Prefer a one-on-one demo? Click here
Today, cyber attacks are not only more abundant, but they are also more complex, with attackers often using a range of methods to get to your most sensitive data and valuable network assets. One preferred technique is lateral movement.
This guide describes this particular network attack method and explains how lateral movement is now more widespread as attackers employ automated tools and bots. It also shows how small and medium-sized businesses are at risk due to the automation of lateral movement techniques.
In this page:
Lateral movement is an approach used by attackers to systematically transverse a network to access or damage valuable assets or data.
The attacker uses tools and methodologies to obtain access and privileges, which let them move laterally between applications and devices in a network to isolate targets, map the system and ultimately gets to the high-value targets.
Lateral movement tends to take place following the initial compromise of an endpoint or server. This attack methodology requires the additional compromise of user account credentials. Using these account credentials, the attacker attempts to gain unauthorized access to other nodes.
As an attacker gathers information about the environment, they make parallel attempts to steal credentials, exploit misconfigurations, or isolate software vulnerabilities so they can dig deeper into the network. The attacker then uses lateral movement to control key points in the infected network. These additional positions help the attacker maintain persistence even if a security team detects them on a compromised machine.
Research shows that attackers spend 80% of an attack during lateral movement. While the initial compromise takes place relatively quickly, pivoting from the compromised node to the final goal is a much longer process. The attacker spends most of their time transitioning from the initial breach to the final goal.
Although in the network, during the initial breach the attacker has not yet performed the harmful action for which they infiltrated the target environment in the first place. If you can identify them during this stage, you will likely end the attack. Identifying lateral movement is thus potentially very effective.
However, monitoring internal networks is challenging. Organizations have attempted using, for example, log analysis, machine learning, SIEM’s, and anomaly-based detection. However, due to the sheer volume of data, even the most innovative analytics solutions generate false positives. Consequently, many security teams don’t manage to investigate the large majority of alerts.
An Advanced Persistent Threat (APT) is a targeted and prolonged cyber attack, where an attacker accesses a network and stays undetected for an extended length of time. The goal of an APT attack is typically to steal data or to sabotage the target environment.
The results of APT assaults include:
In an APT offense, attackers start by gathering data on the target organization, including its organizational structure and network environment. The data is then used for social engineering schemes to obtain entry into the network, typically through compromising an endpoint.
Once attackers gained a foothold on an endpoint within the targeted environment, they begin to gather information on other machines and user accounts and attempt to harvest user account credentials either from the endpoint’s memory or from network traffic. These credentials provides them with access to other endpoints or servers in the environment.
Attackers gather information, such as operating systems, network hierarchy, and resources used in the servers, to map the environment and understand where the sensitive data is stored.
Some operating system utilities attackers can use to do internal reconnaissance:
Attackers use stolen credentials to remotely access desktops. IT support staff often access desktops this way, so remote access is generally not linked to a persistent attack. Furthermore, attackers may also access domain credentials to log into servers, network systems, and switches.
Attackers use remote control tools to target other desktops in the network and carry out steps such as scheduling tasks, executing programs, and controlling data collections on systems.
The attacker uses built-in system or IT support tools such as:
Once inside the network, attackers look to move to new territories and broaden their control. The attackers single out other “territories” they want to access and then work towards obtaining login credentials.
To access these territories attackers can use the following techniques:
The tools may vary, but the typical strategy is to gain access to a lower privileged, lower protected asset and then to increase privileges and begin looking for valuable targets on the network.
Windows DCOM is transparent middleware that broadens the scope of Component Object Model (COM) on remote systems, via remote procedure call.
An attacker can use DCOM as a lateral movement technique, and remotely gain shellcode execution via Office applications and other Windows objects that have vulnerable methods, or execute macros in current documents.
Attackers can exploit a programming error in a service, a kernel, a program, or an operating system software, to remotely execute code.
The attacker sees if the remote system is vulnerable, which can be achieved via, for example, network service scanning. The attacker looks for vulnerable software, the lack of patches that could point to a vulnerability, or security software that could be used to contain or isolate remote exploitation.
The admin share is at the center of PsExec style attacks and provides the attacker with access to the system root directory. Furthermore, the per-partition hidden shares provide the attacker with read-write access to the hard-drive of the remote system.
Attackers can use the encrypted hash of a password to access remote servers without knowledge of the plaintext password. Once they have gained the password hashes, the attacker transfers them to other services. They do not need to employ dictionary or brute-force attacks on the hash.
Uses Kerberos tickets. The attacker does not need to have access to the password of an account. Attackers seize valid accounts for valid Kerberos tickets for credential dumping.
Lateral movement was traditionally a series of manual measures undertaken by a human attacker. The attacker actor would manually gain access to a secure environment, isolate the most valuable or vulnerable targets, progress to other trusted assets, expand the extent of their access, and finally move towards a high-value target.
Today, lateral movement has been automated and commoditized and as such is often deployed by automated bots and tools. Instances of the automation of lateral movement include:
Cynet 360 is an Advanced Threat Detection and Response platform that provides protection against threats, including lateral movement attacks, zero-day attacks, advanced persistent threats (APT), and trojans that can evade signature-based security measures.
Cynet stops lateral movement and protects your sensitive data:
Learn more about how Cynet 360 can protect your organization against lateral movement and other advanced threats.