In general, defining lateral movement is simple: movement in a sideways direction. And, in cybersecurity terms, it’s a similar principle.
You see, all traffic in a network is either vertical or lateral. Vertical traffic flows into and out from your network, while lateral movement results from traffic between resources within your network.
Normal lateral network traffic happens when users connect to shared servers, or when browsers send website address resolution requests to internal DNS servers. It’s a routine part of operations.
However, lateral movement can also be malicious. This type happens when an attacker navigates between machines, searching for information worth stealing.
While lateral network traffic is a normal part of operations, it’s important to know which traffic is appropriate and which is a potential threat.
Let’s break down how to spot problems and stop them before they grow worse.
How Do Attackers Perform Lateral Movement?
When attackers first breach new victims, they must explore the IT infrastructure. After all, they don’t usually know exactly what data exists, or where the most important information is stored.
So, they start poking around, using steps such as:
- Reconnaissance: Attackers inventory devices, users, and access levels. The attacker may log into other machines to see what they contain, or download tools to capture passwords.
- Vulnerability Exploitation: Attackers may seek to exploit vulnerabilities in other systems using special tools or techniques.
- Privilege Escalation: Attackers attempt to increase the privileges of current credentials to access additional systems.
- Expanding Access: Attackers attempt to compromise additional users or devices to expand access to the environment.
Additionally, a few common techniques are used to perform lateral network access, such as “pass the hash”, SSH hijacking, and the exploitation of remote services.
However, in some cases, attackers have it even easier. For instance, no tools are necessary if you leave admin passwords accessible to low-level users.
Detecting Malicious Lateral Movement in Your Network
To detect attacks and respond to incidents, you need an effective combination of real-time detection methods and investigation capabilities.
Real-time detection requires tools that send alerts, as well as a monitoring team to receive and act on those alerts.
These security tools include:
- Endpoint detection and response (EDR)
- Intrusion Detection and Intrusion Prevention Systems (IDS and IPS)
- User and entity behavior analysis (UEBA)
- Cybersecurity network monitoring tools such as:
  - Extended Detection and Response (XDR)
  - Security Information and Event Management (SIEM)
By default, these tools can send alerts for strange behavior and known hacking techniques. However, you can fine-tune them to best suit what your own business considers normal.
You can also create alerts for:
- Users accessing new machines (to detect exploring hackers)
- Users accessing the network from new IP addresses (to detect compromised credentials)
- Modification of user privileges
- Access to sensitive files (limited to key files to avoid too many false alarms)
- Certain types of file copy (entire directory copy, copy of sensitive data, etc.)
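As an added example (not code from the original post), the Python below builds a per-user baseline from constructed login log lines and raises the first two kinds of alert above: a user appearing from a new source IP, and a user reaching hosts they have never used before, escalating when one user fans out to several new hosts in a short window. The key=value log format, hostnames and addresses are all made up for the example.

```python
from collections import defaultdict

# Constructed sample logs in an assumed "key=value" format (not from any real
# product). BASELINE_LOG is a week of known-good logins; TODAY_LOG is new activity.
BASELINE_LOG = """\
ts=2024-03-01T09:02:11 user=alice src=10.0.1.23 dst=fs01 result=success
ts=2024-03-01T09:05:40 user=alice src=10.0.1.23 dst=mail01 result=success
ts=2024-03-02T08:58:03 user=bob src=10.0.2.41 dst=fs01 result=success
ts=2024-03-03T10:12:55 user=alice src=10.0.1.23 dst=fs01 result=success
"""
TODAY_LOG = """\
ts=2024-03-08T03:14:09 user=alice src=10.0.9.77 dst=fs01 result=success
ts=2024-03-08T03:15:30 user=alice src=10.0.9.77 dst=dc01 result=success
ts=2024-03-08T03:16:02 user=alice src=10.0.9.77 dst=hr-db01 result=success
ts=2024-03-08T09:01:44 user=bob src=10.0.2.41 dst=fs01 result=success
"""

def parse(log):
    """Turn key=value lines into dicts, skipping blank lines."""
    for line in log.splitlines():
        if line.strip():
            yield dict(kv.split("=", 1) for kv in line.split())

def build_baseline(log):
    """Per-user sets of source IPs and destination hosts seen during normal operations."""
    seen = defaultdict(lambda: {"src": set(), "dst": set()})
    for ev in parse(log):
        if ev["result"] == "success":
            seen[ev["user"]]["src"].add(ev["src"])
            seen[ev["user"]]["dst"].add(ev["dst"])
    return seen

def detect(log, baseline, fanout_threshold=2):
    """Return (ts, user, alert_type, detail) tuples for logins outside the baseline."""
    alerts, flagged_src, new_hosts = [], set(), defaultdict(set)
    for ev in parse(log):
        user, src, dst = ev["user"], ev["src"], ev["dst"]
        if ev["result"] != "success":
            continue
        # Alert once per (user, ip) rather than per line to keep the noise down.
        if src not in baseline[user]["src"] and (user, src) not in flagged_src:
            flagged_src.add((user, src))
            alerts.append((ev["ts"], user, "new_source_ip", src))
        if dst not in baseline[user]["dst"] and dst not in new_hosts[user]:
            new_hosts[user].add(dst)
            alerts.append((ev["ts"], user, "new_host", dst))
            # One user reaching several never-before-used hosts looks like exploration.
            if len(new_hosts[user]) == fanout_threshold:
                alerts.append((ev["ts"], user, "host_fanout", ",".join(sorted(new_hosts[user]))))
    return alerts

if __name__ == "__main__":
    for alert in detect(TODAY_LOG, build_baseline(BASELINE_LOG)):
        print(alert)
```

Running it flags alice once for the unfamiliar source address, once for each of the two new hosts, and then escalates to a fan-out alert, while bob's routine login produces nothing.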
Some alerts can trigger automated responses. Others require expert investigation.
To ensure effective investigations, computers must generate sufficient log files and alerts to help investigators understand context and the chain of events.
At the same time, you don’t want so many alerts & false alarms that they cause fatigue, burning out your incident response teams, managed detection and response teams (MDR), or security operations centers (SOC).
Preventing Lateral Movement
So, how do you prevent lateral movement in the first place?
Step one: Prevent attacker access with:
- Email, firewall, and endpoint protection
- Comprehensive patching and updating
Step two: Limit unnecessary access for attackers and legitimate users:
- Harden internal devices and firewalls to limit ports and unnecessary services
- Identify and segregate high value, regulated, or sensitive information
- Segment the network and isolate high-value or unpatchable assets
- Enforce least privileged access: use ‘standard’ accounts with limited permissions
- Use context-based access: check user location or access time (most employees won’t be accessing data at 3 am from another country)
- Implement application white-lists to deny installation of hacking tools
- Continuously encrypt and protect credentials and protect password hash values
- Make privileged access both temporary and expiring
- Use multi-factor authentication (MFA) for high value internal assets (DNS servers, Active Directory, etc.)
Step three: Optimize and test:
- Limit unnecessary lateral communication
- Perform vulnerability scans and penetration tests
- Search file content for plain text and hashed passwords
- Consider obfuscation and misdirection techniques, such as:
  - Honeypots to attract the attention of attackers and trigger additional alerts
  - Port-knocking to hide certain types of high-value resources
Expert Assistance
No matter how hard you try, it’s quite difficult to lock down networks, especially for industries that must use unpatchable devices. To compensate, you’ll want to build a team of experts.
That said, hiring experienced cybersecurity professionals can be prohibitively expensive and difficult.
However, outsourced security companies, such as Blue Bastion & our sister division, Ideal Integrations, offer access to a wide range of experienced experts and tools, at a fraction of the true cost.
Our experts understand the most effective tools, alerts, and logs to maximize detection while minimizing false alarms.
Simply contact Blue Bastion at 412-349-6680, or fill out the form below to receive a no-obligation overview of your options to catch attacks faster and limit potential damage.
And, as always, stay vigilant.