What is lateral movement?

Lateral movement, in the realm of network security, refers to the technique employed by attackers to propagate from an initial entry point into the wider network infrastructure. Various strategies are employed to accomplish this objective. For instance, a malicious attack might commence by introducing malware onto an employee’s desktop computer. Subsequently, the attacker endeavors to navigate laterally across the network, infecting additional computers, internal servers, and progressively advancing towards their ultimate target.

Attackers strive to maneuver discreetly within a network. Even if their initial infiltration or activities are detected on a specific device, they can sustain their presence across the network by infecting a wide array of devices.

Consider a scenario where a group of burglars gains entry to a house through an open window and disperses into different rooms. If one burglar is discovered in a particular room, the others can continue their thievery undeterred. Likewise, in the context of a network, lateral movement empowers an attacker to penetrate various components such as servers, endpoints, and application access, thereby complicating containment efforts.

Although certain aspects of lateral movement may be automated, it frequently involves a manual process orchestrated by the attacker or a group of attackers. This hands-on approach allows them to adapt their methods to the specific network they are targeting and enables them to promptly respond to security measures implemented by network and security administrators.

How does lateral movement happen?

The process of lateral movement begins with an initial point of entry into the network. This entry point may arise from various attack methods, such as a machine infected with malware that connects to the network, stolen user credentials (username and password), exploiting vulnerabilities through open ports on servers, or other similar approaches.

Typically, the attacker establishes a connection between the entry point and their command-and-control (C&C) server. The C&C server then issues commands to any installed malware and stores data collected from devices infected with malware or under remote control.

Once the attacker gains a foothold on a device within the network, they initiate a reconnaissance phase. During this stage, they gather extensive information about the network, including the compromised device’s access privileges and, if they have compromised a user’s account, the specific privileges associated with that account.

Following this, the attacker proceeds to the next stage, known as “privilege escalation,” which enables them to commence lateral movement within the network.

• Privilege escalation

Privilege escalation refers to the act of a user, whether authorized or unauthorized, obtaining higher privileges than they are supposed to have. In certain cases, privilege escalation can occur unintentionally within identity and access management (IAM) systems when user privileges are not properly monitored and assigned. Conversely, attackers deliberately exploit vulnerabilities in systems to elevate their privileges within a network.

If attackers gain entry to a network through a vulnerability or malware infection, they may utilize a keylogger to record users’ keystrokes and steal their credentials. Alternatively, they might initially infiltrate the network by stealing credentials through a phishing attack. Regardless of the method employed, attackers begin with a specific set of credentials and the associated privileges of that user account. Their objective is to maximize the potential of that account and subsequently expand their control to other machines, using credential theft tools to compromise additional accounts along the way.

Typically, attackers aim to acquire administrator-level privileges in order to gain the necessary access for causing significant damage or reaching their intended target. They achieve this by traversing through the network, laterally moving between systems until they successfully obtain administrator credentials. Once these credentials are obtained, the attackers essentially gain control over the entire network, granting them extensive power and control.

• Camouflage and countermeasures during lateral movement

During the lateral movement phase, the attacker remains vigilant regarding the countermeasures implemented by the organization’s security team. For instance, if the organization identifies a malware infection on a server and isolates it from the network to contain the threat, the attacker might delay their next actions to avoid detection on other devices.

To ensure persistent access, attackers may deploy backdoors, which serve as hidden entry points into otherwise secure systems. These backdoors enable them to regain entry to the network if their presence is discovered and successfully eradicated from all endpoints and servers.

Moreover, attackers strive to camouflage their activities within regular network traffic to evade detection by administrators who might be alerted by unusual network behavior. This camouflage becomes increasingly effective as they compromise additional legitimate user accounts.

What types of attacks use lateral movement?

Numerous types of attacks rely on lateral movement to accomplish their objectives, whether it is targeting multiple devices or navigating through a network to achieve specific goals. The following attack categories utilize lateral movement:

• Ransomware: Ransomware attacks aim to infect numerous devices to maximize their leverage for demanding ransom payments. Internal servers housing critical data essential to an organization’s daily operations are particularly targeted. By activating the ransomware infection, attackers severely disrupt the organization’s functions, albeit temporarily.

• Data exfiltration: Data exfiltration involves moving or copying data out of a controlled environment without proper authorization. Attackers engage in data exfiltration to various ends, such as stealing intellectual property, acquiring personal data for identity theft, or holding the stolen data for ransom (e.g., doxware attacks or specific types of ransomware attacks). Typically, attackers must traverse laterally from an initial point of compromise to reach their desired data.

• Espionage: Nation-states, organized cybercrime groups, or rival corporations may have motives to monitor an organization’s activities. If the objective of an attack is espionage rather than pure financial gain, attackers strive to remain undetected and embedded within the network for as long as possible. This stands in contrast to ransomware attacks, where the attacker eventually desires attention to extort a ransom. It also differs from data exfiltration, where the attacker may not be concerned about detection once they obtain the targeted data.

• Botnet infection: Attackers may incorporate compromised devices into a botnet. Botnets serve various malicious purposes, commonly employed in distributed denial-of-service (DDoS) attacks. Lateral movement assists attackers in expanding their botnet by adding as many devices as possible, augmenting its power.

How to stop lateral movement

Implementing certain preventive measures can significantly increase the difficulty for attackers to perform lateral movement:

• Conducting penetration testing: Organizations can employ ethical hackers to perform penetration testing, which involves thoroughly examining the network for vulnerabilities and attempting to infiltrate it without being detected. By sharing their findings, these hackers help the organization address and fix the security flaws that were exploited.

• Embracing Zero Trust security: This network security philosophy operates on the assumption that no user, device, or connection is inherently trustworthy. It requires continual re-authentication of both users and devices and adopts a least-privilege approach to access control. Furthermore, Zero Trust divides networks into smaller segments, making it harder for attackers to escalate privileges and easier for security administrators to detect and isolate initial infections. Access control is a fundamental part of this strategy.

• Employing endpoint security: Regularly scanning endpoint devices such as desktop computers, laptops, and smartphones using anti-malware software, alongside other security technologies, is crucial to bolster overall security measures.

• Implementing Identity and Access Management (IAM): Effective IAM involves closely managing user privileges, ensuring they are strictly aligned with their requirements. Granting excessive privileges increases the severity of potential account takeovers. Additionally, incorporating two-factor authentication (2FA) can impede lateral movement. With 2FA, compromising an account requires not only the user’s credentials but also the theft of the secondary authentication token, which poses a more significant challenge for attackers.

• Utilizing Toffs One: Toffs One offers a comprehensive solution that combines networking services with Zero Trust security. By integrating with identity management and endpoint security solutions, Toffs One replaces the need for multiple security products with a unified platform. This platform effectively prevents lateral movement and safeguards against other types of attacks. To learn more about Toffs One, visit their website.

By implementing these measures, organizations can enhance their security posture and mitigate the risks associated with lateral movement and other cyber threats.