An attacker has managed to breach your perimeter, unbeknownst to you and your security team. The intruder now roams the terrain of the network, hiding behind valid user credentials and legitimate admin tools as though they were tree stumps and bushes, dodging from one cover spot to another.
This is the lateral movement phase, when the attacker uses techniques to move deeper into the network in search of what he or she is ultimately after. That may be financial data, intellectual property, social security numbers, or whatever the attacker considers the “crown jewels.” And while the idea of a motivated attacker lurking in your systems may be intimidating, you can use this phase to your advantage.
According to research from Smokescreen, lateral movement is the longest phase of an attack, accounting for about 80% of an attack’s time frame. The intruder will spend weeks or even months inside the network, moving around slowly and carefully. This sheer time investment is one reason lateral movement is the phase where attackers are most vulnerable to detection. If you’re aware of what to watch for and if you have visibility over your networks, one false move and an attacker can be exposed.
The basic steps of lateral movement often follow a similar pattern. Once inside the network, the attacker usually establishes a connection to his or her command and control server. Then the attacker will begin network reconnaissance to begin mapping the layout of the network and discovering its users and devices. Tools like netstat and nmap are used for this purpose.
The next step is credential harvesting. The attacker will attempt to gather valid user credentials to be able to move from system to system. Attackers will use tools like Mimikatz or pwdump. Other methods of gathering logins include using keyloggers, protocol analyzers, brute forcing passwords or using phishing to fool people into giving up credentials. The attacker’s goal is ultimately to escalate privileges to admin, for the greatest level of access and privilege inside the network.
While performing network reconnaissance, an attacker may have discovered the organization uses outdated applications. He or she may then try another technique of lateral movement by attempting to exploit these outdated applications with available exploits. The adversary may choose to phish employees in attempts to install a remote access tool to their workstation, thereby gaining access to that employee’s available services.
According to the 2018 Verizon Data Breach Investigations Report, lateral movement is playing a greater role even in ransomware attacks. Attackers, rather than simply encrypting the first device they infect, will look to move deeper inside the network to access the most critical servers and data.
Taking advantage of this attack stage to expose and eradicate the attacker is possible with technology that offers visibility over your network as well as a good understanding of abnormal, anomalous behavior. And following practices such as network segmentation and application whitelisting, enforcing the principle of least privilege, and requiring multifactor authentication and strong passwords will make it more difficult for intruders to move around even if they’re already inside.
For a detailed example of the techniques attackers use to move laterally inside a network, check out our story of a targeted attack in the manufacturing industry, The Hunt.