What Does Lateral Movement (Cybersecurity Attack) Mean?
Lateral movement is a technique that cyber-attackers use to stealthily explore a target network or cloud environment, learn its vulnerabilities and escalate access privileges to reach their target. The goal of malicious lateral movement is to gain access to the target, explore as much of the target as the attacker's access credentials allow and look for other vulnerabilities that can be exploited to escalate privileges. Typically, a malicious actor will look for a misconfigured device, vulnerable software application, or access credential that can be compromised.
Lateral movement plays an important role in security breaches, including advanced persistent threats (APTs). In this type of prolonged attack, the perpetrator remains hidden inside the target for an extended period of time, waiting patiently for the right opportunity to escalate the attack. Security and network monitoring tools will not issue alerts when credentialed entities move laterally across a network or cloud environment because this type of movement appears to be normal behavior. Attackers can remain hidden for years and in some cases, have only been discovered when monitoring tools caught them trying to elevate privileges.
To limit damage from malicious lateral movement, information technology (IT) administrators should:
- Foster a Zero Trust culture that assumes attackers have already accessed the network or cloud environment.
- Enforce the Principle of Least Privilege (PoLP).
- Create a graph database that maps the organization’s access points.
- Identify which access points provide direct access to the organization’s most valuable assets.
- Identify which access points are most at risk for attack.
- Use network segmentation whenever possible to limit attack surfaces.
When malicious lateral movement is detected, IT administrators and security engineers need to revoke the attacker’s access as soon as possible and isolate the compromised network segments.
The incident response team should immediately conduct a forensic audit to determine how the attacker gained access, what digital resources were accessed, and what -- if any -- damage was done.
The audit process should also review the business rules for securing access privileges and recommend steps to close security gaps that could lead to further damage.
Techopedia Explains Lateral Movement (Cybersecurity Attack)
People should think about lateral movement not as an attack in itself, but as a critical phase of an attack where the attacker is seeking out their next machine or identity to compromise after they gain their foothold.
Ideally the attacker would like to compromise an identity with administrative privileges (a privileged identity), but this is not always possible so they have to move around to find ways to achieve these privileges by reaching an identity that has what they need.
They may do this by:
- Assuming Roles — If the identity that the attacker has compromised has privileges that allow them to assume roles with privileged access to sensitive assets, it can be very risky for the organization.
- Shadow Admins — The attacker can also try to gain a collection of privileges that results in the same level of access, even without the definition of admin. These unofficial admins are called shadow admins and can be harder to identify because they do not officially have admin privileges.
- Exploiting Vulnerabilities — The traditional method of lateral movement “within the perimeter” was to compromise one machine and then use it to move to a more interesting target by exploiting a software vulnerability in the product or weaknesses like “pass-the-hash” to escalate their privileges. In more modern cloud workspaces, identity is the key to access, so identity theft has become the focus of attacks.
Lateral movement plays an important role in many types of cyberattacks, including business email compromise (BEC), spear phishing, and whaling. In these types of social engineering exploits, the attacker will initially try to steal a high-ranking employee’s identity, relying on the idea that executives are more likely to have administrative privileges than lower-level employees. If this strategy doesn’t work out, they will simply look for an easier way to gain access from a less privileged identity and then use their new credentials to continue the attack incrementally.
Lateral Movement in the Cloud
The wide-spread adoption of Software as a Service (SaaS) and hybrid cloud infrastructures has increased the number of identities that IT administrators need to manage and secure. Unfortunately, the probability of those identities being compromised has grown as well. In a distributed IT infrastructure, line of business (LOB) managers are often tasked with access management for their department’s niche Software as a Service (SaaS) applications. Unless mechanisms are put in place to ensure visibility into cloud access permission levels, it can be difficult (or even impossible) to know when accounts are over privileged. Another issue is that cloud-based Identity and Access Management (IAM) tools themselves can also be compromised and used to conduct an attack.
Importance of Limiting Risk
While prevention is ideal, companies must also do what they can to limit the blast radius. One of the challenges that these teams face is a lack of visibility. Even when an organization is using an Identity Governance and Administration (IGA) or Identity Provider (IdP) tool, it can be difficult to understand access activity by peer-to-peer access provisioning, non-federated identities (those not in Okta, Azure AD, Ping Identity) and orphan credentials left behind by employees who have changed roles within the organization or moved on to another job.
A formal discovery plan for malicious lateral movement can help administrators to set enforceable policies that right-size access and continuously monitor for privilege sprawl. The discovery plan should improve visibility by answering the following questions:
- What are the organization’s most valuable assets?
- Who already has access privileges for those assets?
- Who has administrative privileges?
- What is the process for granting access privileges to new users?
- What is the process for escalating access privileges?
- How are access rights to the asset being monitored?
- Who is responsible for remediating privilege sprawl?
- What process should be followed when the attack is local?
- What process should be followed when the attack takes place in the cloud?
Importance of Thinking Like an Attacker
If IT administrators and LOB managers want to beat attackers at their own game, they need to start thinking like an attacker. Right now, defenders generally follow lists of best practices and compliance regulations to improve their security. The problem is that attackers who are using lateral movement don’t think in terms of lists – they think in terms of graph theory. Their plans don’t involve checklists. They are more like maps that show how the attacker can move laterally from the initial compromise (Point A) to a fairly low-level target (Point B) and use Point B to gain access to the final target (Point C). They care little about the process, just the results.