You might have heard about, or been affected by, the 2013 Target data breach, which exposed more than 40 million customers’ payment card records. While the exact method of attack isn’t totally clear, according to this report from the US Senate, the gist looks like this:
- Via spearphishing, bad actors stole credentials from one of Target’s vendors that had access to the Target internal network for electronic billing, contract submission and project management purposes.
- Attackers used these credentials to gain access to the network, then to some of Target’s POS terminals.
- The attackers gained further access to the network until reaching and compromising the servers that held the payment card data, possibly by exploiting default user credentials in IT management software.
- The bad actors disguised their exfiltration as a legitimate software product to stay undetected.
The attackers were able to get into the network through what doesn’t appear to be a particularly privileged account. But in reality, this access was just enough to allow them to move through the network and steal data.
This type of movement is called lateral movement. In this blog, we’ll take a look at the methods, detection and prevention of lateral movement.
How do bad actors achieve lateral movement?
MITRE ATT&CK lists these as the main techniques bad actors use to laterally move through networks:
Exploitation of remote services: After gaining network access, adversaries may exploit vulnerabilities in software running on remote systems, such as unpatched applications, security software or server software.
Internal spearphishing: Adversaries can use their network access to gather information or exploit other users by impersonating legitimate users or controlling a user’s device. They may use a trusted internal account to get what they need while potentially staying under the radar.
Lateral tool transfer: Adversaries can copy tools or files between systems, including the distribution of malware.
Remote service session hijacking: Adversaries can hijack a legitimate remote session to log into a desired service. This includes both SSH and remote desktop session hijacking.
Remote services: Adversaries can use legitimate credentials to log into a service that accepts remote connections like remote desktop, network shares, cloud services, machines using virtual network computing (VNC) and more.
Replication through removable media: By modifying executable files on or loading innocent-looking malicious files to removable media, adversaries can gain initial or additional access.
Software deployment tools: Adversaries may use third-party administration, monitoring and/or deployment software to execute code remotely on target systems or to move to other systems.
Taint shared content: Adversaries can add malicious programs, scripts or exploit code to otherwise valid files on file shares, so that the payload runs when other users open those files.
Use alternate authentication material: Adversaries may use alternate authentication material like password hashes, application access tokens or web session cookies to bypass normal access controls. Two well-known forms are “pass the hash,” authenticating with a stolen password hash without ever knowing the cleartext password, and “pass the ticket,” authenticating with a stolen Kerberos ticket without having the account’s password.
Detecting lateral movement
You might have noticed that a number of the techniques above use legitimate credentials and sessions authenticated by a valid user. This can make lateral movement notoriously difficult to detect — after all, it looks legitimate.
This is why it’s critical to both understand and continuously monitor your network’s behavior. Gathering telemetry about the devices accessing resources is necessary to determine a baseline behavior, allowing IT teams to recognize anomalies when/if they crop up. In general, you should determine:
- What devices and user accounts access your network
- What resources are accessed
- What actions are taken on the requested resources
- When the resources are accessed
It’s easier to recognize suspicious activity when you know this information — for example, why are there requests showing up at 2 AM in a company where people only work 9 to 5? Or why is someone in the marketing department trying to access accounting software (not that they should be able to, but that’s beside the point).
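As an added example (not part of the original post), the Python below applies the four questions above to constructed authentication log lines: it builds a per-user baseline of which hosts and which hours of the day are normal, then flags events that happen off-hours, that touch a host the user has never accessed, or that fan out to several distinct hosts within a few minutes, the footprint a stolen account leaves as it hops from system to system. The log format, the 09:00 to 17:59 business-hours window, the five-minute fan-out window, the threshold of three hosts and the sample users and hostnames are all assumptions made for this illustration; adapt the parser and thresholds to your own SIEM export.

```python
"""Baseline-and-anomaly detection over constructed authentication logs.

Added example, not code from the original post. The log format
("timestamp user src_host dst_host action"), the thresholds and the
hostnames below are assumptions for illustration only.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed "known good" period used to learn each user's normal behaviour.
BASELINE_LOGS = """\
2024-03-04T09:12:00 alice wkst-01 fileshare-01 read
2024-03-04T10:40:00 alice wkst-01 mail-01 login
2024-03-05T09:05:00 alice wkst-01 fileshare-01 read
2024-03-05T14:20:00 alice wkst-01 mail-01 login
2024-03-04T09:30:00 bob wkst-02 accounting-01 login
2024-03-05T11:00:00 bob wkst-02 accounting-01 login
"""

# Constructed day under review: alice's account starts hopping at 2 AM.
NEW_LOGS = """\
2024-03-06T09:15:00 alice wkst-01 fileshare-01 read
2024-03-06T02:03:00 alice wkst-01 fileshare-01 read
2024-03-06T02:04:10 alice wkst-01 accounting-01 login
2024-03-06T02:04:30 alice wkst-01 pos-17 login
2024-03-06T02:04:50 alice wkst-01 pos-18 login
2024-03-06T02:05:05 alice wkst-01 pos-19 login
2024-03-06T10:00:00 bob wkst-02 accounting-01 login
"""

BUSINESS_HOURS = range(9, 18)          # assumption: 09:00-17:59 is normal
FANOUT_WINDOW = timedelta(minutes=5)   # assumption: hop window to watch
FANOUT_THRESHOLD = 3                   # assumption: distinct hosts per window


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, user, src, dst, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "src": src, "dst": dst, "action": action}


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def build_baseline(events):
    """Per-user baseline: the hosts each user touches and the hours they do it."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ev in events:
        baseline[ev["user"]]["hosts"].add(ev["dst"])
        baseline[ev["user"]]["hours"].add(ev["ts"].hour)
    return dict(baseline)


def detect(baseline, events):
    """Return alerts for off-hours, never-seen-host and fan-out events."""
    alerts = []
    recent = defaultdict(list)     # user -> [(ts, dst)] inside the window
    in_burst = defaultdict(bool)   # user -> already alerted for this burst
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts, dst = ev["user"], ev["ts"], ev["dst"]
        reasons = []
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if user not in baseline:
            reasons.append("unknown-user")
            known = set()
        else:
            known = baseline[user]["hosts"]
        if dst not in known:
            reasons.append("new-host")
        # Fan-out: many distinct destination hosts from one account in a
        # short window. Alert once per burst, not on every hop.
        window = recent[user]
        window.append((ts, dst))
        window[:] = [(t, h) for t, h in window if ts - t <= FANOUT_WINDOW]
        if len({h for _, h in window}) >= FANOUT_THRESHOLD:
            if not in_burst[user]:
                reasons.append("fan-out")
                in_burst[user] = True
        else:
            in_burst[user] = False
        if reasons:
            alerts.append({"ts": ts.isoformat(), "user": user,
                           "dst": dst, "reasons": reasons})
    return alerts


def summarize(alerts):
    """Count how often each reason fired, as a plain dict."""
    return dict(Counter(r for a in alerts for r in a["reasons"]))


def run():
    baseline = build_baseline(parse_logs(BASELINE_LOGS))
    return detect(baseline, parse_logs(NEW_LOGS))


if __name__ == "__main__":
    for alert in run():
        print(alert["ts"], alert["user"], alert["dst"], ",".join(alert["reasons"]))
```

On the constructed input the 09:15 and 10:00 events pass silently, while the 2 AM burst produces five alerts: the first only because it is off-hours, the rest also because alice’s account has never touched accounting or POS hosts, and the third additionally because three distinct hosts were reached inside five minutes. Events carrying several reasons at once are the ones worth triaging first.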
Monitoring your network behavior means analyzing heaps of data — much more than even a team of experienced humans can digest in a reasonable time. Using Artificial Intelligence (AI) and Machine Learning (ML) takes data processing from impossible to efficiently achievable. Not only can AI with ML spot network anomalies for you, it can surface novel threats early enough for your team to contain them before further exploitation.
Preventing lateral movement
Implementing SIEM and analysis tools with AI and ML is a big step toward catching lateral movement early, and catching it early is what keeps an intrusion from spreading. Really, this is a part of the threat hunting practices that should be established in your organization. Threat hunting not only helps find active intrusions in your environment, but allows you to prevent attacks by identifying misconfigurations and vulnerabilities that could be exploited.
Another key way to prevent lateral movement is network segmentation — separating parts of your network into distinct subnets so bad actors hit a wall where they could otherwise hop to more privileged parts of your network. A part of this implementation is strict access control policies that include least-privilege access and multi-factor authentication. Zero Trust Network Access (ZTNA) aids in your network segmentation efforts by mandating strict authentication requirements every time a user requests access to an application. ZTNA continuously reevaluates that access is valid by monitoring device compliance and user identity, revoking access if either comes into question.
- Lateral movement — movement throughout a network — is a significant and advanced threat.
- There are a variety of ways adversaries can move through a network that can look like legitimate actions.
- Establishing a baseline understanding of your network activity is necessary to spot anomalies that indicate lateral movement is happening in your network.
- Artificial intelligence and machine learning heavily aid in threat hunting.
- Segmenting your network and implementing strict access controls makes it significantly more difficult for bad actors to move laterally through your network.
Jamf helps prevent lateral movement with your defense-in-depth security strategy.