Lateral movement can quickly take a breach from bad to catastrophic. A sophisticated and prevalent attack technique, lateral movement is an advanced persistent threat (APT) that can be difficult to detect and combat. <\/p>\n\n\n\n
Unfortunately, preventative security isn\u2019t enough to keep lateral movement attacks at bay. In today\u2019s treacherous cybersecurity climate, experts advise us to think of attacks as inevitable: plan for when<\/em> they occur rather than if<\/em>. It\u2019s critical that organizations develop measures to both prevent lateral movement attacks and<\/em> mitigate them when they occur to minimize damage.<\/p>\n\n\n\n To help organizations understand how to approach lateral movement, this blog covers the basics of lateral movement as well as top detection, prevention, and mitigation methods. <\/p>\n\n\n\n Lateral movement is the access of additional resources or elements in an organization’s infrastructure after initial entry. Often, lateral movement involves gathering elevated credentials and permissions to access more critical and sensitive data. It\u2019s one of the top ways cybercriminals maximize damage during an attack.<\/p>\n\n\n\n As CrowdStrike<\/a> puts it, \u201clateral movement is a key tactic that distinguishes today\u2019s advanced persistent threats (APTs)<\/a> from simplistic cyberattacks of the past.\u201d APTs are sophisticated and stealthy attacks that gain prolonged access to a network, facilitating reconnaissance, strategic attack planning, and critical data compromise. <\/p>\n\n\n\n Lateral movement starts with initial access to an account, network, or resource, and escalates as the attacker leverages that access to move through the infrastructure. Typically, lateral movement attackers carve themselves a path to the most critical data by breaking through security layers and gathering additional privileges. Often, they hold this data for ransom in ransomware attacks, which are growing in popularity<\/a> and considered a top security threat<\/a>. <\/p>\n\n\n\n While there is no one way for lateral movement attacks to unfold, they typically follow certain patterns and go through some of the same key steps. The following are some of the most common tactics and steps in a typical lateral movement attack. <\/p>\n\n\n\n Lateral movement requires initial access to the network or infrastructure. Bad actors can gain this initial access through just about any weak point in the infrastructure, from an unprotected server to a vulnerable application or an employee account. Initial access doesn\u2019t always require sophisticated hacking techniques: phishing attacks<\/a>, for example, use low-tech tactics that are highly effective in tricking users into sharing account access with threat actors. <\/p>\n\n\n\n This initial resource access becomes the vehicle bad actors use to traverse the network or infrastructure. In systems where a traditional perimeter is the main barrier to entry, lateral movement can occur unhindered as soon as the actor gains access to the main network. In environments with continuous authentication, however, the access would stop there unless the bad actor is able to get through the next authentication point. <\/p>\n\n\n\n Attackers often gain access to additional resources by using a legitimate account, either infiltrating an account that already has high-level access privileges or infiltrating a standard account and adding to or escalating its privileges. To seize high-permission accounts directly, attackers may use targeted initial infiltration techniques, like whaling<\/a>. To gather or escalate privileges on a standard account, attackers often leverage network or operating system vulnerabilities. This method typically involves more reconnaissance and back-end manipulation.<\/p>\n\n\n\n Many attackers wait to strike, leveraging lateral movement for reconnaissance and attack preparation purposes. Often, this includes scouting out ways to gain administrative privileges and pathways to the most sensitive data. <\/p>\n\n\n\n After conducting reconnaissance, cybercriminals can mount a swift, coordinated attack. Usually, these attacks do the most damage to the most critical resources \u2014 and in many cases, attackers freeze these critical resources until paid a hefty ransom.<\/p>\n\n\n\n Hackers often look for credentials to steal once inside an organization\u2019s infrastructure. Often, they can find and pull many at once; some systems, for example, store clear-text passwords that hackers can immediately put to use. Credential dumping is the process of copying and exfiltrating those credentials, either to use as part of their attack (e.g., to escalate their privileges) or to sell, hold for ransom, or otherwise compromise.