Lateral movement is often mentioned in write-ups of multi-stage cyber-attacks. But what is it? Otherwise known as MITRE ATT&CK®’s Tactic TA0008, lateral movement is used by adversaries to navigate their way through a victim’s network. Typically, they’ll exploit vulnerabilities and escalate privileges to enter and control remote systems on that network. Let’s take a look at the tactic in more detail.
From access to breach
To achieve initial access, the attacker will have exploited a vulnerability, potentially in a public-facing application, or triggered a malware download via a phishing attack. Sometimes this is done directly, but it could also be achieved by targeting a supply chain partner. The malware delivered to a victim’s device will be programmed to take steps to avoid detection by its hosts’ security tools. At the same time, it will move through the network searching for and accessing any data that is of value to the adversary. Avoiding detection, finding data and gaining access all require a certain amount of understanding of the targeted system, and it is here that lateral movement techniques come in.
The risk, and the reason why it is so important to be able to detect lateral movement, is that these techniques will likely be deployed by an adversary prior to a successful data breach. These are a major concern for small business leaders—and no wonder, with regulatory fines of up to €20 million or 4% of global annual turnover promised for serious infractions of the GDPR.
How do they do it?
After gaining their initial foothold, an attacker will scan the network, looking for devices or machines with vulnerabilities that will allow them to move laterally between machines. This could involve an adversary taking advantage of a programming error in a piece of software to execute malicious code. Alternatively they could exploit a Server Message Block (SMB) vulnerability to achieve the same privileges as the account running the server, and use these to install programs or delete data. The attacker may also use stolen credentials or set up their own user accounts—also possible through the manipulation of SMB vulnerabilities—to facilitate lateral movement while masking their presence as legitimate network traffic.
While negotiating their way through a network, the adversary aims to escalate their access rights on a network in order to reach their target. They’ll use different techniques to infect accounts, files and devices as they move through the system. One of these is technique T1021, or Remote Services. An attacker may use stolen access credentials for Valid Accounts to access services that enable remote access. Alternatively, by obtaining a set of valid domain credentials, they could log-in to multiple machines across a network, exploiting the centralised identity management and network-wide access that these enable. When an adversary successfully compromises an environment, they are also able to perform Lateral Tool Transfers (T1570), transferring malicious tools or files between systems throughout the course of their attack to advance their goals.
How to spot lateral movement
There are a number of indicators that an attacker is attempting lateral movement on your network, including suspicious user/device activity, and unusual network activity or traffic. Suspicious user activity indicators could be a user or machine on a network accessing assets atypically. That may be either because this machine has never accessed these assets before, user credentials are being used in an unusual part of your network or credentials or hashes are being used on multiple machines.
So how do you stop lateral movement? One of the easiest ways is to enforce two-factor authentication (2FA) across your network, meaning that even if an attacker is able to steal passwords, they can’t hijack accounts. For more tips, Microsoft has also documented some known instances and further mitigations.