Lateral Movement: How to stop disguised attackers in time
by Tina Siering
What is Lateral Movement?
Lateral movement refers to the techniques an attacker uses to move from one compromised system to another within a network in order to gain access to additional resources. This can be done in a variety of ways, such as with stolen credentials, through a phishing attack or by exploiting security vulnerabilities. The goal of lateral movement is to reach sensitive data or systems that were not accessible from the original point of entry. It is a common tactic that attackers apply step by step to expand their foothold within a network and increase the potential damage.
First, the attacker establishes a connection between the first infected machine and a command & control server. Through this connection, they can send commands to all infected devices and receive the data those devices collect. Once the threat actor has penetrated deeper into the network, they use various tools to obtain extended permissions and thereby secure permanent access to the network. Even if the compromise of the first computer is discovered, they can still move through the systems unnoticed, posing as a legitimate user. In the process, they collect further login data, extend their access rights and infect other computers until they have reached the actual target. To gain control over the entire network, they usually obtain the necessary administrator rights. The encryption and/or theft of data often takes place weeks or months after the initial intrusion.
The goal of lateral movement is to consolidate access while gathering information about the network itself. The technique is widespread: it is used in around 60 per cent of all cyber attacks. Among the most prominent cases in recent years were the SolarWinds attack, the NotPetya incidents and the WannaCry attack.
In which attacks do cybercriminals use lateral movement?
1. Ransomware attack
For a ransomware attack to put as much pressure as possible on the victim, attackers need to obtain the highest level of authorisation they can within the network. If they succeed, they temporarily paralyse processes that are necessary for business operations and can often enforce high ransom demands.
2. Data exfiltration
In data exfiltration, attackers move or copy valuable company data without authorisation. They do this for various reasons, for example to obtain sensitive data, to commit identity fraud or to extort a ransom. In most cases, the attackers reach the data by moving laterally from the initial entry point to the target system.
3. Espionage
Espionage takes place, for example, between hostile states or competing companies. The goal of an espionage attack is not primarily financial gain but the covert acquisition of information. The aim is therefore to remain in the network unnoticed for as long as possible and to avoid discovery at all costs, in order to learn as much as possible about the victim.
4. Botnet attack
In a botnet attack, lateral movement serves to integrate as many devices as possible into the botnet. The more infected machines a botnet contains, the more powerful the attack. Among other things, cyber criminals use botnets to send spam, to encrypt databases or for DDoS attacks that cause delays and outages of services or servers.
How hackers disguise themselves in lateral movement
Cybercriminals who move laterally in a network are always on their guard. As soon as they notice that the organisation's IT security team has discovered the attack and initiated countermeasures, they suspend their activities for the time being, since the risk that the security team would also discover the other infected devices would be too great. Only when the victim feels safe again do they resume their actions.
It is not uncommon for attackers to set up so-called backdoors. If they are detected and removed from all servers and devices, they can regain access to the network at any time via these backdoors, bypassing the access controls. In addition, attackers can blend their malicious activity so cleverly into ordinary network traffic that administrators notice no anomalies. The more legitimate user accounts the attackers have compromised, the more freely they can move around the network undetected.
How to prevent lateral movement in your network
Lateral movement enables attackers to remain undetected in the network for weeks or even months and ultimately cause great damage. This makes it all the more important for companies and organizations to protect themselves against this attack tactic with the following security measures:
Effective patch management enables you to detect and close security gaps in your systems promptly and regularly. Cyber criminals then do not get the chance to gain access to your network in the first place.
Stolen credentials are of no use to attackers if logging in to a user account requires two or more factors thanks to multi-factor authentication, such as a password combined with a security question or a biometric feature.
The classic network structure of a company consists of two networks: the external network (the Internet) and the internal network (the LAN). This structure represents a vulnerability that cyber criminals often exploit. For example, if an employee working from home is connected to their home Wi-Fi and to their employer's VPN at the same time, and security mechanisms are lacking, attackers can exfiltrate company data unnoticed via the local internet connection.
Even if the employee only has limited authorisations, it is in principle possible for attackers to gain access to the entire company network, including the administrator account. Therefore, firstly, the connection to the local internet must be cut as soon as a VPN connection is established. Secondly, companies should divide their network into several segments and thus seal off internal systems from each other. This network segmentation prevents attackers from moving unhindered from one computer to the next.
Network segmentation is implemented through physically separated network structures and clearly defined security zones within the organisation. Each security zone is assigned certain security mechanisms that must be satisfied before resources in that zone can be accessed. In large networks without sufficient segmentation, the challenge can be overcome with micro-segmentation, in which rule sets are defined per server.
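The following Python is an added, constructed illustration of the zone model just described (written for this article, not a product or policy of any named vendor): three assumed security zones, an explicit allow list between them with default deny, a per-server view of the same rules in the micro-segmentation style, and an audit that shows which connections seen on a flat network the policy would block.

```python
from ipaddress import ip_address, ip_network

# Constructed zone model and policy (assumed values for illustration only).
ZONES = {
    "clients": ip_network("10.10.0.0/16"),   # user workstations
    "servers": ip_network("10.20.0.0/16"),   # application servers
    "admin":   ip_network("10.99.0.0/24"),   # hardened admin jump hosts
}

# Allowed (source zone, destination zone, destination port). Everything else is
# denied, including traffic between two hosts in the same zone: a workstation
# never needs SMB or RDP to another workstation, which is exactly the path
# lateral movement takes from one compromised client to the next.
ALLOW = {
    ("clients", "servers", 443),   # users reach web applications
    ("admin", "servers", 22),      # SSH to servers only from the admin zone
    ("admin", "clients", 3389),    # RDP to workstations only from the admin zone
}

def zone_of(ip):
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def decide(src, dst, port):
    """Policy decision for one connection attempt: 'allow' or 'deny'."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "deny"                       # unknown address: default deny
    return "allow" if (src_zone, dst_zone, port) in ALLOW else "deny"

def per_server_rules(server_ip):
    """Micro-segmentation view: the inbound rule set one server would enforce."""
    zone = zone_of(server_ip)
    return sorted((src, port) for src, dst, port in ALLOW if dst == zone)

def audit(flows):
    """Given connections observed on a flat network, list those the policy blocks."""
    return [f for f in flows if decide(*f) == "deny"]

# Constructed sample of connections seen on an unsegmented network.
OBSERVED = [
    ("10.10.1.5", "10.20.3.4", 443),    # workstation -> web app: allowed
    ("10.10.1.5", "10.10.1.9", 445),    # workstation -> workstation SMB: blocked
    ("10.10.1.5", "10.20.3.4", 22),     # workstation -> server SSH: blocked
    ("10.99.0.2", "10.20.3.4", 22),     # admin host -> server SSH: allowed
    ("10.10.1.9", "10.10.1.12", 3389),  # workstation -> workstation RDP: blocked
]
```

In a real deployment the same allow list is what gets translated into firewall or host-based rule sets; the audit step is a cheap way to find legitimate flows that would break before enforcing the policy.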
Managed Detection and Response (MDR) Service
MDR services such as the Active Cyber Defense (ACD) service from Allgeier secion focus on proactive attack detection in the network. ACD reliably exposes malicious attacker communication with command & control servers and identifies compromises in time. By continuously analysing network traffic, Allgeier secion's external SOC team uncovers malicious behaviour immediately, so that infected systems can be quickly isolated and cleaned up. Attackers therefore do not even get the chance to move around the network unnoticed for months via lateral movement.
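As an added, constructed illustration of the kind of traffic analysis this section and the attack description above refer to (example code written for this article, not Allgeier secion's ACD or any other product; the address range, port list, thresholds and every flow record are assumed sample values), the following Python flags two of the patterns discussed: a host contacting the same external server at fixed intervals (command & control beaconing) and a host fanning out to many internal peers on remote-administration ports (lateral movement).

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = ip_network("10.0.0.0/8")       # assumed corporate address range
ADMIN_PORTS = {22, 135, 445, 3389, 5985}  # remote-admin services attackers pivot over

# Constructed connection records (ts, src, dst, dst_port): sample data, not real traffic.
BASE = datetime(2024, 3, 1, 9, 0, 0)
# One workstation calls the same external host every 300 s: the C2 beacon pattern.
FLOWS = [(BASE + timedelta(seconds=300 * i), "10.10.1.5", "203.0.113.7", 443) for i in range(8)]
# The same workstation opens SMB to six peers within minutes: internal fan-out.
FLOWS += [(BASE + timedelta(seconds=40 * i), "10.10.1.5", f"10.10.1.{20 + i}", 445) for i in range(6)]
# Ordinary browsing with irregular gaps from another workstation: must not be flagged.
for off in (0, 60, 660, 690, 1590, 1710, 3710):
    FLOWS.append((BASE + timedelta(seconds=off), "10.10.2.8", "198.51.100.9", 443))

def fan_out(flows, window=timedelta(minutes=10), threshold=5):
    """{src: n} for sources reaching >= threshold distinct internal hosts on
    admin ports inside one sliding time window."""
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(flows):
        if port in ADMIN_PORTS and ip_address(dst) in INTERNAL:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        for i, (start, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - start <= window}
            if len(targets) >= threshold:
                hits[src] = len(targets)
                break
    return hits

def beacons(flows, min_count=6, max_jitter=0.2):
    """[((src, dst), mean_gap_seconds)] for external destinations contacted at
    near-constant intervals: coefficient of variation of the gaps <= max_jitter."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in sorted(flows):
        if ip_address(dst) not in INTERNAL:
            by_pair[(src, dst)].append(ts)
    hits = []
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.append((pair, round(mean(gaps))))
    return hits
```

Both heuristics produce false positives on legitimate periodic traffic (update checks, monitoring agents, vulnerability scanners), so in practice the flagged hosts are triaged against an allow list rather than blocked automatically.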
With lateral movement, cybercriminals are able to spread unnoticed within a network from the point of entry by moving from computer to computer in the compromised environment, expanding their rights step by step. Once the intruders hold administrator rights, their network traffic can hardly be distinguished from normal traffic, which makes detection considerably more difficult.
To minimise the damage of a cyberattack, it is therefore important that a compromise is detected and contained as quickly as possible with the help of effective protective measures. Network segmentation, which divides the network into multiple subnets so that unauthorised users cannot spread unchecked and reach valuable assets, has proven extremely effective in this regard. Better still is detecting a cyberattack immediately after the first compromise. This is possible with Active Cyber Defense from Allgeier secion: the Managed Detection and Response (MDR) service monitors your network around the clock, enabling proactive protection against cyberattacks.