What does lateral movement (cybersecurity attack) mean?
Lateral movement is a set of techniques that cyber attackers use, after gaining an initial foothold, to stealthily explore a target network or cloud environment, discover its weaknesses, and elevate access privileges until they reach their objective. The goal of malicious lateral movement is to expand access: explore as much of the environment as the compromised credentials allow, and look for further weaknesses that can be exploited to gain higher privileges. Typically, a malicious actor is looking for a misconfigured device, a vulnerable software application, or an access credential that can be harvested and reused.
Lateral movement plays a significant role in security breaches, including Advanced Persistent Threats (APTs). In this type of prolonged attack, the perpetrator remains hidden inside the target for a long period of time, patiently waiting for the right opportunity to escalate the attack. Network security and monitoring tools frequently do not issue alerts when an authenticated identity moves laterally across a network or cloud environment, because each individual logon or API call looks like legitimate behavior; the signal is in the pattern of activity, not in any single event. Attackers can remain hidden for months or years, and in some cases were only discovered when monitoring tools caught them elevating privileges.
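Because every individual authentication in a lateral-movement chain is a valid logon, a useful detection looks at the aggregate rather than the event: one account reaching an unusual number of distinct hosts inside a short window. The following is an added example, not code from the original article. The log format (simple key=value lines), the account and host names, the 10-minute window and the threshold of five hosts are all constructed for illustration and would need tuning against a real environment's baseline.

```python
"""Flag accounts that fan out to many distinct hosts in a short window.

Lateral movement by an authenticated identity looks like ordinary logons,
so a single event is never suspicious; the signal is in the aggregate.
This detector keys on one account successfully authenticating to an
unusual number of DISTINCT destination hosts inside a sliding time window.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). The key=value layout is an
# assumption made for this example; adapt parse_line() to your own source.
SAMPLE_LOG = """\
2024-05-02T09:58:10Z account=alice src=10.0.1.20 dst=FILESRV01 result=success
2024-05-02T10:01:12Z account=svc_backup src=10.0.1.5 dst=HOST01 result=success
2024-05-02T10:01:40Z account=svc_backup src=10.0.1.5 dst=HOST02 result=success
2024-05-02T10:02:05Z account=svc_backup src=10.0.1.5 dst=HOST03 result=success
2024-05-02T10:02:30Z account=svc_backup src=10.0.1.5 dst=HOST03 result=success
2024-05-02T10:03:01Z account=svc_backup src=10.0.1.5 dst=HOST04 result=success
2024-05-02T10:03:44Z account=svc_backup src=10.0.1.5 dst=DC01 result=success
2024-05-02T10:15:00Z account=alice src=10.0.1.20 dst=MAILSRV result=success
2024-05-02T11:30:00Z account=bob src=10.0.2.7 dst=HOST01 result=success
2024-05-02T11:31:00Z account=bob src=10.0.2.7 dst=HOST02 result=success
"""

WINDOW = timedelta(minutes=10)   # assumed window; tune per environment
THRESHOLD = 5                    # distinct hosts per account per window


def parse_line(line):
    """Parse 'TIMESTAMP k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_fanout(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per account whose distinct-destination count reaches
    `threshold` within `window`. Events are assumed to be time-ordered."""
    recent = defaultdict(deque)   # account -> deque of (ts, dst) inside window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        event = parse_line(line)
        if event.get("result") != "success":
            continue  # failed logons belong to a different detection (spraying)
        history = recent[event["account"]]
        history.append((event["ts"], event["dst"]))
        # Drop everything older than the window relative to this event.
        while history and event["ts"] - history[0][0] > window:
            history.popleft()
        hosts = {dst for _, dst in history}
        if len(hosts) >= threshold and event["account"] not in alerted:
            alerted.add(event["account"])
            alerts.append({
                "account": event["account"],
                "src": event["src"],
                "hosts": sorted(hosts),
                "first_seen": history[0][0].isoformat(),
                "last_seen": event["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(SAMPLE_LOG):
        print(f"ALERT {alert['account']} from {alert['src']} reached "
              f"{len(alert['hosts'])} hosts between {alert['first_seen']} and "
              f"{alert['last_seen']}: {', '.join(alert['hosts'])}")
```

On the constructed sample, `alice` touches two hosts 17 minutes apart and is never flagged, while `svc_backup` reaches five distinct hosts (ending at a domain controller) in under three minutes and is. Service accounts that legitimately fan out (backup, patching, scanners) are the usual source of false positives, so in practice the threshold is set per account class or against a learned per-account baseline rather than globally.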
To limit the damage caused by malicious lateral movements, information technology (IT) administrators should:
- Foster a Zero Trust culture that assumes attackers have already gained access to the network or cloud environment.
- Apply the Principle of Least Privilege (PoLP).
- Build a graph database that maps the organization’s access points and the privilege relationships between them.
- Identify access points that provide direct access to the organization’s most valuable assets.
- Identify the access points most exposed to attacks.
- Use network segmentation whenever possible to limit attack surfaces.
When malicious lateral movement is detected, IT administrators and security engineers should revoke the attacker’s access as soon as possible and isolate compromised network segments.
The Incident Response Team should immediately perform a forensic audit to determine how the attacker gained access, what digital assets were accessed, and what damage, if any, was caused.
The audit process should also review business rules for securing access privileges and recommend actions to close security gaps that could lead to further harm.
Techopedia Explains Lateral Movement (Cybersecurity Attack)
People should view lateral movement not as an attack per se, but as a critical phase of an attack where the attacker is looking for their next machine or identity to compromise after gaining a foothold.
Ideally, the attacker would like to compromise an identity with administrative privileges (a privileged identity), but that is not always possible, so they have to move through the environment until they reach an identity that has the privileges they need.
They can do this by:
- Assuming Roles – If the compromised identity is allowed to assume roles that carry privileged access to sensitive assets, the attacker inherits that access without needing to steal another credential, which is very risky for the organization.
- Shadow Admins – The attacker can also collect a combination of individual permissions that adds up to administrative control (for example, the right to reset an administrator’s password) without ever holding a formal admin role. These unofficial admins are called shadow admins and are harder to identify because nothing in the directory labels them as administrators.
- Vulnerability Exploitation – The traditional “inside-the-perimeter” lateral movement method was to compromise a machine and then use it to move on to a more interesting target, either by exploiting a software vulnerability on the next host or by abusing credential material with techniques such as pass-the-hash to escalate privileges. In modern cloud environments identity is the perimeter, so stolen credentials and tokens have become the primary target.
Lateral movement plays an important role in many types of cyberattacks, including business email compromise (BEC), spear phishing, and whaling. In these types of social engineering exploits, the attacker will first try to steal the identity of a high-ranking employee, relying on the idea that executives are more likely to have administrative privileges than lower-level employees. If that strategy doesn’t work, they’ll look for an easier way in through a less privileged identity, then use the new credentials to continue the attack incrementally.
Lateral Movement in the Cloud
The widespread adoption of software as a service (SaaS) and hybrid cloud infrastructures has increased the number of identities that IT administrators must manage and secure. Unfortunately, the likelihood of these identities being compromised has also increased. In a distributed IT infrastructure, line of business (LOB) managers are often tasked with managing access for their department’s niche SaaS applications. Unless mechanisms are in place to provide visibility into cloud access permission levels, it can be difficult (if not impossible) to know when accounts are overprivileged. Another issue is that cloud-based identity and access management (IAM) tools can themselves be compromised and used to carry out an attack.
Importance of limiting risks
While prevention is ideal, companies should also do what they can to limit the blast radius. One of the challenges these teams face is the lack of visibility. Even when an organization uses an Identity Governance and Administration (IGA) tool or an Identity Provider (IdP), it can be difficult to understand access activity that flows through peer-to-peer access provisioning, non-federated identities (those not in Okta, Azure AD, Ping Identity), and orphaned credentials left behind by employees who have changed roles within the organization or moved to another post.
A formal plan for detecting malicious lateral movement can help administrators set enforceable policies that govern how access is granted and continuously monitor privilege proliferation. The plan should improve visibility by answering the following questions:
- What are the organization’s most valuable assets?
- Who already has access privileges for these resources?
- Who has administrative privileges?
- What is the process for granting access privileges to new users?
- What is the process for escalating access privileges?
- How are access rights to the asset controlled?
- Who is responsible for addressing privilege proliferation?
- What process should be followed when the attack takes place on-premises?
- What process should be followed when the attack takes place in the cloud?
Importance of thinking like an attacker
If IT administrators and LOB managers want to beat attackers at their own game, they need to start thinking like an attacker. Today, defenders generally follow lists of best practices and compliance regulations to improve their security. The problem is that attackers who use lateral movement don’t think in terms of lists – they think in terms of graph theory. Their plans do not involve checklists. They are more like maps that show how the attacker can move laterally from the initial compromise (point A) to a relatively low-value target (point B) and use point B to gain access to the final target (point C). They care little about the process, just the results.
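The graph view described above is also the view that answers the earlier recommendations (map access points in a graph database, identify who has direct access to the most valuable assets) and exposes the shadow-admin and role-assumption paths discussed in the list above. The following is an added toy example, not code from the original article or from any real tool: the identities, hosts, roles and the `EDGES` list are hypothetical, and the relationship labels (`AdminTo`, `HasSession`, `MemberOf`, `AssumeRole`, `CanResetPassword`) are illustrative, loosely modelled on the vocabulary attack-path tools use rather than taken from any one of them. An edge `u -> v` is read as "control of u yields control of (or access to) v".

```python
"""Attack-path analysis over a small access graph.

Nodes are users, groups, roles, hosts and assets. A directed edge u -> v
means "control of u yields control of (or access to) v". Three defender
questions become graph questions:
  1. What is the shortest path from a foothold to the crown jewels?
  2. Which users are shadow admins (not declared admins, but can reach them)?
  3. Which nodes have DIRECT access to the crown jewels?
"""
from collections import defaultdict, deque

# Constructed example graph (hypothetical names, not from any real tenant).
# Relationship labels are illustrative.
EDGES = [
    ("bob",            "AdminTo",          "WS-042"),         # local admin on workstation
    ("WS-042",         "HasSession",       "svc_backup"),     # creds cached on WS-042
    ("svc_backup",     "AdminTo",          "FILESRV01"),
    ("FILESRV01",      "HasSession",       "helpdesk_tier2"),
    ("helpdesk_tier2", "CanResetPassword", "ops_lead"),       # shadow-admin style edge
    ("ops_lead",       "AssumeRole",       "ProdDeployRole"), # role assumption
    ("ProdDeployRole", "AdminTo",          "PROD-DB"),
    ("alice",          "MemberOf",         "Domain Admins"),
    ("Domain Admins",  "AdminTo",          "PROD-DB"),
    ("carol",          "AdminTo",          "WS-017"),
]
USERS = {"bob", "svc_backup", "helpdesk_tier2", "ops_lead", "alice", "carol"}
ADMIN_GROUP = "Domain Admins"
CROWN_JEWEL = "PROD-DB"


def build_graph(edges):
    """Adjacency list: node -> [(relationship, target), ...]."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
        graph[dst]  # make sure sinks exist as nodes
    return graph


def shortest_path(graph, start, goal):
    """BFS over hops. Returns [(node, rel, node), ...] or None if unreachable."""
    if start == goal:
        return []
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if nxt in prev:
                continue
            prev[nxt] = (node, rel)
            if nxt == goal:
                hops, cur = [], goal
                while prev[cur] is not None:
                    parent, via = prev[cur]
                    hops.append((parent, via, cur))
                    cur = parent
                return hops[::-1]
            queue.append(nxt)
    return None


def reachable(graph, start):
    """Every node controllable from `start` (transitive closure by DFS)."""
    seen, stack = {start}, [start]
    while stack:
        node = stack.pop()
        for _, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def declared_admins(graph, admin_group):
    """Principals the directory explicitly labels as admins."""
    return {src for src, out in graph.items()
            for rel, dst in out if rel == "MemberOf" and dst == admin_group}


def shadow_admins(graph, users, admin_group, target):
    """Users who are not declared admins yet can reach the target."""
    admins = declared_admins(graph, admin_group)
    return {u for u in users if u not in admins and target in reachable(graph, u)}


def direct_access(graph, target):
    """Nodes one hop away from the target: the access points to harden first."""
    return {src for src, out in graph.items() for _, dst in out if dst == target}


if __name__ == "__main__":
    g = build_graph(EDGES)
    for parent, rel, child in shortest_path(g, "bob", CROWN_JEWEL):
        print(f"{parent} -[{rel}]-> {child}")
    print("shadow admins:", sorted(shadow_admins(g, USERS, ADMIN_GROUP, CROWN_JEWEL)))
    print("direct access to", CROWN_JEWEL, ":", sorted(direct_access(g, CROWN_JEWEL)))
```

On this graph `bob`, an ordinary user with local admin on one workstation, reaches `PROD-DB` in seven hops without ever touching `Domain Admins`; four users turn out to be shadow admins although only `alice` is a declared one. Cutting a single edge on the path (for example the cached `svc_backup` session on `WS-042`, or the helpdesk account's password-reset right over `ops_lead`) removes the whole route, which is the kind of targeted fix the graph view makes visible and a checklist does not.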