By Friedrich von Jagwitz, Sales Engineer
What is lateral movement?
Lateral movement is a tactic adversaries use to move through your network. Usually, attackers combine multiple techniques to search for critical assets and data while determining the target and figuring out how to reach it. Most techniques for reaching the target rely on privileged credentials and on mimicking the administrator’s daily routines so that the activity blends in with normal operations. That is why it is challenging for organizations to detect lateral movement with traditional security solutions.
How does lateral movement work?
Most attacks use social engineering for the first step of lateral movement. Spear phishing is one of the most successful attack vectors for targeting people whose role gives them access to interesting data (C-level executives, in so-called “whaling”) or control over sensitive systems (administrators). Once the attacker has access to a machine – let’s say after a successful phishing attack – he will use that account’s privileges to search for relevant data, additional credentials and permissions. Then, the attacker will try to escalate the privileges of the user account so that he can perform more significant actions in the target environment.
Once the harvest on one system is over, he will move laterally. The attacker will try to log in to another computer with the account he first captured. If no one stops the attacker, he has all the time in the world to search around and move between systems until he eventually finds sensitive data or impersonates an all-powerful administrator account.
Best practices to prevent a lateral movement attack
In many cases, organizations don’t fix vulnerabilities in their network, for reasons such as high cost, limited resources and dependencies on other systems. Even when organizations do address the vulnerabilities, the transition to a more secure network takes time, and the network remains exposed while it is under way.
Despite the time and effort it takes to address vulnerabilities, blue teamers are not without options. They use many different tools to detect attacks in every phase. One of the vital security monitoring tools is a security information and event management (SIEM) system. With a SIEM, it’s easy to identify an intruder moving laterally, because he will inevitably make noise hopping from one system to another. Once the attacker is spotted, blue teamers can stop him.
Early detection with a SIEM
SIEMs can detect the attacker when he starts using the same account on multiple computers. Legitimate users usually work from a single computer. LogPoint SIEM identifies accounts that have logged in successfully on more than one workstation using this simple pattern:
[ label=Login label=successful workstation = * | chart count() by workstation, user ] as s1 join [label=Login workstation=* label=Successful | chart count() by workstation, user ] as s2 on s1.user=s2.user | process compare(s1.workstation,s2.workstation) as match | filter match = false | chart count() by s1.user,s1.workstation,s2.workstation,match
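The query above joins successful logins with themselves on the user name and keeps only the rows where the two workstations differ. The following is an added example, not LogPoint’s code or query language, that reimplements the same logic in plain Python over a handful of constructed Windows-style logon records, so you can see exactly which rows the self-join produces. The event tuple layout (timestamp, user, workstation, outcome) and the host and account names are assumptions made for the example.

```python
"""Added example (not LogPoint's code): the multi-workstation login check
expressed in Python over constructed logon events, mirroring the SIEM
query's self-join on user and its compare(...) = false filter."""
from collections import defaultdict

# Constructed sample events, loosely modelled on Windows logon records:
# (timestamp, user, workstation, outcome). Host and account names are made up.
SAMPLE_EVENTS = [
    ("2024-01-10T08:01:12", "alice", "WS-ALICE", "successful"),
    ("2024-01-10T08:03:40", "bob", "WS-BOB", "successful"),
    ("2024-01-10T08:05:02", "alice", "WS-ALICE", "successful"),
    ("2024-01-10T09:17:55", "svc_backup", "FILESRV01", "successful"),
    ("2024-01-10T09:21:10", "bob", "WS-ALICE", "successful"),   # bob's account on alice's box
    ("2024-01-10T09:22:03", "bob", "FILESRV01", "failed"),      # failures are ignored, as in the query
    ("2024-01-10T09:24:48", "bob", "FILESRV01", "successful"),
]


def successful_logins_by_user(events):
    """Equivalent of 'label=Login label=successful | chart count() by
    workstation, user': the set of workstations each user logged in to."""
    by_user = defaultdict(set)
    for _timestamp, user, workstation, outcome in events:
        if outcome.lower() == "successful":
            by_user[user].add(workstation)
    return dict(by_user)


def workstation_pairs(events):
    """Equivalent of the self-join on s1.user = s2.user followed by
    'compare(s1.workstation, s2.workstation) as match | filter match = false':
    every ordered pair of distinct workstations seen for the same user."""
    pairs = []
    for user, workstations in sorted(successful_logins_by_user(events).items()):
        for ws1 in sorted(workstations):
            for ws2 in sorted(workstations):
                if ws1 != ws2:  # rows where the workstations are equal are dropped
                    pairs.append((user, ws1, ws2))
    return pairs


def flag_multi_workstation_users(events):
    """Triage-friendly summary: users seen on more than one workstation,
    each with the sorted list of workstations involved."""
    return {
        user: sorted(workstations)
        for user, workstations in successful_logins_by_user(events).items()
        if len(workstations) > 1
    }


if __name__ == "__main__":
    for user, workstations in flag_multi_workstation_users(SAMPLE_EVENTS).items():
        print(f"{user} logged in on {len(workstations)} workstations: {', '.join(workstations)}")
    for row in workstation_pairs(SAMPLE_EVENTS):
        print("join row:", row)
```

On the sample data only bob is flagged, because alice is seen on a single workstation. In a real environment, service accounts and administrators legitimately log in to many hosts, so a rule like this is normally paired with an allowlist of such accounts, or with a threshold on the number of distinct workstations, to keep the alert volume manageable.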
Share attack insights
With a painless way to detect the attacker, organizations know as soon as there is an account performing suspicious activities. Most SIEMs have powerful visualization options, so blue teams can share insights within the team.
Detect unusual behavior with UEBA
Behavioral analytics, such as UEBA, can also detect anomalous behavior in the network without rules or manual setup. User and entity behavior analytics (UEBA) use advanced machine learning to detect when users are behaving strangely. UEBA sends automatic notifications when users do something outside their usual behavior. This way organizations know when they need further forensic investigation.
An example of how UEBA can help detect lateral movement is multiple attempts to log into different accounts in short succession and/or from devices that are not typically associated with those accounts. UEBA shines in this type of scenario as these are some of the most basic anomalies it can detect. Obviously, organizations can use queries to detect multiple login attempts, but that requires a somewhat more laborious approach.
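The two anomalies described above, logins from devices not normally associated with an account and a burst of attempts against several accounts in quick succession, can be illustrated with a deliberately simple baseline model. The code below is an added example, not LogPoint’s or any vendor’s UEBA implementation: a real product learns baselines statistically, whereas here the baseline is just the set of devices each account used during a constructed “normal” period. The event layout, host and account names, the five-minute window and the three-account threshold are all assumptions made for the example.

```python
"""Added example (not a vendor's UEBA code): two behavioural checks over
constructed logon events. The baseline is learned from a training period,
and new events are scored against it."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed training history: the "normal" period used to learn which
# devices each account usually logs in from. All names are made up.
HISTORY = [
    ("2024-01-08T08:02:00", "alice", "WS-ALICE", "successful"),
    ("2024-01-08T08:10:00", "bob", "WS-BOB", "successful"),
    ("2024-01-09T08:04:00", "alice", "WS-ALICE", "successful"),
    ("2024-01-09T08:11:00", "bob", "WS-BOB", "successful"),
    ("2024-01-09T08:30:00", "carol", "WS-CAROL", "successful"),
]

# Constructed events under review: bob's account appears on a new device,
# and that device then tries several accounts within a couple of minutes.
NEW_EVENTS = [
    ("2024-01-10T08:03:00", "alice", "WS-ALICE", "successful"),
    ("2024-01-10T09:20:00", "bob", "WS-ALICE", "successful"),
    ("2024-01-10T09:21:10", "carol", "WS-ALICE", "failed"),
    ("2024-01-10T09:21:40", "svc_backup", "WS-ALICE", "failed"),
    ("2024-01-10T09:22:05", "admin", "WS-ALICE", "failed"),
    ("2024-01-10T10:00:00", "carol", "WS-CAROL", "successful"),
]


def learn_device_baseline(history):
    """Map each account to the set of devices it logged in to successfully
    during the training period."""
    baseline = defaultdict(set)
    for _timestamp, user, device, outcome in history:
        if outcome == "successful":
            baseline[user].add(device)
    return dict(baseline)


def unfamiliar_device_alerts(events, baseline):
    """Successful logins from a device the account never used in training.
    Accounts absent from the baseline are reported as well."""
    return [
        (timestamp, user, device)
        for timestamp, user, device, outcome in events
        if outcome == "successful" and device not in baseline.get(user, set())
    ]


def account_sweep_alerts(events, window=timedelta(minutes=5), min_accounts=3):
    """One device attempting at least min_accounts distinct accounts within
    the window, counting failed and successful attempts alike. Uses a
    sliding window over the device's attempts sorted by time."""
    by_device = defaultdict(list)
    for timestamp, user, device, _outcome in events:
        by_device[device].append((datetime.fromisoformat(timestamp), user))
    alerts = []
    for device, attempts in by_device.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # drop attempts that fell out of the window
            accounts = {user for _when, user in attempts[start:end + 1]}
            if len(accounts) >= min_accounts:
                alerts.append((device, attempts[start][0].isoformat(), sorted(accounts)))
                break  # one alert per device is enough for triage
    return alerts


if __name__ == "__main__":
    baseline = learn_device_baseline(HISTORY)
    for alert in unfamiliar_device_alerts(NEW_EVENTS, baseline):
        print("unfamiliar device:", alert)
    for alert in account_sweep_alerts(NEW_EVENTS):
        print("account sweep:", alert)
```

Both checks fire on the same constructed device, which is the kind of correlation a UEBA product surfaces automatically: a familiar account on an unfamiliar device, followed by a fan-out across other accounts. The thresholds are where the laborious tuning the text mentions happens when this is done with hand-written queries rather than learned behaviour.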
Log aggregation and visualization
Overall, network-spanning solutions, even the most basic log aggregation and visualization, can be invaluable for detecting lateral movement. These solutions give quick notice of the kind of unusual activity that coincides with lateral movement, especially if the attacker is using automated methods.
Monitoring is key to stop lateral movement
Other security best practices still stand of course. Especially important is the principle of least privilege and various authentication-related mechanisms, such as two-factor authentication and password requirements. However, defending against lateral movement is not complete without monitoring capabilities.
Detection is one step away from reaction. Only with knowledge about what is going on in your network can you stop the attacker and protect your business from data loss and privacy violations.
The challenge of defending your network
In the early days of networking, many people put a lot of effort and time into inventing new functionality and making what seemed impossible – possible. When Ray Tomlinson sent his first email (“QWERTYUIOP”) in 1971, his only concern was to check whether it was properly sent and received. Not even 20 years later, in 1988, the “Morris” worm exposed the vulnerabilities of computer networks, and the U.S. Government Accountability Office put the cost of the damage at between $100,000 and $10,000,000. In 1991 Microsoft came up with their vision of “a personal computer on every desk and in every home,” and companies of every size started working with computers and building their networks.
Back then, the demand for IT experts was higher than the actual number of qualified specialists. The lack of IT expertise led to millions of unsecured, misconfigured and highly vulnerable IT environments. Many unsecured environments are up and running today, representing a big and expensive risk for organizations.
A digital playground
There is no reason to detail how and when the first hackers came onto the digital playground and found the millions of vulnerable networks as a virtual invitation to take action. However, the hackers motivated organizations to think about network defense. The famous Kill Chain from Lockheed Martin and later the industry standard MITRE ATT&CK framework help Blue Teams structure the evidence obtained during defensive activities. An attacker has to do the groundwork before he can get what he is after.
By far, most networks use Microsoft’s technologies, such as Active Directory (AD) for authentication and authorization and Windows servers and clients. Some networks even have Windows NT nearly two decades after support ended. Windows computers as part of an AD domain in a basic, non-hardened configuration living in flat, non-segmented networks allow attackers to quickly move from one system to another. Prowling in foreign networks, attackers harvest credentials and data, sometimes taking control over entire networks.