Blog Post

What makes lateral movement so hard to detect?

Any security analyst worth their salt knows that attackers often use a variety of tools and methods to move laterally through a network to map the system, identify targets and eventually get to the organization’s crown jewels. This type of lateral movement – moving sideways between devices and apps – can be extremely difficult to uncover. But what, exactly, makes lateral movement so hard to detect?

Well, what do you do when faced with a perplexing question like that? You poll your Twitter followers of course! And multiple challenges emerged. So, let’s dig in.

lateral movement survey results

A tie for #1

When we asked our Twitter followers what’s the #1 problem with identifying lateral movement attacks, respondents were split: 29% identified “false positives,” whereas another 29% said “legit R.A.T. usage.”

We’re not surprised to see legitimate remote access tool (R.A.T.) usage rank as a top challenge while identifying lateral movement attacks. While many R.A.T.s can be used legitimately, these tools are often designed to actively bypass network controls, obscuring which parties are communicating, when, and how. This means that security teams must detect malicious intent that blends with business-justified activity, a task that is both tedious and challenging for most analysts.

That is also why “false positives” was a popular response. In an endeavor to detect lateral movement, detection solutions open the spigot so wide that even the business-justified activity seems malicious. The false positive thus occurs when your tools identify a possible threat on a network that really isn’t a threat. That, in turn, results in “alert fatigue,” another well-known industry term synonymous with burnout. Alert fatigue is caused by thousands of such alerts coming from a variety of different platforms all with ranging levels of fidelity and correlation (or, sometimes no correlation at all).

Who has the time?

Roughly 1 in 5 (22%) of survey respondents indicate they simply don’t have the time to hunt for lateral movement attacks. Again, we aren’t surprised by this stat, given respondents to an earlier Awake survey found that:

  • 54% of respondents believe critical alerts go completely uninvestigated
  • 30% of alerts that have been prioritized never get investigated

While there is still some confusion around how to define threat hunting, most cybersecurity pros agree: it doesn’t matter what you’re calling it, just that you’re doing it. It’s also important to note that hunting should be a continuous improvement process. According to Awake’s very own Troy Kent:

  • If you discover some method that produces results, make it repeatable and add it to your normal automated detection methods.
  • If you find yourself repeating the same workflow and it produces results without a lot of false positives, then automate it if possible.

You can’t can protect what you don’t see

Rounding out our survey, 19% of respondents indicate that a lack of network visibility makes identifying lateral movement attacks difficult. Indeed, the nature of the industry is changing. As attackers grow smarter and understand typical network behavior, the approaches we’ve taken for network security no longer work.

So, while the network has historically been a valuable source of insight that enabled effective detection and response, it has become increasingly opaque as more of the data on the network is encrypted. For security teams, this means losing visibility into this powerful data source, just as attackers use techniques like encryption to evade traditional detection methods.

Knowing is half the battle when it comes to network security. When a major bulk of traffic is encrypted, we need anything we can to identify what applications might be on the network. Luckily encrypted traffic analysis can enable the use case of identifying and profiling applications.. TLS fingerprinting uses data in the TLS traffic, which isn’t encrypted, to inform security teams about what kind of application may be the source of that traffic.

Detecting lateral movement with Awake

While it’s clear there are several forces at play which make it difficult to identify lateral movement attacks, don’t lose hope yet. Awake’s real-time visibility and rapid & conclusive detection capabilities allow security teams to surface, understand and rapidly investigate potential lateral movement attacks. Still on the fence? Schedule a demo today.