<\/p>\n\n\n\n Because lateral movement can masquerade as a legitimate user and move from resource to resource, it can be hard to detect. Further, movement among accounts and resources makes stopping an attack difficult: shutting down the original compromised resource wouldn\u2019t lock the attacker out of the additional resources they gained access to through lateral movement. So, how can organizations defend against lateral movement attacks?<\/p>\n\n\n\n One of the best ways to stop and minimize the damage of lateral movement is through early detection. Detecting an attacker before they can gather and elevate their access minimizes the attack\u2019s spread and makes it easier to remove them from the network.<\/p>\n\n\n\n The key to detecting lateral movement is gaining thorough understanding and visibility of your network and infrastructure with the right reporting tools. At a minimum, your reporting system should have sufficient event logging to allow security teams to follow a lateral movement attack\u2019s path; the more robust your reporting tool, the better chances you have of detecting and stopping attacks. The JumpCloud directory<\/a>, for example, consolidates the IT infrastructure in one platform and can report on everything from mobile device activity to SAML events at once. This makes it easy to view and analyze end-to-end events across users, devices, applications, networks, and more. <\/p>\n\n\n\n Ideally, reporting tools should combine with activity analysis and alerts to head off suspicious activity. Read on to learn more about detecting and mitigating lateral movement with behavior analysis and threat hunting. <\/p>\n\n\n\n Telemetry can be enhanced with behavior analysis for better lateral movement detection and prevention. Examples of detectable behaviors that might indicate a lateral movement attack include: <\/p>\n\n\n\n IT teams should have a reporting tool that grants them the visibility to detect suspicious activity. In addition, some behavior analysis tools can alert and react to suspicious activity in real time. For example, a solution could alert the security team and immediately suspend an account that gained unexpected admin access. <\/p>\n\n\n\n Unfortunately, automated behavior analysis isn\u2019t always accurate, and frequent false positives in alert systems generate alert fatigue: it\u2019s not uncommon for legitimate alerts to be dismissed as false alarms. Thus, automated alert systems are more secure when supplemented with proactive threat hunting.<\/p>\n\n\n\n Proactive threat hunting draws on machine learning, research, and intelligence around emerging threats, and close study of the organization\u2019s environment to form and test hypotheses around the most likely and dangerous threats to an environment. Proactive threat hunting is generally much more nuanced and accurate than computer-driven behavior analysis; while usually more costly, it can provide significant security benefits to an organization. <\/p>\n\n\n\n Lateral movement is particularly dangerous for businesses that rely on perimeter security, where rings of security \u2014 like a firewall-based perimeter \u2014 protect the central network. Perimeter security is like locking the front door to a single-family home: it creates a barrier to entry, but if someone were to find a way in (either by finding a key or breaking in), they would be able to move unhindered from room to room. The initial entry would grant them access to everything inside the house. <\/p>\n\n\n\n Now compare that to an apartment building. Apartment buildings can\u2019t afford to risk allowing one lock to grant access to every unit; instead, they protect their outer perimeter with lock and key, and then lock the individual units inside that perimeter. This way, even if someone gained access to the outer building door, they wouldn\u2019t be able to enter any units. And even if a burglar did <\/em>happen to stumble upon a keyring with a key to the outer door and a unit door, they could gain access to that unit, but every other unit would remain secure. The potential for lateral movement is significantly lower. <\/p>\n\n\n\n Zero Trust security<\/a> does essentially this: it locks every resource rather than just locking the \u201cfront door.