Data breaches shouldn't be measured only by how attackers infiltrate a system, but also by what happens once they get inside. For attacks to ultimately be successful, attackers must be able to freely move within an IT environment to infect and control additional assets. Known as lateral movement, CISOs need to develop security strategies and processes that prevent malicious actors from moving deeper into a network and causing more harm.
What is lateral movement?
Gaining a foothold within a network is the first step in a cyber attack. The next step is for cybercriminals to extend their reach by accessing new systems and elevating privileges, which leads to more opportunities to cement their position within the network.
Lateral movement involves accessing more machines, increasing authorization by gaining additional rights using legitimate credentials and improving survivability by installing additional malicious software. It helps attackers remain invisible within the network, search for valuable assets, gain access to data and create an extraction path.
Conducting lateral movement is a trademark of modern, sophisticated malicious actors. VMware's "Global Incident Response Threat Report 2022" found that lateral movement was used in 25% of all attacks. The tactic is also one of the 14 enterprise attack tactics identified in Mitre ATT&CK Framework. Specific lateral movement techniques include remote access hijacking and the exploitation of valid accounts.
How to prevent, detect and defend against lateral movement attacks
Lateral movement attacks are difficult to detect and prevent because attackers hide behind legitimate credentials and can reside on multiple systems. Many companies have not adjusted and improved their cybersecurity practices to identify and stop these attacks. The tools and activities required to stop or at least mitigate lateral movement, however, do exist and can be incorporated into security programs.
Lateral movement issues should be addressed at strategic, operational and proactive levels.
- Assess the attack surface. Identify the potential paths attackers can take within your network by inventorying all systems and devices and how they are connected.
- Incorporate zero trust. The tenets of zero trust work well against lateral movement. Zero trust assumes your network is already breached and all identities, devices and connections are considered untrusted until specifically and repeatedly validated. Zero trust also requires network segmentation and constant network traffic monitoring.
- Use endpoint detection and response (EDR). EDR provides early warning of suspicious activity. By collecting and analyzing endpoint data about processes, connections and data transfers, EDR can identify and block system infections and provide data to help find the originating cause.
- Follow basic cyber hygiene. Accessing new systems within a network requires exploiting vulnerabilities on devices. Regularly patch and update systems to prevent potential security gaps.
- Segment the network. Segmenting a network into many small parts limits lateral movement opportunities. Segmentation also improves access management, monitoring and isolation of sensitive data.
- Implement identity access controls. The enforcement of strong access controls, including following the principle of least privilege and deploying privilege access management tools, reduces the number of permissions each person or device maintains. This limits the number of people who can access specific data, devices or systems, which also makes it easier to monitor access activities.
- Monitor with user and entity behavior analytics (UEBA). UEBA continuously monitors user behavior against a baseline of normal patterns of activities and immediately flags activities that deviate from the expected. Discovering uncharacteristic pattern deviations can alert to malicious activity and potential compromised accounts that require further investigation.
- Perform threat hunting. Proactively search your IT environment for threat activities and patterns. Threat hunters, supported with threat intelligence and risk-based data analysis, should search for indicators of compromise to uncover problems that evade all other forms of detection.