“Lateral movement” is a technique used by cybercriminals to systematically move through a network in search of data or assets to exfiltrate.
What is Lateral Movement?
Lateral movement is a means to an end: a technique used to identify, gain access to and exfiltrate sensitive data.
The attacker will use different tools and methods to gain higher privileges and access, allowing them to move laterally (sideways, between devices and apps) through a network to map the system, identify targets and eventually reach the organization’s crown jewels. If the attacker is able to secure administrative privileges, malicious lateral movement activities can be extremely difficult to detect, as they can appear as “normal” network traffic to security pros who lack the skills to differentiate them or who are overwhelmed by a flurry of alerts.
We live in a world that sees breaches occurring on a daily basis. As such, it’s important that security teams be able to quickly and accurately detect lateral movement so they can contain malicious actors before they expand their reach within an organization.
Detecting Lateral Movement
Alert Fatigue Makes it Harder to Detect
The overabundance of security alerts and false positives is an unfortunate reality, causing overworked and undertrained analysts to become desensitized to the types of alerts triggered by lateral movement attacks, such as policy violations. These alerts can often seem small and insignificant because they’re very common and don’t necessarily indicate a breach. For instance, consider alerting on every instance of the SMB protocol on the network: the sheer volume makes it easy for analysts to ignore potentially important – but often disassociated – alerts, or to mark them as “not malicious” without further investigation.
Understanding Your Network Increases Visibility of Attack
Understanding network-based characteristics before a lateral movement attack can help identify one as it happens. Packet analysis tools can help identify network characteristics, which can then help security analysts answer questions about a network: which devices are communicating, how they are identified, where they are located, and when real communication happens (vs. the application merely being installed on a system). It’s also important to understand the techniques attackers use to obscure their behavior and bypass common network security technologies, in order to better identify lateral movement attacks.
Threat hunting is an important part of detecting lateral movement, as it empowers security analysts to proactively investigate network activity to identify anomalies that other detection methods don’t catch. As mentioned above, most detection technologies avoid alerting on potential lateral movement due to the noise this can generate. Hence, threat hunting is the only effective way to differentiate true lateral movement from regular, business-justified network activity.
Common Usage & Adaptation
Many cybercriminals use RATs (remote access tools) to connect to desktops remotely to gain access and initiate a lateral movement attack. Many remote access tools are used legitimately and not considered malware. However, these tools actively bypass network controls, obscuring which parties are communicating, when and how. This ability to fly under the radar is attractive to malicious insiders and outside attackers alike.
The next step in lateral movement is reconnaissance: observing, exploring and mapping the network, its users and devices. This map allows malicious actors to make informed moves, understand naming conventions and network hierarchies, and identify potential payloads.
Credentials & Privileges
In order to move through a network, cybercriminals must gather the necessary login credentials. Credentials can be harvested using a variety of tools, such as keyloggers and protocol analyzers. Social engineering tactics such as typosquatting and phishing attacks can also be used to trick users into sharing login credentials. Another method is a brute force attack, wherein a criminal essentially guesses a password and then uses it to collect, package and steal data.
In order to mitigate lateral movement attacks, security analysts must build internal network intelligence: knowing which users and devices are on the network and what their typical login patterns look like, so that credential abuse can be recognized when it takes place.
Once a criminal has mapped a network and holds a range of passwords and privileges, they can fully infiltrate and move through the network. At this stage, sophisticated detection logic (based on the behaviors commonly seen in the environment, as well as more generic detection on specific protocols, for instance Kerberos errors) is required to discover threats that would otherwise slip under the radar.
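The baselining described under “Understanding Your Network” and the login-pattern intelligence described in the two paragraphs above can be put together as a small detector. The following is an added example and not code from the page or from Awake: it builds a per-user baseline of destination hosts from constructed logon records, then flags logons to hosts a user has never reached before and an account fanning out to several new hosts within a short window. The log format, host names and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records (not from the page):
# "timestamp user src_host dst_host protocol", one record per line.
BASELINE_LOG = """\
2024-03-01T09:02:11 alice ws-alice fs01 SMB
2024-03-01T09:05:40 alice ws-alice mail01 HTTPS
2024-03-01T10:12:03 bob ws-bob fs01 SMB
2024-03-02T09:01:55 alice ws-alice fs01 SMB
2024-03-02T14:20:09 bob ws-bob print01 SMB
""".splitlines()

# A later window in which "bob" reaches hosts never seen in his baseline.
WINDOW_LOG = """\
2024-03-10T02:14:01 alice ws-alice fs01 SMB
2024-03-10T02:15:30 bob ws-bob fs01 SMB
2024-03-10T02:16:02 bob ws-bob ws-alice SMB
2024-03-10T02:16:45 bob ws-bob ws-carol SMB
2024-03-10T02:17:20 bob ws-bob dc01 RDP
""".splitlines()

def parse(lines):
    """Turn raw records into dicts with a real datetime for sorting."""
    events = []
    for line in lines:
        ts, user, src, dst, proto = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "dst": dst, "proto": proto})
    return events

def build_baseline(events):
    """Per-user set of destination hosts seen during normal activity."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e["user"]].add(e["dst"])
    return baseline

def detect(events, baseline, max_new_hosts=2, window=timedelta(minutes=10)):
    """Flag logons to never-seen hosts, and fan-out to more than
    max_new_hosts distinct new hosts by one account inside the window."""
    alerts, recent = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        user, dst = e["user"], e["dst"]
        if dst in baseline.get(user, set()):
            continue  # matches the user's normal pattern
        alerts.append(("new-destination", user, dst))
        recent[user] = [(t, d) for t, d in recent[user]
                        if e["ts"] - t <= window] + [(e["ts"], dst)]
        distinct = {d for _, d in recent[user]}
        if len(distinct) > max_new_hosts:
            alerts.append(("fan-out", user, len(distinct)))
    return alerts
```

Alice’s off-hours logon to fs01 is not flagged because fs01 is in her baseline; only bob’s spread to ws-alice, ws-carol and dc01 produces alerts.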
Detecting Lateral Movement with Awake
Awake offers exhaustive network intelligence capabilities, which discover and track traditional endpoints, as well as unmanaged IoT, BYOD, contractors and other devices, even as they move across IP addresses. Many of these devices are simply invisible to log- or agent-based security products. Awake allows the security team to surface threats to and from all these devices and rapidly investigate potential threats.
Rapid and Conclusive Detection
Identifying lateral movement has been a laborious and error-prone exercise for security teams as they attempt to gather context and correlate, often using primitive data like an IP address. Awake provides a deep understanding of a device’s or user’s attributes, activities and role. This capability can be used to identify anomalous login and connection patterns as well as privilege escalation.