\u201d Zero Trust\u2019s mantra is \u201cnever trust, always verify\u201d: instead of accepting initial network authentication as enough to grant full access to the organization\u2019s resources, Zero Trust prescribes the principle of least privilege and secure authentication everywhere. This prevents lateral movement and mitigates its spread, minimizing the chances of data compromise and reducing damage in the event of a breach. <\/p>\n\n\n\n The following Zero Trust implementations help minimize lateral movement: <\/p>\n\n\n\n Multi-factor authentication (MFA)<\/a> significantly improves authentication security from the traditional username\/password method. Passwords are notoriously susceptible to compromise; MFA, on the other hand, requires authentication factors that are much harder to fake, guess, or crack, like timely access to a user\u2019s personal smartphone. This improved security makes it a critical element of a Zero Trust architecture. <\/p>\n\n\n\n When implemented throughout a network, MFA significantly restricts lateral movement. Instead of allowing one set of credentials to gain access to all the resources a user is assigned, MFA requires continuous authentication. In the spirit of Zero Trust\u2019s mantra of assuming users are untrusted until validated, MFA everywhere forces a user to prove their identity at every new resource access attempt. This way, even if a bad actor gained access to one account, they wouldn\u2019t necessarily be able to access anything else with it. <\/p>\n\n\n\n Microsegmentation<\/a> separates networks, cloud environments, or data centers into discrete units without pathways from one to another. Different microsegments can be configured to strategically host different resources; for example, an organization could create a high-privilege microsegment that houses high-security items, which could never be accessed through the main network. For even better security, the organization could then further divide its high-security microsegment to prevent lateral movement from one high-priority resource to another. <\/p>\n\n\n\n Insights into network traffic and activity \u2014 especially when coupled with security solutions like security information and event management (SIEM) and proactive threat hunting \u2014 can prevent lateral movement by catching suspicious activity in real time. The faster security teams become aware of a possible breach, the better chance they have of shutting it down before it spreads through lateral movement.<\/p>\n\n\n\n The principle of least privilege prescribes that users should only<\/em> be given access to what they need to do their work. The more privileges a user has, the more of a liability their account is. Keeping access permissions restricted by need reduces the amount of lateral movement a threat actor can accomplish from any one account. <\/p>\n\n\n\n Conditional access<\/a> can either relax or heighten authentication requirements based on the conditions of a login. An IT administrator could set up conditional access policies to require MFA or deny access altogether if the conditions of a login are unexpected or questionable. This helps automate lateral movement mitigation by increasing authentication requirements in suspicious conditions. <\/p>\n\n\n\n Universal directories can combine the above functions for an ecosystem that works seamlessly through smooth, native integrations and clear reporting. JumpCloud, for example, combines identity and access management<\/a> (IAM), mobile device management<\/a> (MDM), MFA, conditional access, system and directory insights<\/a>, and more into one platform, keeping everything visible and reporting to the same source of truth. This clarity makes lateral movement easier to detect, and the combination of security measures like MFA and conditional access policies combat lateral movement.<\/p>\n\n\n\n Zero Trust architecture effectively prevents and mitigates lateral movement with continuous safeguards. It\u2019s an organization\u2019s best bet for preventing and mitigating lateral movement attacks, and many organizations are making the switch from perimeter security to Zero Trust. <\/p>\n\n\n\nWhat Is Lateral Movement?<\/strong><\/h2>\n\n\n\n
How Does Lateral Movement Work? <\/strong><\/h2>\n\n\n\n
Network or Infrastructure Access<\/h4>\n\n\n\n
Privilege Gathering and Escalation<\/h4>\n\n\n\n
Reconnaissance <\/h4>\n\n\n\n
Credential Dumping<\/h4>\n\n\n\n
How to Detect Lateral Movement<\/strong><\/h2>\n\n\n\n
Robust Reporting <\/h3>\n\n\n\n
Behavior Analysis<\/h3>\n\n\n\n
Proactive Threat Hunting <\/h3>\n\n\n\n
Prevent and Mitigate Lateral Movement by Implementing Zero Trust<\/strong><\/h2>\n\n\n\n
Multi-Factor Authentication <\/h3>\n\n\n\n
Microsegmentation<\/h3>\n\n\n\n
System Insights <\/h3>\n\n\n\n
Least Privilege Access<\/h3>\n\n\n\n
Conditional Access<\/h3>\n\n\n\n
Universal Directory<\/h3>\n\n\n\n
Dive Deeper Into Zero Trust<\/strong><\/h2>\n\n\n\n