The Anatomy of Lateral Movement Attacks - Instasafe
Digital attackers or hackers move in a very different way than traditional criminals. Hence, understanding their methodology is crucial to preventing attacks and securing networks. Their ways of entry, targets, and intentions are just some of the important aspects of understanding how an attack on digital assets takes place. However, one of the often misunderstood aspects is the ‘movement’ of the attackers.
Attackers who successfully manage to break defences and penetrate a network have a specific goal. Sometimes it is merely exploiting weakness, or it is conducting penetration testing.
However, in the majority of cases, the goal is accessing valuable information, stealing digital assets or planting an espionage-conducting array of tools. To achieve their goal, an attacker need not compromise the targeted machine in the initial phase at all. And this is where ‘Lateral Movement Attacks’ come into play.
What is Lateral Movement Attack?
It is important to understand that when hackers or attackers break into an otherwise secure network, the first compromised device is not the ultimate destination. The first device attacked and broken into is merely a means to an end.
Attackers usually snoop around and look around for the weakest chain in the link. This means they are hunting for the most vulnerable, exposed or otherwise weakly secured computer in the network. Such devices can be in the form of a low-level web server, email account, employee endpoint device, etc.
Once such a device is compromised, attackers then attempt to move further into the targeted network. The first attack is generally harmless or causes the least damage. However, a successful attack allows the attacker to move laterally within the now exploitable network. This is referred to as ‘Lateral Movement Attacks’.
Lateral movement attack is a means to an end. Determined attackers routinely use this technique to identify, attack, compromise, and successfully gain access to sensitive data. Attackers can use multiple tools and methods to gain even-higher privileges and elevated access. This allows them to move laterally (sideways; between devices and apps) through a network. Attackers use a successful lateral movement attack to map the system and identify more targets. However, their goal is always clear. The attack is a means to get to the target.
Understanding the Anatomy of a Lateral Movement Attack:
A lateral movement attack can begin in multiple ways. Typically, an attacker attempts to compromise a machine to get inside a network. The first attack is usually on an external device that connects to a network. Such an attack involves intercepting what is called ‘North-South’ traffic. However, once the attackers have gained entry into the network, they can move laterally or horizontally within the network to reach their objective. This is referred to as ‘East-West’ traffic.
Traditionally, cyber-attacks took place on the device that was the ultimate target. However, modern-day Advanced Persistent Threats (APTs) are vastly different from the rather simplistic cyberattacks of the past. Determined individuals or teams attempt multiple methods and use several tools to compromise a network.
It is interesting and concerning to note that attackers usually manage to penetrate a system through a phishing attack or malware infection. Such attacks take place on ‘endpoint’ devices. There can be several such attacks simultaneously. Their primary goal is to gather information about multiple systems and accounts, obtain credentials, and escalate privileged access. However, the ultimate goal is still far, which is identifying the location, and gaining access to, valuable or sensitive payload.
Incidentally, once the attack and compromise of the endpoint device are successful, the attacker usually impersonates a legitimate and authorized user. They can then move through multiple systems in the network without raising a lot of suspicions.
What Are Common Stages Of Lateral Movement Attacks?
There are three main stages that are completed sequentially while conducting any lateral movement attack. These are reconnaissance, credential/privilege gathering, and gaining access to other computers in the network.
Every attack starts with observation and information gathering. During this primary stage, the attacker merely observes, explores and maps the network, its users, and devices. The information is helpful in understanding naming systems, network hierarchies, identify operating systems and acquire intelligence.
Attackers deploy several tools to understand where they are, and where they need to be, inside a network. Some custom and several open-source tools come in handy while conducting reconnaissance such as port scanning, proxy connections, etc. Sophisticated attackers can even use built-in Windows or support tools as these are the most difficult to detect by security teams.
Once the attacker has identified critical areas to access, the next step is gathering login credentials. These credentials allow an attacker to act as an authorized or legitimate user and move in the network without being seen or their activities tagged and monitored as suspicious.
Credential Dumping and Privilege Escalation:
To successfully conduct a lateral movement attack, an attacker needs valid, and possibly multiple, login credentials. The term used for illegally obtaining credentials is called “credential dumping.” Attackers usually rely on social engineering tactics such as phishing attacks to trick users into sharing key pieces of information. Attackers can also rely on several other techniques such as keyloggers, Mimi Katz, Windows Credential Editor, etc.
It is concerning to note that several users unwittingly create vulnerabilities within the network. Poor or easily guessable passwords, default passwords, old passwords, etc. are often easy targets. In fact, poor password hygiene has been one of the biggest concerns of companies across the world.
The goal of obtaining multiple credentials is to allow ever-higher access within the network. In fact, privilege escalation is key to gaining access to the payload. With the right login credentials, attackers can easily steal data without raising any alarms. Such attacks are rare and are the hardest to detect.
Gaining Access to The Payload:
Attackers can repeat the above-mentioned actions multiple times to gain access to sensitive data or payload. However, the ultimate goal, almost always, remains unchanged. Attackers could perform internal reconnaissance and then bypass security controls to compromise successive hosts multiple times. But their aim is to get to the target.
It is important to note that once an attacker has secured administrative privileges, they gain deeper access into a network. Here on, any malicious lateral movement attack can be very difficult to detect. This is because the movements and actions usually appear to be “normal” network traffic conducted by authorized users.
Attackers conducting lateral movement attacks usually aim to move very quietly within the target network. This is because there has been a lot of effort to gain access. Moreover, an alarm at this stage is quite problematic. Detection can not only render the attack futile; it can also force the target to improve security and deploy policies that can make the next attack nearly impossible.