Lateral movement is the term that describes the post-compromise stage of a cyberattack in which the attacker expands its footprint in the targeted environment from the initial patient-zero machines to other workstations and servers.
Lateral movement is paramount for achieving the attack’s objective, be it data theft, mass encryption of machines, or any other. The means by which lateral movement takes place are compromised user credentials. These credentials are either purchased in advance or obtained from compromised endpoints during the attack. Typically, lateral movement takes place in the on-prem Active Directory environment, taking advantage of its lack of real-time detection and prevention of malicious authentications.
Why is Lateral Movement an Identity Threat?
Lateral movement is powered by compromised credentials. In an enterprise environment, the only way to access workstations and servers is by providing valid user credentials. While there are various ways to do that – ranging from simply entering a cleartext username and password, to forging a Kerberos ticket from a compromised hash – the essence is still the same. In other words, lateral movement is the purpose, while malicious authentication is the means.
How is a Lateral Movement Attack Carried Out?
Lateral movement is executed through any of the standard remote access methods in a domain network. These tools were built to let helpdesk personnel troubleshoot remote machines, and they provide equally seamless access to threat actors who use them for malicious purposes.
The most prominent of these are:
- Remote Desktop Protocol (RDP) – This tool opens a window of the destination machine’s UI, providing easy access to files, folders, and installed software.
- CMD – There are various CMD tools for remote access, with PsExec the most prevalent of them, opening a command line window to the destination machine.
- PowerShell – similar to CMD, PowerShell also provides various remote access utilities, with Enter-PSSession as the most commonly used one.
Why is Lateral Movement a Blind Spot for Security Products?
There are two main challenges security products encounter in the attempt to protect against lateral movement attacks:
- Detection: Because lateral movement employs valid credentials and legitimate remote access tools, it’s extremely hard for security products to differentiate between a legitimate authentication and a malicious one, resulting in a large volume of false positives.
- Prevention: Active Directory (AD), the standard identity provider in the on-prem environment, cannot incorporate risk analysis and detection in its authentication flow, so there is no way to block a malicious authentication from taking place.
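The detection problem above is that each authentication looks valid in isolation and only the pattern gives the attacker away. As an added defender-side illustration (not code from the original page or from Silverfort), the heuristic below runs over a constructed sample of Windows 4624 logon events and flags an account that authenticates to many hosts from one source within a short window; the event fields, the logon-type values used and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security 4624 (successful logon) events.
# Logon type 10 = RemoteInteractive (RDP); type 3 = Network (PsExec/SMB, WinRM).
# Fields: timestamp, account, source workstation, destination host, logon type.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:05", "alice", "WS-01", "FS-01", 3),
    ("2024-05-01T09:00:09", "alice", "WS-01", "FS-02", 3),
    ("2024-05-01T09:00:14", "alice", "WS-01", "SRV-DB1", 3),
    ("2024-05-01T09:00:20", "alice", "WS-01", "SRV-APP1", 10),
    ("2024-05-01T09:00:31", "alice", "WS-01", "DC-01", 3),
    ("2024-05-01T09:30:00", "bob", "WS-07", "FS-01", 3),
    ("2024-05-01T10:15:00", "bob", "WS-07", "SRV-APP1", 10),
]

REMOTE_LOGON_TYPES = {3, 10}  # local console logons (type 2) are not lateral


def find_fan_out(events, window=timedelta(minutes=5), threshold=4):
    """Return {(account, source): sorted destinations} for every account/source
    pair that reached >= threshold distinct hosts within `window`.
    Every single logon here is a valid credential used with a legitimate tool;
    only the fan-out pattern distinguishes it from helpdesk activity."""
    per_actor = defaultdict(list)
    for ts, account, src, dst, ltype in events:
        if ltype in REMOTE_LOGON_TYPES:
            per_actor[(account, src)].append((datetime.fromisoformat(ts), dst))
    hits = {}
    for actor, logons in per_actor.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            # Sliding window anchored at each logon; stop at the first hit.
            in_window = {dst for t, dst in logons[i:] if t - t0 <= window}
            if len(in_window) >= threshold:
                hits[actor] = sorted(in_window)
                break
    return hits


if __name__ == "__main__":
    for (account, src), dsts in find_fan_out(SAMPLE_EVENTS).items():
        print(f"possible lateral movement: {account} from {src} -> {dsts}")
```

Tuning the window and threshold against a baseline of normal admin behaviour is what keeps this from producing the false-positive volume the text describes.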
What makes Lateral Movement a Critical Issue for Every Company?
While in the past lateral movement was employed only in high-end APT campaigns, today it is an integral part of more than 80% of ransomware attacks. Threat actors have realized that lateral movement enables them to encrypt a mass volume of machines at once by gaining domain dominance and executing the ransomware payload from a shared network folder.
This is far more cost-effective than sending weaponized emails to each machine in the organization separately and encrypting them one by one. This, practically, makes every organization a potential target. Learn how Silverfort solves this problem.
What is lateral movement?
Lateral movement refers to the process of an attacker moving laterally through the network after gaining initial access, in order to gain access to more resources and sensitive information. This movement is often achieved by stealing credentials or using other techniques to impersonate legitimate users.
Once an attacker has gained initial access to a network, they may use a variety of techniques to move laterally through the network, such as:
- Stealing credentials: Attackers may use malware or phishing attacks to steal user credentials, such as usernames and passwords, which can then be used to access other resources on the network.
- Impersonating users: Attackers may use stolen credentials or other techniques to impersonate legitimate users and gain access to additional resources on the network.
- Exploiting vulnerabilities: Attackers may use known vulnerabilities in network devices or software to gain access to additional resources on the network.
- Network reconnaissance: Attackers use tools and techniques to gather information about the network such as open ports, services running, and active users, in order to move laterally through the network.
The goal of lateral movement is to gain access to sensitive information and resources, such as financial data, intellectual property, or personal information, or to gain control over the network to launch further attacks.
What is an example of lateral movement?
An example of lateral movement in a network is when an attacker gains access to one system or account and then uses that access to move across the network to other systems or accounts, potentially escalating their privilege level and gaining access to sensitive information. This can be done either by logging in directly with a compromised username and password, or by employing alternate protocol techniques such as pass-the-hash, pass-the-ticket, silver ticket and others.
Why would an attacker want to perform lateral movement?
An attacker may want to perform lateral movement in a network for several reasons:
- Escalation of privilege: An attacker may start with access to a low-privilege account or system, but by moving laterally they can gain access to higher-privilege accounts or systems that provide access to sensitive information or functionality.
- Persistence: By moving laterally, an attacker can establish a foothold on multiple systems, making it harder for defenders to detect and remove the attacker from the network.
- Data exfiltration: Lateral movement can allow an attacker to move closer to their ultimate goal of exfiltrating sensitive data from the network.
- Access to additional resources: By moving laterally, an attacker can gain access to additional resources, such as servers or databases, that can be used to further their objectives.
Overall, lateral movement allows an attacker to gain a deeper level of access to the network and expands the scope of the attack.