In the early days of hacking, cyber attackers conducted smash-and-grab campaigns with the goal of getting as much data as possible in one strike.
Today, malicious actors are much more methodical, especially given how valuable digital assets are. Attackers study and profile their victims, determining which vulnerabilities they can penetrate covertly. Once inside a victim's device or system, attackers often hide out for a while to uncover ways to further their attacks to other areas in the network and reach other hosts, devices or applications.
This type of attack is known as a lateral movement attack. Let's look at how these attacks work and the different lateral movement techniques attackers use.
What is lateral movement?
Lateral movement occurs after attackers successfully compromise an environment and move deeper into the network or system. In most instances, attackers are looking for employee credentials. They try to escalate their privileges using administrative accounts, such as IT managers and network and systems administrators, to access more sensitive assets.
Once they find valuable data or assets, attackers slowly move that data to their own environments. The whole process could take a week or longer. The goal is to remain undetected until it is too late for the victim to react. Ideally, by the time a breach has been detected, the cyber attacker is completely out of the system.
How attackers conduct lateral movement
Malicious actors plan their attacks during what is known as the reconnaissance phase. They scan their victims' network infrastructure to learn about hierarchies, OSes, devices and sensitive data.
To do this, attackers use a number of tools, including the following:
- Netstat. This tool displays a device's network connections at a current point in time, giving attackers information about how things interconnect in a network.
- Ipconfig and ifconfig. These commands enable attackers to access various network configurations.
- Address Resolution Protocol cache. This table contains valuable data about IP addresses and their correlating media access control addresses.
- PowerShell. This scripting language and command-line shell breaks down the network systems a user has privileged access to.
Lateral movement techniques
Once attackers complete the reconnaissance phase, they need to next access credentials or escalate privileges. Some basic lateral movement attacks use social engineering to trick users into giving up their credentials. Four common lateral movement techniques are the following:
- Keyloggers. These programs, which can be deployed from a phishing email via a malicious link or infected file, record every keystroke a legitimate user makes and send that information to the attacker.
- Mimikatz. This open source tool enables attackers to access plaintext passwords, PINs, tickets and hashes in a system's memory.
- Pass the ticket. After using a tool such as Mimikatz to extract Kerberos authentication tickets, attackers can authenticate without a user's password. In a pass-the-ticket attack, malicious actors create or intercept and reuse Kerberos tickets to impersonate a legitimate user.
- Pass the hash. In a pass-the-hash attack, malicious actors capture an authenticated hash of a password and use it to log in to local and remote devices, as well as VMs -- all without decrypting the hash. After logging in, attackers can attempt lateral movement.
How to prevent lateral movement attacks
Discovering lateral movement attacks are difficult because attackers act as covertly as possible. It can take months to detect unusual movement or activities. Therefore, prevention is the best bet. Three ways to mitigate the risk of a lateral attacks are the following:
- Use microsegmentation to isolate data and workloads from each other and limit east-west traffic. This makes it difficult for attackers to move freely throughout a system.
- Protect and fortify endpoints. Endpoints are the points of origination and termination for any network lines of communications. Use endpoint security platforms to detect suspicious entry and exit behavior and stay up to date with patching and log network activity of devices connecting to internal systems.
- Conduct penetration testing and threat hunting exercises regularly -- at least once a quarter. This is the best way to detect cyber attackers lurking in your IT and network infrastructure.