fraudulent credentials access or escalated privileges
The simplest lateral movement attack method uses phishing, spear phishing, or another form of social engineering to deceive users and get access credentials. Here are some other lateral movement attack methods:
An attacker can deploy keyloggers from a phishing email. The “phished” user accesses a malicious link or infected file, and the keylogger program records every one of the privileged user’s keystrokes and sends the information to the attacker.
As an open-source application, Mimikatz allows users to view and save authentication credentials. For attackers, it enables access to plaintext passwords, PINs, tickets, and hashes in a network’s memory.
- Pass the ticket attack
When attackers deploy a tool like Mimikatz to extract Kerberos authentication tickets, they can authenticate without a legitimate password. In this attack method, cybercriminals create or capture and reuse Kerberos tickets to make it look like they are a privileged user.
- Pass the hash attack
Attackers employ this technique to capture an authenticated hash of a password, then use the hash to log in to local and remote devices and virtual machines — without decrypting the hash. The login process having been completed; cyber criminals can then move to launch a lateral movement attack.
Three ways to prevent a lateral movement attack
In general, owing to the extraordinarily covert nature of the attack process, how to detect lateral movement is very difficult. Even organizations that have good cybersecurity postures in place can take weeks or months to detect unusual access behaviors generated from a lateral movement attack. The best plan is to put a strategy in place that can prevent a lateral movement attack from happening at all. There are a few ways to accomplish this:
Protect and harden endpoints. Endpoints are where network lines of communications originate and terminate. Endpoint security platforms can detect suspicious user entry and exit behavior. You must also keep current on patching and monitor log network activity for any devices that connect to your internal systems.
Regular penetration testing (pen testing) and threat-hunting projects through red team exercises can also help prevent a lateral movement attack. A good security team will conduct this testing four times a year at minimum. This testing is a very effective practice for detecting cyber attackers lurking in your network environment.
As environments get more diverse and architectures more complex, existing infrastructure tools are less capable than ever of protecting workloads. Microsegmentation isolates data and workloads from each other and limits lateral traffic, mitigating attackers’ ability to move freely in your system and mount a lateral movement attack. Here at TrueFort, we provide intelligent microsegmentation to prevent access to business-critical assets. Microsegmentation enables you to establish a trusted baseline of expected workload and account activity in operating environments in ways that security alerts alone cannot; curbing excessive entitlements for users and machines and enforcing automated blocking for network connections, service account usage, or command line execution outside the norm for any microsegment.