The birth of expansive enterprise networks that play host to hundreds of different business applications and systems has given rise to a phenomenon known as “lateral movement.” But what is lateral movement?

It describes the process through which attackers attempt to explore a targeted network, probing for weaknesses, escalating their access privileges and looking for valuable resources they might breach, such as valuable customer information that they might steal.

Lateral movement attacks are named as such because the attacker moves sideways across the network, from device to application and so on. However, while they’re moving sideways looking for chinks in the network’s armor, the ultimate goal is to move deeper in terms of access to crucial systems and data.

These days, large companies manage sprawling computer networks that span multiple locations, users, devices and applications. The network grows as the business grows, and as it gets bigger, it creates a much larger attack surface.

Hackers generally begin their attacks by looking for a way inside the network. Common techniques include using malware or phishing to steal an employee’s login credentials, or abusing Windows drivers or remote desktop platforms. Once inside, they move laterally using a variety of techniques, exploring different applications and systems to discover targets of value.

For security teams, it’s not enough to know what lateral movement is all about. More importantly, you need to be able to identify lateral movement as it’s happening, so you can stop the attackers in their tracks.

Signs Lateral Movement Might Be in Progress

Detecting lateral movement is essential because most attackers move quite rapidly once they have found a way inside a new network. One recent study revealed that the average time it takes for a malicious actor to start moving laterally is just 92 minutes.

That’s blazingly fast, especially when you consider that the average phishing attack takes 213 days to detect, followed by another 80 days before it can be contained.

Without a reliable way to tell lateral movement apart from ordinary activity, most attacks are likely to go undetected for some time. That’s because the attacker appears to be a legitimate user, which throws off even the more advanced network monitoring tools.

So how can you identify lateral movement? Fortunately, the methods used by hackers are not entirely foolproof, giving proactive security teams the opportunity to detect signs of suspicious network activity that might indicate lateral movement in progress.

1. Login Anomalies

One of the most obvious signs of lateral movement is a user who suddenly deviates from the norm, logging in at unusual times of the day. Most employees follow regular patterns according to their work schedule, so if a user starts logging in regularly at alternative hours it warrants further inspection.

Other signs include a single device logging in to many different systems, which suggests someone is using lateral movement to scout the network.

2. Unusual Activity

Another sign of possible lateral movement is when a user’s activity changes. If a team member who regularly logs in from New York suddenly starts logging in from Moscow on a regular basis, that’s a huge red flag right there, indicating their account may have been compromised.

Other signs include users accessing systems and applications that they don’t normally use, or going through files and folders they normally don’t interact with.
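The two signs above (off-hours logins, one device fanning out across many systems, and a user whose login location suddenly changes) can all be checked from the same login log. The script below is an added example, not code from the original article; it runs over a constructed sample log and assumes a fixed 07:00–19:00 working window and a fan-out threshold of three systems, both of which a real deployment would tune per user or per team.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login log (not real data).
# Fields: timestamp user device system location
SAMPLE_LOGINS = """\
2024-03-04T09:12:00 alice laptop-17 hr-portal NewYork
2024-03-04T09:40:00 alice laptop-17 payroll NewYork
2024-03-05T03:05:00 alice laptop-17 hr-portal NewYork
2024-03-05T03:09:00 alice laptop-17 file-server NewYork
2024-03-05T03:15:00 alice laptop-17 crm NewYork
2024-03-05T03:22:00 alice laptop-17 build-server NewYork
2024-03-06T10:00:00 bob desktop-02 crm NewYork
2024-03-06T10:30:00 bob desktop-02 crm Moscow
2024-03-06T11:00:00 carol laptop-09 crm Moscow
"""


def parse_logins(text):
    """Parse one login event per line into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, device, system, location = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "device": device,
            "system": system,
            "location": location,
        })
    return sorted(events, key=lambda e: e["ts"])


def off_hours_logins(events, start_hour=7, end_hour=19):
    """Logins outside the assumed working window [start_hour, end_hour).

    Returns (user, timestamp) pairs for analysts to review."""
    return [
        (e["user"], e["ts"].isoformat())
        for e in events
        if not (start_hour <= e["ts"].hour < end_hour)
    ]


def devices_spanning_systems(events, threshold=3):
    """Devices that logged in to at least `threshold` distinct systems.

    Returns {device: number_of_distinct_systems}."""
    systems = defaultdict(set)
    for e in events:
        systems[e["device"]].add(e["system"])
    return {d: len(s) for d, s in systems.items() if len(s) >= threshold}


def location_changes(events):
    """Users whose login location differs from their previous login.

    Returns (user, previous_location, new_location) triples."""
    last_seen = {}
    changes = []
    for e in events:  # events are chronological, so "previous" is well defined
        prev = last_seen.get(e["user"])
        if prev is not None and prev != e["location"]:
            changes.append((e["user"], prev, e["location"]))
        last_seen[e["user"]] = e["location"]
    return changes


def login_anomaly_report(text=SAMPLE_LOGINS):
    """Run all three checks over a login log and collect the findings."""
    events = parse_logins(text)
    return {
        "off_hours": off_hours_logins(events),
        "device_fan_out": devices_spanning_systems(events),
        "location_changes": location_changes(events),
    }


if __name__ == "__main__":
    for check, findings in login_anomaly_report().items():
        print(check, findings)
```

On the sample data the report flags alice’s four 03:00 logins, laptop-17 for touching five different systems in two days, and bob’s jump from NewYork to Moscow. Each finding is a lead to investigate rather than a verdict: a legitimate travelling employee or a shared jump host will trip the same checks, which is why a baseline per user matters more than the fixed thresholds used here.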

3. Exceptional Network Use

Cybercriminals will often use native tools to try and avoid detection as they move laterally across a network, but doing so can generate anomalies in the network’s activity that can be detected by monitoring tools. In such cases, further investigation is recommended.

4. Irregular Administrative Actions

If an attacker succeeds in escalating their privileges to give themselves administrative access, this can often be detected.

For instance, if a user gains more privileges and begins testing access to different servers that contain sensitive information, that is another sign that warrants closer investigation. Or if the same user grants administrative privileges to multiple users, that may also be suspicious.
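Both patterns described above (one account handing out administrative rights to several users in quick succession, and a newly privileged account immediately probing several sensitive servers) can be spotted in an audit log with a sliding-window count. The code below is an added example rather than anything from the article; the audit log, the `grant_admin` and `access` action names, and the thresholds (three distinct targets inside a 30-minute window) are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data).
# Fields: timestamp actor action target
SAMPLE_AUDIT = """\
2024-03-07T14:00:00 dave grant_admin erin
2024-03-07T14:02:00 dave grant_admin frank
2024-03-07T14:03:00 dave grant_admin grace
2024-03-07T14:10:00 erin access db-finance
2024-03-07T14:11:00 erin access db-hr
2024-03-07T14:12:00 erin access db-customers
2024-03-07T14:13:00 erin access file-legal
2024-03-08T09:00:00 helen grant_admin ian
2024-03-08T09:30:00 ian access db-finance
"""


def parse_audit(text):
    """Parse one audit event per line into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, target = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "actor": actor,
            "action": action,
            "target": target,
        })
    return sorted(events, key=lambda e: e["ts"])


def _max_distinct_targets_in_window(events, window):
    """Largest number of distinct targets seen inside any `window`-long span."""
    events = sorted(events, key=lambda e: e["ts"])
    best = 0
    for i, start in enumerate(events):
        seen = set()
        for e in events[i:]:
            if e["ts"] - start["ts"] > window:
                break
            seen.add(e["target"])
        best = max(best, len(seen))
    return best


def grant_fan_out(events, window, threshold=3):
    """Actors who granted admin to at least `threshold` distinct users within `window`."""
    grants = defaultdict(list)
    for e in events:
        if e["action"] == "grant_admin":
            grants[e["actor"]].append(e)
    flagged = {}
    for actor, evs in grants.items():
        count = _max_distinct_targets_in_window(evs, window)
        if count >= threshold:
            flagged[actor] = count
    return flagged


def post_grant_access_burst(events, window, threshold=3):
    """Users who, within `window` of being granted admin, accessed at least
    `threshold` distinct targets. Returns {user: distinct_targets}."""
    flagged = {}
    for grant in events:
        if grant["action"] != "grant_admin":
            continue
        user = grant["target"]
        followups = [
            e for e in events
            if e["actor"] == user and e["action"] == "access"
            and grant["ts"] <= e["ts"] <= grant["ts"] + window
        ]
        count = len({e["target"] for e in followups})
        if count >= threshold:
            flagged[user] = max(count, flagged.get(user, 0))
    return flagged


def admin_anomaly_report(text=SAMPLE_AUDIT, window_minutes=30):
    """Run both privilege checks over an audit log."""
    events = parse_audit(text)
    window = timedelta(minutes=window_minutes)
    return {
        "grant_fan_out": grant_fan_out(events, window),
        "post_grant_bursts": post_grant_access_burst(events, window),
    }


if __name__ == "__main__":
    print(admin_anomaly_report())
```

On the sample log, dave is flagged for granting admin to three users inside three minutes, and erin for touching four sensitive targets within a quarter of an hour of receiving those rights; helen’s single grant and ian’s single access stay below the thresholds. Onboarding runs and change windows will produce legitimate bursts of the same shape, so these findings are best correlated with ticketing or change records before escalation.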

5. Irregular File-Sharing Patterns

Security teams can closely monitor file-sharing activity to identify lateral movement. As the attacker moves through the network, they will often try to share access to alternative user accounts they have either compromised or created.

They do this in order to mask their lateral movements, but these discrepancies in file-sharing activity can become a giveaway themselves if your security team is on the ball.

6. Unknown Devices Accessing Sensitive Data

Many companies support “bring your own device” policies that allow employees to purchase and use their own personal devices to access company apps, so unknown devices are not uncommon.

But even though they pop up fairly frequently, security teams should pay attention to these unknown devices and look for anomalies in their behavior. If their activity is somewhat unusual, it could be a sign of lateral movement.

For example, a user who regularly logs into the organization’s accounting system is unlikely to also need to access its customer relationship management platform regularly. If an unknown device is doing this, it’s a strong hint at the possibility of lateral movement.

7. Port Scans

Cybercriminals will often use port scans to conduct network reconnaissance. Port scans can help attackers identify open ports and find out whether they’re being used to send or receive data. Additionally, they can also reveal the nature of security tools used by the network, such as application firewalls.

Fortunately, most modern intrusion detection systems can detect port scans. Network engineers sometimes use port scanning tools for legitimate reasons, so communication between teams is required to identify those that are illegitimate.
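A port scan shows up in connection logs as one source touching many distinct destination ports in a short span, and the article’s point about coordinating with network engineers translates directly into an allowlist of registered scanner hosts. The detector below is an added example, not code from the article or from any IDS product; its connection log, the scanner address `10.0.9.1`, the 60-second window and the threshold of ten distinct targets are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _build_sample_log():
    """Constructed sample connection log (not real traffic).

    Fields: timestamp src dst dport"""
    lines = []
    # 10.0.0.5 touches 12 different ports on one host within 12 seconds
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]):
        lines.append(f"2024-03-04T10:00:{i:02d} 10.0.0.5 10.0.1.20 {port}")
    # 10.0.0.9 behaves like an ordinary client: two HTTPS connections
    lines.append("2024-03-04T10:05:00 10.0.0.9 10.0.1.20 443")
    lines.append("2024-03-04T10:05:30 10.0.0.9 10.0.1.21 443")
    # 10.0.9.1 is the network team's scheduled scanner (assumed address)
    for i, port in enumerate(range(1, 26)):
        lines.append(f"2024-03-04T11:00:{i:02d} 10.0.9.1 10.0.1.20 {port}")
    return "\n".join(lines)


SAMPLE_CONN_LOG = _build_sample_log()

# Hosts the network team has registered as legitimate scanners (assumed)
KNOWN_SCANNERS = {"10.0.9.1"}


def parse_connections(text):
    """Parse one connection record per line into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "dport": int(dport),
        })
    return events


def max_distinct_targets_in_window(events, window):
    """Largest number of distinct (dst, dport) pairs one source touched
    inside any span of length `window`."""
    events = sorted(events, key=lambda e: e["ts"])
    best = 0
    for i, start in enumerate(events):
        limit = start["ts"] + window
        targets = set()
        for e in events[i:]:
            if e["ts"] > limit:
                break
            targets.add((e["dst"], e["dport"]))
        best = max(best, len(targets))
    return best


def detect_port_scans(text=SAMPLE_CONN_LOG, window_seconds=60,
                      threshold=10, known_scanners=KNOWN_SCANNERS):
    """Flag sources that hit >= `threshold` distinct targets within the window.

    Registered scanners are reported separately instead of being raised
    as alerts, so the allowlist itself stays auditable."""
    by_src = defaultdict(list)
    for e in parse_connections(text):
        by_src[e["src"]].append(e)
    window = timedelta(seconds=window_seconds)
    alerts, suppressed = [], []
    for src, events in by_src.items():
        count = max_distinct_targets_in_window(events, window)
        if count < threshold:
            continue
        record = {"src": src, "distinct_targets": count}
        (suppressed if src in known_scanners else alerts).append(record)
    return {"alerts": alerts, "suppressed": suppressed}


if __name__ == "__main__":
    print(detect_port_scans())
```

Run on the sample log, the only alert is for 10.0.0.5; the registered scanner’s 25-port sweep is recorded under `suppressed` rather than silently dropped, so a reviewer can still confirm that the allowlisted host is the one the network team expects. Lowering the window or threshold catches slower scans at the cost of more false positives from chatty but legitimate clients.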

8. Lack of Encryption

By analyzing network ports, security teams can identify if any data passed between two open ports, or from an open port to a user device, was encrypted or not.

Encryption has become standard for sensitive data, so if critical information is being sent across the network without it, it’s reasonable to conclude someone might be up to no good.

Halting Lateral Movement in Its Tracks

Besides these signs of lateral movement, security teams can make use of network reporting tools to automatically identify suspicious activity.

In addition, teams can employ a proactive approach that involves the least privilege principle, multifactor authentication methods for logins and automated endpoint monitoring.

Teams should also regularly investigate user identities and permissions in order to determine who their legitimate network users are, and what they’re supposed to be doing. In this way, it becomes easier to identify users who are doing something they shouldn’t.

In addition, it can be helpful to map out likely lateral movement paths (LMPs). Here, the idea is to identify possible LMPs within the network, and then investigate them for vulnerable connections between systems, devices and data. It may not be possible to fully block an LMP, but steps can be taken to secure these connections.

Conclusion

Lateral movement is a common tactic used by cybercriminals to gain access to valuable data. Although it can be hard to detect, security teams can improve their odds by knowing what to look for.

Besides regularly monitoring for indications of lateral movement, teams can take proactive steps to make life much harder for those attempting to infiltrate their systems.

Aliu Isa is an experienced tech and VPN writer with over 8 years of experience. Aliu simplifies online security, making it accessible to all. Beyond writing tech, Aliu explores the digital world, uncovering online anonymity's secrets.
