Security Experts:

Lateral Movement: When Cyber Attacks Go Sideways

Lateral Movement Gives Attackers Additional Points of Control in a Compromised Network

Finding and stopping cyber attacks has become a key priority for everyone from the C-suite all the way to the frontline security and network administrator. Organizations are learning the hard way that preventative controls will never be 100% perfect, and today’s security teams are increasingly judged on their ability to keep a network intrusion from turning into data loss.

As a result, the ability to quickly and reliably detect lateral movement in the network is one of the most important emerging skills in information security today. Lateral movement refers to the various techniques attackers use to progressively spread through a network as they search for key assets and data.

In many ways, the lateral movement attack phase represents the biggest difference between today’s strategic, targeted attacks and the simplistic smash-and-grab attacks of the past. Let’s take a deeper look at lateral movement and how to use this information in your daily security practice.

Data Center NetworkCutting through the noise

Modern networks are typically inundated with security events, and it’s easy to burn through your day chasing down policy violations, investigating anomalies, or analyzing an executable that turns out to be adware.

However, the presence of lateral movement should quickly move to the top of the priority list because it is a clear indicator of a threat that is attempting to extend its reach into the network.

In most cases, attackers must move from device to device and gain access privileges to get to the high-value data inside the network. In addition to digging deeper into the network, lateral movement gives attackers additional points of control in a compromised network.

These fallback positions allow attackers to maintain persistence if they are discovered on an initially infected machine. This makes lateral movement highly strategic to an attacker, and one of the clearest differentiators between a targeted attack and a commodity threat.

Taking the defensive high ground

While lateral movement is strategic to attackers, there are important advantages for the defenders as well. For example, lateral movement is one of the phases in which attackers do not control both ends of the connection. When attackers control both ends of a connection, such as with command-and-control or exfiltration traffic, they have an incredible amount of flexibility and ways to hide their traffic.

But lateral movement puts attackers in a more traditional position of having an attacking node and a target. This one-sided approach forces attackers to reveal themselves, and provides a great opportunity for security to detect the threat.

Of course, this requires security teams to look in the right places and for the right things. Lateral movement may involve straightforward attacks where cybercriminals scan for vulnerable hosts to exploit.

Furthermore, attackers can pivot between compromised hosts to bounce deeper into the network. This process of performing internal reconnaissance and passing payloads to successive hosts is often a clear indicator of lateral movement in the network.

The human element

When thinking of intrusions and APTs, it is easy to focus on malware. Nonetheless, as attacks become more advanced, they almost always contain a strong human element, and this is especially true in the case of lateral movement.

For all of the abuse dished out to the antivirus industry over the years, modern AV products are actually quite adept at recognizing the automated spreading of traditional malware, such as worms.

Furthermore, strategic attacks typically have a creative human at the helm of an attack to properly (and quietly) navigate the internal network to find the truly valuable data. This means attackers need real-time remote control over network devices to make lateral movement successful.

This can take the form of remote desktop tools, or the more specialized remote administration tools (RATs), that give fine-grained attack control. As a result, security professionals should keep a very close eye on the behavioral nature of their traffic.

The behavior of a external person controlling an internal is something that network traffic analysis tools can quickly recognize, and this behavior tied to any sort of internal reconnaissance or suspicious behavior should be an immediate red flag.

Additionally, lateral movement actions often eschew malware in favor of stealing or reusing a valid user’s credentials. Needless to say, impersonating a valid user gives attackers a quieter and subtler way to spread through a network than directly exploiting multiple machines.

As a result, it’s critically important for security professionals to build up the internal network intelligence that can recognize the tell-tale signs when credentials are abused or abnormally used.

Lateral movement will continue to be of strategic importance to the overall success of attacks. And as attackers get better at low-and-slow intrusions, their lateral movement skills will evolve and improve over time.

Consequently, the detection of these malicious techniques will provide highly valuable ways to identify the highest-risk threats, and create ample opportunities to disrupt attacks before assets are damaged or stolen.

view counter
Wade Williamson is Director of Product Marketing at Vectra Networks. Prior to joining Vectra, he was a Senior Threat Researcher at Shape Security. He has extensive industry experience in intrusion prevention, malware analysis, and secure mobility. He has extensive speaking experience having delivered the keynote for the EICAR malware conference and led the Malware Researcher Peer Discussion at RSA. Prior to joining Shape, he was Sr. Security Analyst at Palo Alto Networks where he led the monthly Threat Review Series and authored the Modern Malware Review. He has also led the product management team at AirMagnet where he helped to develop a variety of security and network analysis tools targeted to WiFi networks. He has been a steady and active researcher of new threats and techniques used to compromise enterprise networks and end-users.