As more people and organisations become victims of cyber-attacks, the attacks themselves are becoming more widespread and complex. One particularly sophisticated technique is known as lateral movement.
Because lateral movement is stealthy and difficult to detect, most traditional security measures struggle to identify the attacker, or any malicious code, as they move within a network. These attacks are therefore very effective and profitable for the attacker, allowing them to compromise large numbers of systems from a single foothold.
Recent data reports indicate that many organisations have inadequate cybersecurity practices, which makes them vulnerable to similar security threats such as data loss and malware infection.
Hence, it is crucial to comprehend the anatomy of lateral movement attacks and how they usually work to stay up to date with the constantly evolving cybersecurity landscape.
What Exactly is Lateral Movement in Cyber Security?
Consider a scenario where a group of robbers break into a house through an open window, then split up and enter different rooms. Even if one robber is caught in one room, the others can continue looting.
Similarly, lateral movement in cybersecurity is a method used by attackers to gain access to various areas of a network, such as servers, endpoints, and applications, making it challenging to contain the attack.
Lateral movement is the term used to describe the movement of a cyber attacker within a network after an initial compromise. Attackers use this technique to surreptitiously investigate a target network or cloud environment, identify its weaknesses, and elevate their access permissions until they reach their target.
How Does the Lateral Movement Attack Occur?
A lateral movement attack typically involves three main stages:
Stage 1: Reconnaissance
Planning and persistence are crucial to successfully executing a targeted attack.
During this phase, the threat actor explores the network to develop an understanding of naming conventions and network hierarchies and to pinpoint other weaknesses. With this knowledge, they can formulate a plan to get deeper inside the network.
Stage 2: Infiltration
Even an advanced attacker can struggle to infiltrate a targeted organisation, so they may resort to first targeting a victim off-network via their personal accounts.
Remember, the initial exploit is just the beginning. The attacker must then map out the organisation's network, move laterally to other devices, and gain access to desired servers or data.
To do so, the attacker combines credential dumping¹ and privilege escalation² with login credentials (usually gained via phishing) to gain access to different parts of the system.
¹ Credential dumping refers to the act of gathering login credentials, including usernames and passwords, from software applications or from memory on a compromised system. This usually yields either a password hash or a clear-text password.
² Privilege escalation is an attack technique in which an attacker who has already breached a security perimeter acquires permissions beyond those they were granted, giving them unauthorised access to further systems.
Stage 3: Access
Once the attackers locate the target system or data, they can begin the final phase of their attack, which could include delivering a malware payload, exfiltrating data, or other actions. They can steal, manipulate, destroy, or hold the desired resources hostage.
How to Prevent Lateral Movement?
One prevalent technique involves stealing an authentication secret or token and reusing it to gain access to another device or server. For instance, an attacker may use a stolen password hash, rather than the password itself, to authenticate to other systems; this is known as 'pass the hash'. It is therefore essential to protect all credentials on a network, especially those of administrator accounts, to prevent attackers from reusing them against other devices and systems.
- Do not store passwords in plain text; store password hashes in secure areas.
- Utilise devices with hardware-backed credential storage when feasible.
- Only use work credentials on approved devices and services.
Deploying Multi-factor Authentication (MFA)
To combat brute-force and password-guessing attacks, Multi-factor Authentication should be required for internet-facing services. On high-privilege devices, MFA can additionally be implemented as a physically separate factor (such as a hardware token) that malware on the device cannot use remotely.
Because new system vulnerabilities are regularly being found, a determined attacker will ultimately gain some access, no matter how well protected your web services and network are. Network monitoring is therefore critical to identifying breaches and reacting promptly.
- Turn on logging and auditing features on your systems and use them to detect unusual activity.
- Maintain an inventory of all devices that can connect to your network and know which of your assets are high-value.
- Become familiar with your network and how it is typically used, so that unusual patterns of access stand out.
Protecting High-Privilege Accounts
- Administrators should use a regular account for normal user activities and a separate administrator account solely for administrative tasks.
- Whenever possible, use separate devices for regular and administrator accounts. If that is not feasible, consider using the 'browse down' approach.
- Finally, lock down administrator accounts to prevent high-risk actions such as browsing the web and accessing email.
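As an added illustration of the logging and account-separation advice above (example code written for this page, not InstaSafe's product or tooling), the following Python script runs two checks over constructed authentication log lines: an account that successfully reaches many distinct hosts in a short window, and an administrator account used from a device outside an assumed approved-device inventory. The log format, the `admin-` account naming convention and the device list are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines (not from any real system).
# Assumed format: "<ISO timestamp> logon user=<account> src=<device> dst=<host> result=<success|failure>"
SAMPLE_LOG = """\
2024-05-01T09:00:05 logon user=alice src=WS-101 dst=FS-01 result=success
2024-05-01T09:00:40 logon user=alice src=WS-101 dst=FS-02 result=success
2024-05-01T09:01:10 logon user=alice src=WS-101 dst=APP-03 result=success
2024-05-01T09:01:33 logon user=alice src=WS-101 dst=DB-01 result=success
2024-05-01T09:02:00 logon user=alice src=WS-101 dst=DC-01 result=success
2024-05-01T09:30:00 logon user=bob src=WS-202 dst=FS-01 result=success
2024-05-01T10:15:12 logon user=admin-carol src=WS-202 dst=DC-01 result=success
2024-05-01T10:20:00 logon user=admin-carol src=PAW-01 dst=DC-01 result=success
"""

# Constructed inventory: the only devices approved for administrator accounts.
ADMIN_DEVICES = {"PAW-01", "PAW-02"}

def parse_line(line):
    """Turn one log line into a dict of fields with a parsed timestamp."""
    ts, _event, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def fan_out_alerts(records, window=timedelta(minutes=5), threshold=4):
    """Flag accounts that successfully reach >= threshold distinct hosts within `window`."""
    by_user = defaultdict(list)
    for r in records:
        if r["result"] == "success":
            by_user[r["user"]].append(r)
    alerts = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):  # slide a window starting at each logon
            hosts = {r["dst"] for r in recs[i:] if r["ts"] - start["ts"] <= window}
            if len(hosts) >= threshold:
                alerts[user] = sorted(hosts)
                break
    return alerts

def admin_device_alerts(records, admin_devices=ADMIN_DEVICES):
    """Flag administrator accounts used from a device outside the approved inventory."""
    return sorted({(r["user"], r["src"]) for r in records
                   if r["user"].startswith("admin-") and r["src"] not in admin_devices})

def analyse(log_text=SAMPLE_LOG):
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return fan_out_alerts(records), admin_device_alerts(records)
```

Tune `window` and `threshold` to your own baseline of normal activity; the thresholds here are illustrative only.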
Attackers have long used trust as a means to infiltrate systems and move laterally within them. They exploit both the trust granted by a successful authentication and the trust that comes naturally to humans. To prevent this, implicit trust must be removed from the equation.
Zero Trust architecture enforces access based on the user's role and location, their device, and the data they are requesting. This ensures that inappropriate access and lateral movement are blocked throughout the system. At Instasafe Technologies, our Zero Trust solution follows the principle of "Never Trust, Always Verify" to enable secure connectivity to private applications while preventing unauthorised access and lateral movement.