Lateral movement attacks are not new, but studies indicate that this category of cybercrime is becoming the new normal. In fact, 70% of all attacks include a lateral movement attempt. Today’s attackers are equipped with high-end tooling, AI-powered automation, and the patience required to move silently through a network.
The increasing popularity of lateral movement attacks, and the increasingly distributed nature of networks, put everyone at risk. Each endpoint—from smartphones and laptops, through smart printers and scanners, to servers and routers—could serve as a point of entry. Each user—from veteran IT professionals and CEOs, through new employees, random guests, and third-party collaborators—could be tricked into granting access to the network.
In this article, you’ll learn what lateral movement really is, and which techniques are commonly used during lateral attempts.
Lateral movement is a tactic used by hackers to move through a network in order to access or damage data or assets. When employing this tactic, attackers use a variety of methods and tools to gain access and privileges. They then use this access to move between devices and components, isolating targets, mapping the system, and accessing data.
How it works
Lateral movement is employed after an attacker gains access to a system via an endpoint. This is typically achieved with compromised credentials. As an attacker moves through a system, they collect other credential information and exploit vulnerabilities to gain additional access. Often, an attacker will take control of several system points and hold credentials to regain access in case they are discovered.
Lateral movement security challenges
According to research by Smokescreen, 80% of the time spent on an attack is for lateral movement. Traversing a network takes time and attackers do not initially know where their target data is stored so they must spend significant time locating it.
Identifying attackers during lateral movement can help you negate an attack. At a minimum, you should be able to reduce the amount of damage done. However, catching attackers can be challenging since it requires effective behavior analysis to identify the abuse of credentials. This typically requires a combination of log analysis, system information and event management (SIEM) solutions, and machine learning.
There are many variations to lateral movement attacks but all use the same basic strategy. An attacker gains access to vulnerable assets and then seeks ways to increase their privileges, gaining access to more valuable resources. This can be achieved with a variety of techniques, the most common of which are introduced below.
Token stealing involves extracting credential information from system memory. This can be accomplished with tools such as mimikatz and Windows Credential Editor. Using these tools, attackers can locate a service account and generate Kerberos tickets which they can use to elevate their privileges. Kerberos is an authentication protocol used to authenticate users in a non-secure network.
Using stolen credentials is the most common way attackers enter and traverse a system. Compromised credentials enable an attacker to move through a system without detection by traditional tools. This is because attackers are using the system “as intended” and credentials pass authentication.
Frequently, attackers gain credentials that have been leaked but continue to be used. These credentials are often originally stolen through social engineering, phishing, or brute-force, and then sold on dark web exchanges.
Whenever a user logs into a Windows system, a logon script is run. These scripts can perform admin functions, execute programs, and send information to servers. This range of utility makes such scripts a prime target and tool for attackers. If attackers can modify these scripts, they can expand their access and create persistent access points.
Admin shares contain information on which users have administrative privileges in a system. When an attacker is trying to determine which credentials are useful, they try to access these shares to determine that information.
To access shares, attackers must first gain credentials with permissions for remote management systems through C$ or ADMIN$. C$ provides access to the system’s C:\ drive while Admin$ provides access to the OS. As attackers gain credentials, they typically check to see if credentials they’ve collected have access to these shares.
Attackers can use Powershell attacks to avoid traditional antivirus technologies. These attacks take advantage of tools built into Windows, bypassing security under the cover of legitimate system processes. With Powershell, attackers can run malicious scripts, steal in-memory credentials, automate movement between devices, and modify system configurations.
PSexec is a utility that system administrators can use to remotely control and execute commands in Windows from the command line. Like Powershell, it can enable attackers to hide under the cover of privileged processes to avoid detection. In many lateral movement attacks, an attacker will begin immediately trying to gain access to utilities such as PSexec.
Mobile systems are just as vulnerable to lateral attack techniques as traditional systems although the methods used may differ. The two most common methods used against mobile systems are:
- Attacking a PC via USB connection—mobile devices are used to impersonate a USB device, granting access when plugged into a system endpoint. This technique is often used with Android devices but has not been seen with iOS devices.
- Exploit enterprise resources—attackers use mobile device connections to network resources to infiltrate a system. DressCode is an example of malware used to implement this technique. With it, attackers can create a “general purpose tunnel” into a network.
Lateral movement is a stealth attack used to thoroughly investigate your network for exploits. The popularity of this type of cyberattack is possibly due to its high returns. Lateral movement can be achieved independently, but it’s often the result of organized APT attempts.
There’s no one proven method of defending against lateral movement. Rather, to ensure protection you should continuously monitor your network and enforce cybersecurity practices throughout all privilege levels.
Shifting security to the left can also help, as well as educating your users on proper cybersecurity policies. If you are working with a cybersecurity company, make sure they are aware of your policies and standards. The network is a collaborative ecosystem that should be protected by all of its users.