Lateral movement techniques are a sophisticated and increasingly common way threat actors infiltrate and gain control of networks. In this article, we’ll review what lateral movement is, how it works, and how to protect against attacks. You’ll also learn about lateral movement paths, how to identify them, and steps you can take to improve your security posture against lateral movement techniques.
What is Lateral Movement?
Lateral movement is when an attacker gains initial access to one part of a network and then attempts to move deeper into the rest of the network — typically via remote desktop tools or remote administration tools (RATs).
Penetrating the security perimeter is considered a vertical movement (moving from the outside in). But once a bad actor has a foothold in your network, they can move through the network’s systems and machines horizontally—i.e., laterally—along what are called lateral movement paths (LMPs).
Lateral Movement Paths (LMPs)
LMPs are the steps an attacker takes to navigate your network and gain additional access to secure data.
There are numerous LMPs an attacker can use to gain further access to a network. And the risk created by LMPs grows as the organization grows. In other words, the more users join the network, the more logged-in sessions there are (which can be easily overlooked), and the more local administrator privileges are introduced to the network hierarchy.
Some of the most common methods of attack, such as credential theft and Pass the Ticket attacks, involve exploiting non-sensitive machines that share stored log-in credentials with sensitive machines. The non-sensitive machines essentially provide a bridge to the high-value, sensitive data attackers are interested in. In fact, research estimates that 85% of breaches involved a human element and, relatedly, that phishing and ransomware attacks went up by 11% and 6%, along with a 15-fold increase in misrepresentations to acquire credentials.
Lateral movement allows the attacker to retain access and avoid detection even if they’re discovered on the first infected machine.
How bad actors navigate LMPs
Step 1: Reconnaissance
After an attacker gets a foothold in the network, the next step is to perform internal reconnaissance to understand where they are in the network and what the structure looks like. During this stage, the attacker observes and maps the network, as well as its users and devices. With this information, they can uncover host naming conventions and hierarchies, identify operating systems and firewalls, and make strategic decisions about where to go next.
Step 2: Privilege Escalation
To infiltrate and move through a network, the attacker needs login credentials. They will then use those credentials to access and compromise other hosts, moving from device to device and escalating their privileges along the way—eventually gaining control of their target, such as a domain controller, a critical system, or sensitive data.
Stealing credentials is called credential dumping. Often, attackers will use social engineering tactics like phishing to trick users into sharing their credentials.
Step 3: Expanding access
By collecting credentials, the attacker can impersonate a user and gain what appears to be legitimate access to more hosts and servers. These steps can be repeated until the attacker gains access to their ultimate target and can exfiltrate data or sabotage key systems.
Lateral movement enables an attacker to maintain persistence within the network—even if one compromised device is discovered by the security team, the attacker has extended their presence across other devices, making it more difficult to eradicate them from the network.
That is why it is so important for security teams to understand and identify the potential LMPs within their networks.
Lateral Movement Detection
You already have security measures to keep bad actors out of your network. But what happens if they get past your perimeter defenses?
Today, security teams must move faster than ever to detect and eliminate threats. The average breakout time (the time it takes threat actors to move from initial access to lateral movement) fell by 67% over the past year—with more than one-third of adversaries breaking out in less than 30 minutes.
And once an attacker gains access to your network and secures valid credentials, it can be difficult to detect their movement because it can appear to be normal network traffic. In order to detect (and ultimately protect against) lateral movement, security teams need to know how adversaries can propagate within their systems and identify which critical assets they can reach.
Easier said than done.
Effectively detecting lateral movement in your network will typically require a combination of approaches, including mapping your LMPs and conducting real-time monitoring and investigation.
Identifying potential LMPs within your network puts you a step ahead of would-be attackers. This includes reviewing your network infrastructure and organizational hierarchy to uncover weaknesses—i.e., connections between non-sensitive and sensitive data, devices, or systems.
For instance, if you have one or more non-sensitive users with local admin privileges on a CFO’s laptop, that represents a vulnerable LMP. Once you map those potential pathways, you can take steps to reinforce, isolate, and secure those connections.
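The mapping step described above can be automated from inventory data. The following is an added example, not code from the article or from StrongDM: it assumes you can export, per host, which accounts hold local admin rights and which accounts have logged-on sessions, and it treats local admin on a host as exposing the credentials of sessions on that host. All host and account names are constructed.

```python
from collections import deque

# Constructed sample inventory (assumption, not from the article).
LOCAL_ADMINS = {  # host -> accounts with local admin rights
    "hr-ws-12": {"helpdesk1"},
    "it-jump-01": {"helpdesk1", "svc-backup"},
    "cfo-laptop": {"svc-backup", "cfo"},
    "dc-01": {"domain-admin"},
}
SESSIONS = {  # host -> accounts with a logged-on session
    "hr-ws-12": {"hr-user"},
    "it-jump-01": {"svc-backup"},
    "cfo-laptop": {"cfo"},
    "dc-01": {"domain-admin"},
}
SENSITIVE = {"cfo", "domain-admin"}


def build_graph(local_admins, sessions):
    """Edge account -> (host, exposed): local admin on host exposes that session."""
    graph = {}
    for host, admins in local_admins.items():
        for admin in admins:
            for exposed in sessions.get(host, set()) - {admin}:
                graph.setdefault(admin, set()).add((host, exposed))
    return graph


def find_lmps(local_admins, sessions, sensitive):
    """Shortest path from each non-sensitive account to a sensitive one (BFS)."""
    graph = build_graph(local_admins, sessions)
    accounts = set().union(*local_admins.values(), *sessions.values())
    paths = {}
    for start in sorted(accounts - sensitive):
        queue, seen = deque([(start, [start])]), {start}
        while queue:
            account, path = queue.popleft()
            if account in sensitive:
                paths[start] = path
                break
            for host, nxt in sorted(graph.get(account, ())):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [host, nxt]))
    return paths

if __name__ == "__main__":
    for start, path in find_lmps(LOCAL_ADMINS, SESSIONS, SENSITIVE).items():
        print(f"{start}: " + " -> ".join(path))
```

Each reported path names the host and account to fix at every hop; removing `svc-backup` from the local admins of `cfo-laptop` in the sample data eliminates both paths.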
Monitoring and alerts
Because lateral movement involves remote control operated by a human (and not a machine), network traffic analysis tools can be programmed to quickly recognize suspicious behavior like attempts at internal reconnaissance.
Implement real-time monitoring to collect, normalize, and correlate data across your network and alert you to suspicious activity. Aggregating alerts will allow you to observe the progression and compounding activity of a threat—helping you zero in on real threats faster.
Investigation and behavioral analysis
In addition to monitoring and identifying LMPs, conduct regular behavioral analysis to investigate and surface any unusual activity in your network.
User and entity behavior analysis (UEBA) uses machine learning to identify patterns of behavior for each user, define the baseline (normal activity), and determine the significance of any activity that deviates from the norm. Understanding these pattern deviations can help you uncover suspicious activity and provide the evidence needed to support further investigation.
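The baseline-and-deviation idea, combined with the alert aggregation described under monitoring, can be sketched as follows. This is an added example, not code from the article or from any UEBA product: a simple per-user set of previously seen hosts stands in for the machine-learned baseline, and the log events, the 30-minute window, and the threshold of three hosts are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events: (timestamp, user, source host, destination host).
BASELINE_EVENTS = [
    ("2024-05-01T09:00:00", "alice", "ws-alice", "files-01"),
    ("2024-05-02T09:05:00", "alice", "ws-alice", "files-01"),
    ("2024-05-02T10:00:00", "bob", "ws-bob", "build-01"),
    ("2024-05-03T10:30:00", "bob", "ws-bob", "git-01"),
]
NEW_EVENTS = [
    ("2024-05-06T09:01:00", "alice", "ws-alice", "files-01"),
    ("2024-05-06T02:10:00", "bob", "ws-bob", "hr-db-01"),
    ("2024-05-06T02:14:00", "bob", "hr-db-01", "fin-01"),
    ("2024-05-06T02:21:00", "bob", "fin-01", "dc-01"),
]


def build_baseline(events):
    """Per-user set of destination hosts seen during the learning period."""
    baseline = defaultdict(set)
    for _, user, _, dst in events:
        baseline[user].add(dst)
    return baseline


def detect(events, baseline, window=timedelta(minutes=30), threshold=3):
    """Alert on logons to hosts outside a user's baseline; mark the alert high
    when `threshold` distinct new hosts fall inside one window (aggregation)."""
    alerts, recent = [], defaultdict(list)
    for ts, user, src, dst in sorted(events):
        if dst in baseline.get(user, set()):
            continue  # normal activity for this user
        when = datetime.fromisoformat(ts)
        recent[user] = [(t, h) for t, h in recent[user] if when - t <= window]
        recent[user].append((when, dst))
        hosts = [h for _, h in recent[user]]
        severity = "high" if len(set(hosts)) >= threshold else "low"
        alerts.append({"user": user, "time": ts, "new_host": dst,
                       "chain": hosts, "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in detect(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(alert)
```

Individually, each new-host logon is a low-severity deviation; the aggregated chain of three within the window is what surfaces the progression from host to host.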
How to Prevent Lateral Movement and Improve Your Defensive Posture
Reducing the time it takes to detect and respond to a threat is key to limiting the damage (and costs) of lateral movement attacks. Enhance your security posture and prevent lateral movement across your network by taking the following steps:
- Evaluate your security strategy and ensure it includes both preventative solutions that stop intrusions in their tracks as well as detection and response solutions to automatically identify threats.
- Update your endpoint security solution. Many organizations still use legacy and standard security measures that are easily bypassed and compromised. Upgrade to a modern, comprehensive security solution that can detect and respond to threats faster.
- Separate functional duties (e.g., separate user and admin accounts) to minimize connections between sensitive and non-sensitive data.
- Enforce the Principle of Least Privilege (PoLP), which limits permissions to only those who need them. This reduces the number of people who can access sensitive data, thus reducing your attack surface.
- Implement network segmentation to isolate sensitive data stores from one another and prevent lateral movement outside the segment. That way an intrusion can be contained to one segment of your network, limiting the scope of the potential damage.
- Use multi-factor authentication (MFA) to validate user identities and make it harder for adversaries to access credentials. MFA adds an extra step (or two) to the validation process, reducing the speed and ability of attackers to gain access to logins.
- Limit unnecessary lateral communications. Unfiltered peer-to-peer communications introduce major vulnerabilities to a network that could allow intruders to create backdoors and spread across your systems. Limit communications with host-based firewall rules that deny the flow of packets from other hosts in the network.
- Maintain good IT hygiene by regularly updating systems and applying patches. Outdated and unpatched systems are extra vulnerable to attack and can hide threats from detection until it’s too late.
Modernize your network security with StrongDM
Today, a staggering 54% of the techniques and tactics used to test lateral movement were missed, and 97% of the behaviors executed did not generate a corresponding alert in the SIEM.
IT teams need comprehensive, modern security solutions that strengthen their defensive posture and stop lateral movement attacks in their tracks.
StrongDM can help.
StrongDM is a software-defined network that helps you:
- Manage robust authorization and authentication.
- Enforce least privilege for more secure, role-based access controls.
- Limit your network attack surface.
- Audit network activity to record and isolate threats.
- Monitor your network in real-time to spot threats when and where they first occur.
About the Author
Andrew Magnusson, Director, Global Customer Engineering, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.