Understanding Lateral Movement and How to Detect It

Gaining access to a single system is rarely the end goal for an attacker. Once inside a network, attackers will almost always need to move off that endpoint to maintain persistence, conduct reconnaissance, and look for ways to escalate their privileges. They’ll look for credentials to steal, files
to infect, vulnerabilities to exploit, and attack paths that provide access to
their ultimate targets.

The recent attack on the Colonial Pipeline involved significant lateral movement, effectively demonstrating the depth of the
problem. That attack was not an isolated incident—nearly every major breach now involves lateral movement, and stopping it must be a top priority for today’s enterprises.

Lateral Movement and Active Directory

Lateral movement broadly applies to an attacker’s activity within the network after penetrating perimeter defenses, using various tactics, techniques, and procedures (TTPs). Today’s organizations must understand those TTPs and ensure that their controls are effective across on-premises, remote, and cloud attack surfaces. The MITRE ATT&CK framework plays a beneficial role in organizing techniques and tactics, providing organizations with a guide to identify security gaps and controls they can use to cover them.

It is important to think about the role played by both endpoint protection and identity protection and how these security tools work together. Active Directory (AD) is usually co-owned by multiple departments, and organizational complexity can often leave this highly vulnerable and critical application inadequately protected. Incorporating AD into a lateral movement program should be a priority—after all, if attackers can compromise AD, it is effectively game over.

Stages of Lateral Movement

The first stage of lateral movement is reconnaissance. As its name implies, this is the stage where attackers explore the areas of the network they have access to, identify vulnerabilities, and look for critical assets. This activity helps attackers understand organizational data like host naming conventions and network hierarchies and helps them locate valuable information and systems. Attackers often use tools like Netstat and PowerShell to get the lay of the land within the network and learn about its defenses. These tools can be complicated for defenders to detect and often help with activities like port scanning. Effective reconnaissance helps attackers plan their movements better.

The next stage involves credential misuse. Valid credentials are like gold to attackers. The 2021 Verizon Data Breach Investigations Report (DBIR) found that 61% of all breaches now involve credential data such as stolen or leaked credentials. Social engineering tactics like phishing and business email compromise (BEC) attacks are typical tactics attackers use to covertly obtain valid credentials, though they are far from the only methods. Using valid credentials is a great way for attackers to move within the network without setting off any alarms.

Next comes privilege escalation. Attackers want to exploit AD to help with network discovery and to gain privileges that allow them to change security controls and remain hidden. Ultimately, attackers want to escalate their privileges to administrator status, which usually means compromising AD. If the attacker can compromise AD, they essentially have the keys to the castle, and it is tough to remove them from the network.

Suppose an attacker has been able to conduct reconnaissance, gain access to credentials, and escalate their privileges. In that case, they will likely repeat the process across various hosts until they find what they are looking for—user data, financial information, intellectual property, or other assets. Without robust in-network security, attackers can search for valuable data indefinitely. Putting a stop to this behavior is possible—and becomes more manageable when organizations use technique-based detection rather than relying solely on matching patterns or identifying signatures.

Detecting Lateral Movement

Active Directory is notoriously difficult to secure, with red teams often noting that they can compromise AD close to 100% of the time in security exercises—which means attackers can, too. Recent incidents underscore the fact that it is impossible to stop every single attack, so having a plan for what happens once an attacker is inside the network is critical. Organizations must visualize potential attack paths and detect exposed and otherwise at-risk credentials, permissions, and entitlements because attackers will target them. Attack path visibility can also help defenders anticipate attackers’ actions, allowing them to automate some aspects of defense.

A little trickery can go a long way here. Detecting lateral movement isn’t just about identifying and remediating vulnerabilities—defenders can also cloak or hide real credentials, AD objects, and the files that attackers are after. Hiding production items and feeding fake information back to attack tools throws attackers off course. In addition, cyber deception based on deceptive credentials and other decoy assets designed to appear authentic can trick attackers into interacting with them and giving away their presence. Once an attacker has engaged with the decoy environment, defenders can safely study and gather intelligence on the attacker—who remains blissfully unaware that the environment they are in is not real.

This tactic is especially valuable when it comes to protecting AD. Logs and SIEM management provide incomplete information and represent a reactive approach to security rather than a proactive one. Hiding critical AD objects and local administrator accounts can prevent attackers from extracting the information they need to elevate their privileges and escalate their attacks. Effective alerting on unauthorized or suspicious queries to AD can raise alerts at the point of attacker observation, which will mitigate the progress they can make and the damage they can cause.

Focus on Lateral Movement

Lateral movement detection remains a critical but underserved area of security. Today’s enterprises must shift their focus away from perimeter protection and toward in-network defenses capable of preventing and detecting lateral movement.

It is essential to understand that lateral movement is not just one technique—and for comprehensive protection, defenders need the ability to detect credentials misuse and attacks on AD. A security program without in-network detection is like a house with no interior support beams—it might appear stable from the outside, but sooner or later, it is bound to come crashing down.

Lead image via TheDigitalArtist on Pixabay