Today, cyber attacks are not only more abundant, but they are also more complex, with attackers often using a range of methods to get to your most sensitive data and valuable network assets. One preferred technique is lateral movement.
This guide describes this particular method and explains how lateral movement is now more widespread as attackers employ automated tools and bots. It also shows how small and medium-sized businesses are at risk due to the automation of lateral movement techniques.
Lateral movement is an approach used by attackers to systematically transverse a network to access or damage valuable assets or data.
The attacker uses tools and methodologies to obtain access and privileges, which let them move laterally between applications and devices in a network to isolate targets, map the system and ultimately gets to the high-value targets.
How it works
Lateral movement tends to take place following the initial compromise of an endpoint or server. This attack methodology requires the additional compromise of user account credentials. Using these account credentials, the attacker attempts to access other nodes.
As an attacker gathers information about the environment, they make parallel attempts to steal credentials, exploit misconfigurations, or isolate software vulnerabilities so they can dig deeper into the network. The attacker then uses lateral movement to control key points in the infected network. These additional positions help the attacker maintain persistence even if a security team detects them on a compromised machine.
Lateral movement security challenges
Research shows that attackers spend 80% of an attack during lateral movement. While the initial compromise takes place relatively quickly, pivoting from the compromised node to the final goal is a much longer process. The attacker spends most of their time transitioning from the initial breach to the final goal.
Although in the network, during the initial breach the attacker has not yet performed the harmful action for which they infiltrated the target environment in the first place. If you can identify them during this stage, you will likely end the attack. Identifying lateral movement is thus potentially very effective.
However, monitoring internal networks is challenging. Organizations have attempted using, for example, log analysis, machine learning, SIEM’s, and anomaly-based detection. However, due to the sheer volume of data, even the most innovative analytics solutions generate false positives. Consequently, many security teams don’t manage to investigate the large majority of alerts.
Lateral Movement and Advanced Persistent Threat Campaigns
An Advanced Persistent Threat (APT) is a targeted and prolonged cyber attack, where an attacker accesses a network and stays undetected for an extended length of time. The goal of an APT attack is typically to steal data or to sabotage the target environment.
The results of APT assaults include:
Compromised sensitive data or information, including employee or user information
Intellectual property theft, including patented or trade secrets
Damage to key organizational infrastructures, including database deletion
Sabotage physical operations of critical infrastructure
Lateral Movement Theft Enabling Techniques Used in an APT Offense
In an APT offense, attackers start by gathering data on the target organization, including its organizational structure and network environment. The data is then used for social engineering schemes to obtain entry into the network, typically through compromising an endpoint.
Once attackers gained a foothold on an endpoint within the targeted environment, they begin to gather information on other machines and user accounts and attempt to harvest user account credentials either from the endpoint’s memory or from network traffic. These credentials provides them with access to other endpoints or servers in the environment.
Attackers gather information, such as operating systems, network hierarchy, and resources used in the servers, to map the environment and understand where the sensitive data is stored.
Some operating system utilities attackers can use to do internal reconnaissance:
Netstat — reveals the machines current network connections. Used for seeing more critical assets or to learn of the network they are linked to.
IPConfig/IFConfig — provides access to location information and the network configuration
ARP cache — offers information of the IP address to the physical address. Used to target individual machines or for evasion techniques.
Local routing table — shows the current routes and communication paths for the host.
PowerShell — a Windows scripting and command line tool.
Infiltrating other computers
Attackers use stolen credentials to remotely access desktops. IT support staff often access desktops this way, so remote access is generally not linked to a persistent attack. Furthermore, attackers may also access domain credentials to log into servers, network systems, and switches.
Attackers use remote control tools to target other desktops in the network and carry out steps such as scheduling tasks, executing programs, and controlling data collections on systems.
The attacker uses built-in system or IT support tools such as:
Remote Desktop Protocol (RDP, PsExec, AT, VBScript and open source tools including Metasploit.
PowerShell and Windows Management Instrumentation (WMI) are some newer techniques used by attackers.
Credential Theft Techniques
Once inside the network, attackers look to move to new territories and broaden their control. The attackers single out other “territories” they want to access and then work towards obtaining login credentials.
To access these territories attackers can use the following techniques:
APR spoofing — attackers can place themselves in communication in the switched network by generating unwarranted fake APR replies and requests. This is a typical man-in-the-middle attack.
DNS responder — attackers make use of stolen credentials to access domain registry systems and modify information. Domain Name Service (DNS) is the technology used to direct domain names to the IP address where the information is accessible.
SMB relay — relies on NTLM Version 2 authentication, used in most companies. Attackers can use this to listen to the network to authenticate as a user, without the need for a password. They can thus apprehend traffic, redirect it, and gain unauthorized access to the system.
Lateral Movement Techniques
The tools may vary, but the typical strategy is to gain access to a lower privileged, lower protected asset and then to increase privileges and begin looking for valuable targets on the network.
Distributed component object model
Windows DCOM is transparent middleware that broadens the scope of Component Object Model (COM) on remote systems, via remote procedure call.
