What is Lateral Movement in cyber-attacks?
Even when you do your best to protect your sensitive users, and your admins have complex passwords that they change frequently, their machines are hardened, and their data is stored securely, attackers can still use lateral movement paths to access sensitive accounts.
Lateral movement refers to the techniques that a cyber-attacker uses, after gaining initial access, to move deeper into a network in search of sensitive data and other high-value assets. After entering the network, the attacker maintains ongoing access by moving through the compromised environment and obtaining increased privileges using various tools.
Lateral movement allows a threat actor to avoid detection and retain access, even if discovered on the machine that was first infected. And with a protracted dwell time, data theft might not occur until weeks or even months after the original breach.
After gaining initial access to an endpoint, such as through a phishing attack or malware infection, the attacker impersonates a legitimate user and moves through multiple systems in the network until the end goal is reached. Attaining that objective involves gathering information about multiple systems and accounts, obtaining credentials, escalating privileges and ultimately gaining access to the identified payload.
In lateral movement attacks, the attacker takes advantage of instances when sensitive users sign in to a machine where a non-sensitive user has local rights. Attackers can then move laterally, accessing the less sensitive user and then moving across the computer to gain credentials for the sensitive user.
What is a lateral movement path?
Lateral movement is when an attacker uses non-sensitive accounts to gain access to sensitive accounts. Attackers use lateral movement to identify the administrators in your network and learn which machines they can access. With this information, and further moves, the attacker can take advantage of the data on your domain controllers.
-
How Can You Observe If Someone is making LATERAL MOVEMENT in your network?There are so many methods which they can use to make lateral movement...
1. Abnormal modification of sensitive groups
2. Broken trust between computers and domain
3. Brute force attack using LDAP simple bind
4. Encryption downgrade activity
5. Honeytoken activity
6. Identity theft using Pass-the-Hash attack
7. Identity theft using Pass-the-Ticket attack
8. Kerberos Golden Ticket activity
9. Malicious data protection private information request
10. Malicious replication of Directory Services
11. Massive object deletion
12. Privilege escalation using forged authorization data
13. Reconnaissance using account enumeration
14. Reconnaissance using Directory Services queries
15. Reconnaissance using DNS
16. Reconnaissance using SMB session enumeration
17. Remote execution attempt detected
18. Sensitive account credentials exposed & Services exposing account credentials
19. Suspicious authentication failures
20. Suspicious service creation
21. Suspicion of identity theft based on abnormal behavior
22. Unusual protocol implementation
-
How To Prevent or Detect Lateral Movement In The Network?Step 1: Update Your Endpoint Security Solution
Many high-profile attacks occurred over months of dwell time and moved laterally to easily evade standard security. Modern attackers count on the fact that many organizations continue to rely on legacy or standard security solutions — the kind of technology that is easily bypassed by modern hacking tools. Now it’s mandatory to upgrade to comprehensive technology that includes next-gen AV and behavioral analysis capabilities if you aim to combat today’s sophisticated attacks.
Also, reevaluate your security strategy to ensure that you have the most effective security approach possible — one that includes both prevention technology to stop intrusion attempts and full EDR (endpoint detection and response) to automatically detect suspicious activity.
Step 2: Proactively Hunt for Advanced Threats
Many organizations fall victim to breaches not because of a lack of alerts but because they have too many to investigate. Over-alerting and false positives can result in alert fatigue.
If your security solutions are delivering too many false positives, or you’re getting alerts with no context and no way to prioritize them, then it’s only a matter of time before a critical alert gets missed. It’s vitally important to have real experts proactively looking at what’s occurring in your environment and sending detailed alerts to your team when unusual activity is detected.
Consider augmenting your internal teams with a security solution that provides hands-on expertise threat hunting that can monitor proactively for hidden threats and minimize false positives, while providing prioritization to ensure that the most critical alerts are addressed immediately.
Step 3: Maintain Proper IT Hygiene
Eliminate vulnerabilities such as outdated or unpatched systems and software that may be lurking in your network environment. Exploits can remain hidden for long periods of time before becoming active, and organizations will be exposed if they fail to apply patches and updates across all of their endpoints.
Ultimately, your best defense is to make sure your organization is deploying the most effective technology currently available.
Achieving this requires true next-generation solutions such as Endpoint detection and response (EDR), managed threat hunting, next-gen AV with behavioral analytics and machine learning, and automated threat intelligence. These tools are key to gaining the visibility and context you need to meet critical, outcome-driven metrics and win the race against today’s — and tomorrow’s — most sophisticated adversaries.
-
Lateral movement is a key tactic that distinguishes today’s advanced persistent threats (APTs) from simplistic cyberattacks of the past. Network defenders must be in habit of digging deeper into the logs & carefully examine the security EVENTS flagged by SIEM, etc.
Please let me know of what do you think about this in the comment section. You can also share with all if the information shared here helps you in some manner.
Kindly write your comment on the posts or topics, because when you do that you help me greatly in designing new quality article/post on cybersecurity.This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so obsessed with Cybersecurity domain that she is going out of her way and sharing hugely valuable posts and writings about Cybersecurity on website, and social media platforms.
30,000+ professionals are following her on Facebook and mesmerized by the quality of content of her posts on Facebook.
If you haven't yet been touched by her enthusiastic work of sharing quality info about Cybersecurity, then you can follow her on Facebook:
Click Here to follow her: Cybersecurity PRISM