Lateral Movement: What It Is and How to Block It
In any given attack campaign, bad actors have a specific goal in mind. This goal could involve accessing a developer’s machine and stealing a project’s source code, sifting through a particular executive’s emails, or exfiltrating customer data from a server that’s responsible for hosting payment card information. All they need to do is compromise the system that has what they want. It’s just that easy.
Or is it?
Actually, it’s a little more complicated than that. When attackers compromise an asset in a network, that device is usually not their ultimate destination. To accomplish their goal, bad actors are likely to break into a low-level web server, email account, employee device, or some other starting location. They’ll then move laterally from this initial compromise to reach their intended target. The initial compromise seldom causes severe damage on its own. So, if security teams can detect the lateral movement before the attackers reach their intended targets, they can prevent the data breach.
But what is lateral movement, and how does it work? In this blog, we’ll look at some of the most common types of lateral movement and identify ways by which we can detect and defend against this step in a digital attack chain. Let’s get started by providing a definition of lateral movement.
Understanding Lateral Movement
Lateral movement is when an attacker gets hold of one asset within a network and then spreads their reach from that device to others within the same network. Let me draw you a picture to help clarify what’s going on here. In any network, you can represent the perimeter with a horizontal line. The top half represents what’s outside the network, while what lies below the line represents what’s inside. For an attacker to get inside the network, they must move vertically, that is, from outside to inside (sometimes called North-South traffic). But once they’ve established a foothold, they can then move laterally (or horizontally) within the network to reach their objective (sometimes called East-West traffic).
Overall, there are two common ways by which a threat actor moves laterally. In the first approach, the attacker uses what’s known as internal scanning to find out what other machines are inside the network. Specifically, they scan for listening ports and for machines that suffer from (often well-known) vulnerabilities. At that point, the attacker can abuse these weaknesses to move laterally to another asset.
The second means of lateral movement exploits stolen credentials, and it is the more common of the two. In this type of attack, the bad actor might use a phishing email to infect a machine that interfaces with a particular server. The attacker can then use that access to harvest passwords via a keylogger or a credential-dumping tool such as Mimikatz. Next, they use whatever credentials they were able to obtain to impersonate the victimized user and log into another machine. Once they’ve established access on that computer, they repeat the tactic, looking for additional shares, credentials and/or privileges that they can exploit and, in turn, use along the path towards establishing a remote connection to their target device.
Defending against Lateral Movement
It’s worth saying that lateral movement often manifests as anomalous network activity. It’s suspicious, for example, when a machine that talks regularly with only a select few computers begins scanning the entire network. The same is true if that machine attempts to connect to open ports, interact with credential services with which it doesn’t ordinarily maintain contact, or employ a username it’s never used before. The list goes on and on. What matters is that the computer is doing something out of the ordinary without proper authorization from IT.
This is what gives organizations a chance to detect lateral movement. They can turn to Active Directory, for example, and analyze the log files for suspicious connections. Alternatively, they can use an endpoint detection and response (EDR) tool to detect if someone launches malicious code on a protected IT asset.
But these defenses aren’t foolproof. Security teams that rely on logs limit the scope of their defensive posture, because logs cover only particular applications and a small number of scenarios. Infosec professionals might decide to monitor Active Directory for credential theft, but digital attackers might not use this directory service to move laterally at all, so any malicious actions that don’t touch Active Directory will go undetected. Beyond that, bad actors know which protocols security personnel tend to monitor. They can use this knowledge to shape their attack campaigns so that they stand a better chance of flying under the radar.
Security professionals also can’t rely on EDR tools to fully protect their organization against attacks that involve lateral movement. An EDR solution is only as good as the endpoint on which it’s installed. Now, what would happen if a bad actor ran malicious code on the endpoint where the EDR software is running? Bad actors with sufficient privileges could turn off logging so that the EDR solution can’t see what they’re up to.
The Lastline Advantage
It’s simply not enough for organizations to look for lateral movement using logs or an EDR tool. Instead, they need to turn their attention to the network. Doing so will allow organizations to see all network traffic, establish a baseline of normal network activity for each user and device, and monitor for unusual actions that could be indicative of malicious lateral movement. Known as anomaly detection, this task is more comprehensive and often easier than instrumenting every service and examining every log file for anomalies.
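As an added illustration of the two ideas above (the list of out-of-the-ordinary behaviours that signal lateral movement, and the per-device baseline of normal network activity), the following Python script is not Lastline’s code and is not taken from the original post. It assumes a flat record format of timestamp, source host, destination host, destination port and username, which a defender could derive from Windows network-logon events joined with flow data; the records embedded below are constructed sample data, and the port list and fan-out threshold are assumptions a real deployment would tune.

```python
"""Baseline-vs-anomaly detector for lateral-movement indicators.

Added example (not Lastline's code). Learns, per source host, the set of
destinations, ports and usernames seen during a baseline window, then flags
in the observation window the behaviours the post lists: a host fanning out
to many previously unseen hosts (internal scanning), a host contacting a
credential service it never used before, and a host using a username it has
never used before.
"""
from collections import defaultdict

# Assumed list of services that hold or hand out credentials:
# Kerberos (88), LDAP (389), SMB (445), MS-RPC endpoint mapper (135).
CREDENTIAL_SERVICE_PORTS = {88, 389, 445, 135}

# Constructed sample data: ts,src,dst,port,user
BASELINE_WINDOW = """
2019-06-01T08:00:00,ws-17,fileserver-1,445,alice
2019-06-01T08:05:00,ws-17,mail-1,443,alice
2019-06-02T08:01:00,ws-17,fileserver-1,445,alice
2019-06-01T09:00:00,ws-22,fileserver-1,445,bob
"""

OBSERVATION_WINDOW = """
2019-06-10T02:00:00,ws-17,10.0.0.10,445,alice
2019-06-10T02:00:01,ws-17,10.0.0.11,445,alice
2019-06-10T02:00:02,ws-17,10.0.0.12,445,alice
2019-06-10T02:00:03,ws-17,10.0.0.13,445,alice
2019-06-10T02:00:04,ws-17,10.0.0.14,445,alice
2019-06-10T02:00:05,ws-17,10.0.0.15,445,alice
2019-06-10T02:03:00,ws-17,dc-1,88,svc-backup
2019-06-10T09:00:00,ws-22,fileserver-1,445,bob
"""


def parse_records(text):
    """Turn the CSV-like text into dicts; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, user = line.split(",")
        records.append({"ts": ts, "src": src, "dst": dst, "port": int(port), "user": user})
    return records


def build_baseline(records):
    """Per source host: destinations, ports and usernames seen in the learning window."""
    baseline = defaultdict(lambda: {"dsts": set(), "ports": set(), "users": set()})
    for r in records:
        b = baseline[r["src"]]
        b["dsts"].add(r["dst"])
        b["ports"].add(r["port"])
        b["users"].add(r["user"])
    return baseline


def detect(baseline, records, fanout_threshold=5):
    """Return de-duplicated (src, indicator, detail) alerts for the observation window."""
    empty = {"dsts": set(), "ports": set(), "users": set()}
    alerts, seen = [], set()
    new_dsts = defaultdict(set)

    def emit(alert):
        if alert not in seen:
            seen.add(alert)
            alerts.append(alert)

    for r in records:
        b = baseline.get(r["src"], empty)
        if r["dst"] not in b["dsts"]:
            new_dsts[r["src"]].add(r["dst"])
        # A username this host has never authenticated with before.
        if r["user"] not in b["users"]:
            emit((r["src"], "new_username", r["user"]))
        # Contact with a credential service this host never talked to before.
        if r["port"] in CREDENTIAL_SERVICE_PORTS and r["port"] not in b["ports"]:
            emit((r["src"], "new_credential_service", f"{r['dst']}:{r['port']}"))
    # Fan-out to many previously unseen hosts looks like internal scanning.
    for src, dsts in new_dsts.items():
        if len(dsts) >= fanout_threshold:
            emit((src, "scan_fanout", f"{len(dsts)} previously unseen hosts"))
    return alerts


def run_example():
    """Run the detector over the constructed windows and return the alerts."""
    baseline = build_baseline(parse_records(BASELINE_WINDOW))
    return detect(baseline, parse_records(OBSERVATION_WINDOW))


if __name__ == "__main__":
    for src, indicator, detail in run_example():
        print(f"{src}: {indicator} ({detail})")
```

In the sample data, ws-22 keeps doing what it always did and produces nothing, while ws-17 trips all three indicators: a burst of never-before-seen destinations, a first-ever Kerberos exchange with the domain controller, and a service account the workstation has never used. The baseline window has to be long enough to cover legitimate periodic jobs, and the fan-out threshold high enough to absorb ordinary churn, or this is exactly the kind of benign anomaly the next paragraph warns about.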
The problem with anomaly detection is that many of these irregularities are benign. What’s needed to separate malicious lateral movement from benign network anomalies is an understanding of what malicious behavior looks like. That’s where Lastline comes in. Lastline understands threats and knows how malicious behavior looks, both on the host and in the network. Our automated analysis systems detonate and monitor millions of threats every day. Using that threat behavior information, our machine learning system can automatically build powerful classifiers that identify, with very high accuracy, those network anomalies that exhibit malicious behaviors, leaving behind benign network anomalies that otherwise generate false positives.
Dr. Christopher Kruegel, June 20, 2019