An attacker can use DCOM as a lateral movement technique, and remotely gain shellcode execution via Office applications and other Windows objects that have vulnerable methods, or execute macros in current documents.
Exploitation of services
Attackers can exploit a programming error in a service, a kernel, a program, or an operating system software, to remotely execute code.
The attacker sees if the remote system is vulnerable, which can be achieved via, for example, network service scanning. The attacker looks for vulnerable software, the lack of patches that could point to a vulnerability, or security software that could be used to contain or isolate remote exploitation.
The admin share is at the center of PsExec style attacks and provides the attacker with access to the system root directory. Furthermore, the per-partition hidden shares provide the attacker with read-write access to the hard-drive of the remote system.
Pass the hash
Attackers can use the encrypted hash of a password to access remote servers without knowledge of the plaintext password. Once they have gained the password hashes, the attacker transfers them to other services. They do not need to employ dictionary or brute-force attacks on the hash.
Pass the ticket
Uses Kerberos tickets. The attacker does not need to have access to the password of an account. Attackers seize valid accounts for valid Kerberos tickets for credential dumping.
Lateral Movement Employed by Automated Tools
The traditional concept of lateral movement: the human element
Lateral movement was traditionally a series of manual measures undertaken by a human attacker. The attacker actor would manually gain access to a secure environment, isolate the most valuable or vulnerable targets, progress to other trusted assets, expand the extent of their access, and finally move towards a high-value target.
Lateral movement today
Today, lateral movement has been automated and commoditized and as such is often deployed by automated bots and tools. Instances of the automation of lateral movement include:
WannaCry — a ransomware attack, which took place in May 2017. This global cyber attack made use of a largely unpatched Windows exploit for lateral movement. WannaCry is a ransomware worm that spread across several computer networks. After infecting a Windows computer, it encrypts files on the hard drive of a PC, so users cannot gain access, then pressures the user to make a ransom payment in bitcoin to decrypt the files.
The WannaCry malware checks the “kill switch” domain name; if it isn’t identified, then the ransomware encrypts the data of the computer. It then seeks to exploit the Windows Server Message Block (SMB) vulnerability, to reach out to computer on the internet and laterally to computers on the current network.
WannaMine — a cryptocurrency-mining malware, became public in April 2017. It took CPU power of organizations to mine Monero. The malware makes use of the Mimikatz credential harvester to gain legitimate credentials and move laterally within the network. If it cannot gain credentials it will leverage the EternalBlue exploit.
WannaMine uses “living off the land” strategies for persistence, including Windows Management Instrumentation (WMI) permanent event subscriptions. The malware is fileless in character and leverages PowerShell for infection. It uses credential harvester Mimikatz to gain access to legitimate credentials that let it propagate and move laterally. If this fails then the worm seeks to attack the remote system through EternalBlue.
EternalBlue — is an exploit created by the U.S. National Security Agency (NSA). It was leaked by the Shadow Brokers hacker group on April 14, 2017, and was, for example, used to help carry out the 2017 NotPetya cyberattack on June 27, 2017. It exploits a vulnerability in Microsoft’s execution of the Server Message Block (SMB) protocol. EternalBlue is used as either a method of lateral movement or an initial compromise vector.
NotPetya — researchers at a Kaspersky Lab claim that organizations are the target of a new form of ransomware, which they have called NotPetya. Kaspersky data indicates that 2,000 users have been attacked to date, with organizations in the Ukraine and Russia bearing the brunt. Researchers at Symantec believe the ransomware, like WannaCry, is leveraging the EternalBlue Microsoft Windows exploit.
Cynet Advanced Threat Protection
Cynet 360 is an Advanced Threat Detection and Response platform that provides protection against threats, including lateral movement attacks, zero-day attacks, advanced persistent threats (APT), and trojans that can evade signature-based security measures.
Cynet stops lateral movement and protects your sensitive data:
Monitoring across three planes — Cynet 360 safeguards all attack surfaces by tracking three planes; network traffic, process behavior, and user activity. Continuous monitoring across this triad offers increased visibility into threats such as lateral movement attacks.
Pass the Hash detection — Cynet tracks and monitors network communication and uses a vast set of correlation and analysis methods to identify traffic patterns that signify Pass the Hash.
User anomaly detection — Cynet monitors the activity of users, isolating their behavioral patterns and giving them a real-time risk score, which is based on their interactions with hosts, files and network traffic, and their activity type. Cynet can identify anomalous logins and see, according to their context, if they are a part of lateral movement.
Beyond attack detection and prevention — using Cynet organizations can proactively monitor their internal environment, including endpoints, files, network, and hosts. This can help them reduce the attack surface and the possibility of lateral movement attacks.
Learn more about how Cynet 360 can protect your organization against lateral movement and other advanced threats.
Ebook Free Download
Securing Your Organization’s Network on a Shoestring
How to protect your resource-constrained organization’s endpoints, networks, files and users without going bankrupt or losing sleep.