When you buy through affiliate links in our content, we may earn a commission at no extra cost to you. Learn What Is Lateral Movement in Cybersecurity?
Lateral movement is a technique that threat actors use to extend their reach within a target network. During this phase of a cyberattack, the intruder will use someone’s compromised credentials to explore the network, and look for ways to escalate access privileges until they have the user rights they need to complete their attack.
Malicious lateral movement can be difficult to detect because the threat actor is using legitimate user credentials and native network tools to move through the network. If the intruder is careful and escalates privileges incrementally, their activity will blend in with normal user behavior and not raise red flags.
Purpose of Lateral Movement
The primary purpose of lateral movement is to locate high-value targets without being detected. This technique is typically used right after the attacker gains initial access to their target, but lateral movement can be used any time the attacker wants to learn more about the network they have successfully compromised.
As they move laterally, the attacker can create multiple backdoors and redundant access points to make it more difficult for security incident and event management (SIEM) software to detect and block them. This redundancy provides the attacker with persistent access. It ensures if one compromised account is discovered and secured, they’ll still be able to access the network another way.
While they are exploring their target undetected, the attacker can also use this time to set up what they need to achieve their attack objective. For example, they might use a VPN app to set up an encrypted tunnel that will allow them to exfiltrate data without detection, or they might encrypt data for ransom or sabotage critical network infrastructure, depending on the attack’s objective.
Lateral movement plays an important role in advanced persistent threats. APTs are sophisticated, long-term cyberattacks in which the intruder establishes a foothold within a network and remains undetected for an extended period of time.
How Does Lateral Movement Work?
Successful lateral movement requires a combination of technical skill and knowledge of the target environment.
Malicious actors will often begin a cyberattack with a phishing or business email compromise (BEC) exploit to obtain a legitimate user’s credentials. Ideally, threat actors want to start off by compromising an account that has administrative privileges, but since this is not always possible, they will look for ways to compromise any account with legitimate credentials.
Once they are in, the intruder can use whoami or some other means to determine the compromised account’s access privileges. This knowledge will allow them to explore the network laterally and find other accounts, network vulnerabilities, or machines to compromise.
Typically, this phase of the attack involves looking for unpatched software, known security flaws, common misconfigurations in network services and software applications, weak system settings, and other security gaps that can be used in the security breach to escalate privileges.
Popular strategies for escalating privileges include:
Sideloading Malicious DLLs: This strategy involves placing a malicious DLL file in a location where a software application expects to find a legitimate DLL. As long as the app is legitimate, malicious activity will probably not be noticed by antivirus software. When the DLL is sideloaded by the application, it will run with the same privileges as the application itself. If the application has administrative rights, then the malicious DLL will also have those those rights.
Pass-the-Hash (PtH): This technique takes advantage of the way that some operating systems (OS) hash, store, and authenticate user credentials. If the authentication is performed using pass-the-hash techniques, the attacker could potentially capture a hash that belongs to a privileged user and log in with it.
Using Remote Execution Tools: Attackers can misuse the Remote Desktop Protocol (RDP) to execute commands that allow them to look for additional vulnerabilities. Because this protocol is often used by system administrators, its use by an attacker who has compromised legitimate credentials is not likely to raise a red flag.
Preventing Lateral Movement
Lateral movement can be challenging to detect and respond to because if the attacker is careful, their activity will appear to be legitimate user behavior, because they are using valid credentials and system tools. Key strategies to mitigate the impact of unauthorized lateral movement include the following:
- Separate the network into distinct zones to limit the attack surface and slow down the attacker’s ability to move freely across the network.
- Implement security controls that enforce the Principle of Least Privilege (PoLP) and require multi-factor authentication (MFA).
- Foster a culture of Zero Trust.
- Enforce the Principle of Least Privilege (PoLP)
- Implement AI-supported anomaly detection systems that can spot unusual behavior patterns.
- Keep all systems and software patched and up-to-date.
- Educate employees about security best practices to reduce the risk of credential compromise.
