Lateral movement is the term for the post-compromise stage of a cyberattack in which the attacker expands their footprint in the targeted environment from the initial patient-zero machines to other workstations and servers.
Lateral movement is paramount for achieving the attack’s objective, be it data theft, mass encryption of machines, or any other. The means by which lateral movement takes place are compromised user credentials. These credentials are either purchased in advance or obtained from compromised endpoints during the attack. Typically, lateral movement takes place in the on-prem Active Directory environment, taking advantage of its lack of real-time detection and prevention of malicious authentications.
Lateral movement is powered by compromised credentials. In an enterprise environment, the only way to access workstations and servers is by providing valid user credentials. While there are various means to do that – ranging from simply entering a cleartext username and password, to forging a Kerberos ticket from a compromised hash – the essence is still the same. In other words, lateral movement is the purpose while malicious authentication is the means.
Lateral movement is executed through any of the standard remote access methods in a domain network. These tools were built to let helpdesk personnel troubleshoot remote machines, and they provide the same seamless access to threat actors who use them for malicious purposes.
The most prominent of these are:
There are two main challenges security products encounter in the attempt to protect against lateral movement attacks:
While in the past lateral movement was employed only in high-end APT campaigns, today it is an integral part of more than 80% of ransomware attacks. Threat actors have realized that lateral movement enables them to encrypt a large volume of machines at once by gaining domain dominance and executing the ransomware payload from a shared network folder.
This is far more cost-effective than sending weaponized emails to each machine in the organization separately and encrypting them one by one. In practice, this makes every organization a potential target. Learn how Silverfort solves this problem.
Lateral movement refers to the process of an attacker moving laterally through the network after gaining initial access, in order to gain access to more resources and sensitive information. This movement is often achieved by stealing credentials or using other techniques to impersonate legitimate users.
Once an attacker has gained initial access to a network, they may use a variety of techniques to move laterally through the network, such as:
The goal of lateral movement is to gain access to sensitive information and resources, such as financial data, intellectual property, or personal information, or to gain control over the network to launch further attacks.
An example of lateral movement in a network is when an attacker gains access to one system or account and then uses that access to move across the network to other systems or accounts, potentially escalating their privilege level and gaining access to sensitive information. This can be done either by logging in directly with a compromised username and password, or by employing alternate protocol techniques such as pass-the-hash, pass-the-ticket, silver ticket and others.
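Because lateral movement is ultimately a series of authentications, the pattern it leaves in the domain is one account logging on over the network to many different machines in a short time. The following added example (not Silverfort's code or any product's logic) shows a defender-side check for that pattern over constructed Windows Security log lines; the line format, the `max_hosts` threshold and the 10-minute window are assumptions chosen for illustration.

```python
"""Flag accounts whose network logons fan out to many hosts in a short window.

Added example, not code from the original page. Input lines are a constructed,
simplified rendering of Windows Security event 4624 (successful logon):
logon type 3 = network logon; pkg = authentication package (NTLM/Kerberos).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. "bob" reaches five hosts within three minutes over
# NTLM network logons, which is the shape pass-the-hash style movement produces.
SAMPLE_EVENTS = [
    "2024-03-01T09:00:05 4624 user=alice host=WS01 src=10.0.0.5 type=2 pkg=Kerberos",
    "2024-03-01T09:01:10 4624 user=svc_backup host=SRV01 src=10.0.0.9 type=3 pkg=Kerberos",
    "2024-03-01T09:02:00 4624 user=bob host=WS07 src=10.0.0.21 type=3 pkg=NTLM",
    "2024-03-01T09:02:30 4624 user=bob host=WS08 src=10.0.0.21 type=3 pkg=NTLM",
    "2024-03-01T09:03:05 4624 user=bob host=FS01 src=10.0.0.21 type=3 pkg=NTLM",
    "2024-03-01T09:03:40 4624 user=bob host=WS12 src=10.0.0.21 type=3 pkg=NTLM",
    "2024-03-01T09:04:15 4624 user=bob host=DC01 src=10.0.0.21 type=3 pkg=NTLM",
    "2024-03-01T14:30:00 4624 user=alice host=FS01 src=10.0.0.5 type=3 pkg=Kerberos",
]


def parse_event(line):
    """Turn one constructed log line into a dict with a parsed timestamp."""
    ts, event_id, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.fromisoformat(ts)
    rec["event_id"] = event_id
    return rec


def find_lateral_movement(lines, max_hosts=3, window=timedelta(minutes=10)):
    """Return {user: sorted hosts} for accounts with successful network logons
    (4624, logon type 3) to more than max_hosts distinct machines inside one
    sliding window. Interactive logons (type 2) are ignored as normal use."""
    by_user = defaultdict(list)
    for line in lines:
        rec = parse_event(line)
        if rec["event_id"] == "4624" and rec["type"] == "3":
            by_user[rec["user"]].append((rec["time"], rec["host"]))
    flagged = {}
    for user, logons in by_user.items():
        logons.sort()  # chronological, so each index starts a candidate window
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged
```

Tuning `max_hosts` per account type matters: service and admin accounts legitimately touch many hosts, so a baseline of normal fan-out per account is needed before alerting on it.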
An attacker may want to perform lateral movement in a network for several reasons:
Overall, lateral movement allows an attacker to gain a deeper level of access to the network and expands the scope of the attack.