The number of avenues for cyberattacks seems endless, especially in the digital era we’re living through right now. Lateral movement is just one example of a threat that has become more common; you may not know it by name, but it has emerged as one of the primary threats to watch for.
A successful lateral movement attack lets adversaries compromise an existing system and access other hosted materials, such as shared credentials, folders and mailboxes. Here’s how organizations can defend themselves.
What Is Lateral Movement in Cybersecurity?
A lateral movement attack occurs when a bad actor infiltrates low-level digital infrastructure and uses it as leverage to then access related properties. Infiltrating lower-priority assets can open the doors to even more valuable digital information.
These can include various data types, such as financial and payment information and intellectual property (IP). Consider lateral movement attacks as a manifestation of the axiom “a chain is only as strong as its weakest link.” After breaching one endpoint, attackers can use the captured credentials or the exploited vulnerability to extend their unauthorized access throughout the network. This lateral movement can give them access to numerous other organizational assets.
Advanced persistent threats (APTs) are the most common type of cyberattack made possible by lateral movement. Given enough time and enough unprotected, exploitable weaknesses in the network, the attacker may eventually gain access to the domain controller itself. From there they can attack the entire digital infrastructure of a company, including its root accounts.
How Does Lateral Movement Work?
The hallmark of lateral movement attacks is that hackers use compromised network access at one point to gather information about other parts of the system. This includes accessing additional credentials, exploiting improperly configured features and taking advantage of software vulnerabilities.
Without the proper precautions, access at one point in the network can open up several others.
Hackers engaged in lateral movement typically do so using the following steps:
- Reconnaissance: The first step involves bad actors scoping out their target. Hackers might investigate external networks, social media activity and any stored credentials. So-called “credential dumps” may enable hackers to infiltrate organizational email accounts or virtual private networks (VPNs).
- Infiltration: This initial scanning and probing will yield one or several potential attack vectors. Once a weakness is found, the bad actor will attempt to use it to access other vulnerable accounts and hardware. This is where the “lateral movement” takes place. A single unsecured vulnerability can grant access throughout the organization’s network.
- Vulnerability study: Access to low-level accounts yields a wealth of information about operating systems, network organization and hierarchy, and the location of digital assets. Hackers can use built-in operating system (OS) utilities such as IPConfig, ARP caches and Netstat to gather additional information about the target’s digital landscape.
- Additional credential and access theft: Hackers use this level of access to expand their control over the target network. Tools like keyloggers, phishing attempts and network sniffers can use one compromised IT area to gather information on another. This creates an ever-expanding web of control for the intrusive party.
- Further system intrusion: This is where the phrase “advanced persistent threat” comes into play. Enough uninterrupted access to these compromised assets allows attackers to continue their efforts using control applications like PowerShell and remote desktop software. These persistent threats may go undetected by encrypting their traffic and scheduling their transfers to blend in with normal activity.
How to Defend Against Lateral Movement Attacks
Attention to several proven practices lets organizations safeguard the weakest links in their cybersecurity chains and prevent lateral movement attacks.
There’s no need to let lateral movement attacks undermine the advantages of investing in cloud services and digital infrastructure. Here’s how to mount an effective defense.
1. Principle of Least Privilege
The principle of least privilege means each member of an organization has credentials for and access to only the systems and apps they require for their daily work. One example is restricting administrative privileges to IT staff.
2. Whitelisting and Vetting
Vetting and evaluating all new applications is essential. Organizations should maintain a whitelist of apps that are known to be secure and a blacklist of those with known exploits. If a new application request duplicates features already offered by another, use the vetted app instead of the new one.
3. AI and EDR Security
Endpoint detection and response (EDR) is the gold standard for monitoring endpoints and flagging suspect events. Data collected using EDR tools can train AI-based cybersecurity software to watch for unauthorized access and other signals that might denote malicious network activity.
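The lateral movement steps described above (credential reuse, PowerShell and remote desktop hops between hosts) leave a trail in logon telemetry, and this is exactly the kind of “suspect event” an EDR pipeline flags. The following is an added example, not code from the original article or from any EDR vendor: it runs two simple detections over a constructed set of logon events whose fields mirror a Windows security log entry (time, account, source host, destination host, logon type). The host naming convention (WS- for workstations, FS- for file servers, DC- for domain controllers), the 5-minute window and the threshold of four distinct hosts are assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events (not real logs). Logon type 3 is a network
# logon (SMB share, PowerShell remoting); type 10 is remote interactive (RDP).
# alice's workstation reaches five different hosts in under a minute, including
# RDP to two other workstations and a network logon to a domain controller.
SAMPLE_EVENTS = """\
2024-05-01T09:00:05 alice WS-17 FS-01 3
2024-05-01T09:00:09 alice WS-17 FS-02 3
2024-05-01T09:00:12 alice WS-17 WS-22 10
2024-05-01T09:00:20 alice WS-17 WS-23 10
2024-05-01T09:00:31 alice WS-17 DC-01 3
2024-05-01T09:15:00 bob WS-04 FS-01 3
2024-05-01T10:00:00 bob WS-04 FS-01 3
"""


def parse_events(text):
    """Parse whitespace-separated event lines into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst, logon_type = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "account": account,
            "src": src,
            "dst": dst,
            "logon_type": int(logon_type),
        })
    return sorted(events, key=lambda e: e["time"])


def detect_fan_out(events, window=timedelta(minutes=5), threshold=4):
    """Flag an account whose logons reach >= threshold distinct destination
    hosts within one sliding window. Normal users touch a handful of fixed
    servers; an attacker pivoting with stolen credentials fans out."""
    alerts = []
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)
    for account, evs in by_account.items():
        for i, start in enumerate(evs):
            hosts = set()
            for e in evs[i:]:
                if e["time"] - start["time"] > window:
                    break
                hosts.add(e["dst"])
            if len(hosts) >= threshold:
                alerts.append((account, start["src"], sorted(hosts)))
                break  # one alert per account per run is enough
    return alerts


def detect_workstation_rdp(events):
    """Workstation-to-workstation remote interactive logons (type 10) are rare
    in normal operations (admins RDP from jump hosts to servers), so each one
    is worth a look. Host-role detection by name prefix is an assumption."""
    return [
        (e["account"], e["src"], e["dst"])
        for e in events
        if e["logon_type"] == 10
        and e["src"].startswith("WS-")
        and e["dst"].startswith("WS-")
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for account, src, hosts in detect_fan_out(evs):
        print(f"fan-out: {account} from {src} reached {len(hosts)} hosts: {hosts}")
    for account, src, dst in detect_workstation_rdp(evs):
        print(f"workstation RDP: {account} {src} -> {dst}")
```

Both rules are deliberately simple; in practice the threshold comes from a per-account baseline learned over weeks of data, which is where the AI-assisted tooling the paragraph mentions earns its keep. Domain-controller logons from a workstation and workstation-to-workstation RDP are also good candidates for stand-alone rules because they rarely occur in a least-privilege environment.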
4. Password Hygiene
It feels like a basic cybersecurity measure by now, but the essentials will always be important. Any organization doing business online must coach employees and volunteers on good password hygiene. That means no repeated passwords across multiple properties or accounts and changing passwords regularly.
5. Two-Factor Authentication
Two-factor authentication (2FA), also called multifactor authentication (MFA), is another basic but essential bulwark against lateral movement attacks. 2FA ensures that if one set of access credentials is compromised, the would-be hacker still needs access to a second device to complete the login.
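To make the “second device” requirement concrete, here is an added example (not code from the original article) of a login check that requires both a password and a time-based one-time code (TOTP, RFC 6238) generated on a separate device. The user record, the password salt and the demo secret are constructed values; the secret is the published RFC 4226/6238 test key, chosen only so the expected codes are well known. A stolen password alone, or a code replayed after it has been used, does not get through.

```python
import hashlib
import hmac
import struct

STEP = 30      # TOTP time step in seconds
DIGITS = 6

# Constructed demo secret: the RFC 4226/6238 test vector key, not a real credential.
DEMO_SECRET = b"12345678901234567890"
DEMO_SALT = b"constructed-salt"


def hotp(secret, counter, digits=DIGITS):
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=STEP):
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, int(at_time) // step)


def hash_password(password, salt=DEMO_SALT):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user store: one account with a hashed password and a TOTP secret.
USERS = {
    "alice": {
        "password_hash": hash_password("correct horse battery staple"),
        "totp_secret": DEMO_SECRET,
        "last_used_counter": -1,   # replay protection: never accept an older step
    }
}


def verify_second_factor(record, submitted, at_time, skew=1):
    """Accept a code for the current step or +/- skew steps (clock drift),
    refuse any step at or below the last one already used, and compare in
    constant time. Returns True and burns the counter on success."""
    counter = int(at_time) // STEP
    for delta in range(-skew, skew + 1):
        candidate = counter + delta
        if candidate <= record["last_used_counter"]:
            continue
        if hmac.compare_digest(hotp(record["totp_secret"], candidate), submitted):
            record["last_used_counter"] = candidate
            return True
    return False


def login(users, username, password, otp, at_time):
    """Both factors are required; failures look identical to the caller."""
    record = users.get(username)
    if record is None:
        return False
    if not hmac.compare_digest(record["password_hash"], hash_password(password)):
        return False
    return verify_second_factor(record, otp, at_time)


if __name__ == "__main__":
    now = 59
    code = totp(DEMO_SECRET, now)        # what the user's phone would show
    print("password only:", login(USERS, "alice", "correct horse battery staple", "000000", now))
    print("both factors: ", login(USERS, "alice", "correct horse battery staple", code, now))
    print("replayed code:", login(USERS, "alice", "correct horse battery staple", code, now))
```

The point for lateral movement is the replay and skew handling: a credential dump or keylogger yields a password and perhaps one captured code, but the code expires within a step and cannot be reused, so the attacker cannot ride a single captured login into other systems.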
Knowledge and Prevention Are Key
Lateral movement is a major component of many modern cyberattacks. It takes advantage of unsecured lower-level network properties and leverages weak account protections. These techniques should go a long way toward hardening any organization’s network against this type of attack.