Lateral Movement

Picture this: your security team is busy with their typical day-to-day tasks when they notice a flurry of unusual activity. Nothing too out of the ordinary, but there sure were an awful lot of policy violation alerts. But that happens every day, no matter how much IT tries to hammer home good security practices.

But that blip was the first sign of trouble. Threat actors are now inside your system, quietly jumping from system to system with escalating privileges as they move. Before long, they've found the organization's crown jewels, your intellectual property, and are stealing all of it right under your nose. This is lateral movement in action.

What is lateral movement?

Once cyber attackers are inside, what do they do? The term "lateral movement" refers to one type of strategy for moving around within a compromised system. Once inside, the threat actor moves from system to system, looking for opportunities for privilege escalation to move deeper with the network.

Since many organizations place most of their security controls on the perimeter, lateral movement is an effective and commonly used method for gaining access to sensitive data, even if the initial compromise occurred on another server or system.

How lateral movement works

The attacker first obtains compromised account credentials to the target organization and begins looking for an entry point. Rather than go right for the server with the target data, the attacker instead attempts to access a less obvious or less secure server to avoid detection using remote access tools.

This way, it looks like regular network traffic and is difficult to detect. From here, the attacker moves from application to application (laterally) within the compromised environment, looking for ways to gain more privileges along the way. In this initial breach, the attacker may not take anything. They might merely survey the network environment to figure out the location of high-value and critical assets to attempt to steal later.

This more systematic approach makes a lateral movement attack challenging to detect. Security teams often don't realize there's a breach until it's too late. With so many false positives, IT departments suffer from "alert fatigue," and lateral movement-related security alerts are often for policy violations, which are a common occurrence.

By the time the breach is discovered, it could be weeks or months after the initial access. That is plenty of time for an attacker to make off with your organization's assets. So what are some methods to detect malicious lateral movement?

How to detect lateral movement

We recommend the following strategies to detect lateral movement:

  • Establish a baseline of what normal activity looks like: Without this baseline, it will be hard to tell what's anomalous network activity and what's not. Understand what a normal session for a particular user looks like.
  • Watch for changes in user behavior: Suppose a particular user typically only logs in to check his email during the workday and suddenly logs in at a different time or a different location and begins to move from application to application. In that case, this is a possible sign of malicious lateral movement.
  • Watch for unusual usage patterns: Time of day isn't the only sign of lateral movement. User sessions also follow a regular pattern. If it looks like applications are accessed randomly, that is a potential sign of trouble.
  • Keep an eye on unknown devices: In the age of BYOD, security teams have their hands full. Internal systems are now accessed regularly by employee-owned devices, which you'll have no idea if it's genuinely that person if valid login credentials are provided.
  • Employ a third-party service to assist in confirming identity: The service should provide a way to tie identity to known devices. Doing so could significantly decrease the risk of a lateral movement attack (Beyond Identity's passwordless platform does just that).

Examples of lateral movement

Here are a few situations where using lateral movement might make sense to an attacker:

  • A developer is working on a secret project. That developer uses the same password for work as his personal e-mail, which was involved in a recent data leak. The attacker can steal the project's source code by using the developer's login credentials and moving through the organization’s system.
  • An attacker knows the location of high-value assets in your organization's network. Rather than make that specific server their starting point, the attacker jumps across multiple systems in a pattern that looks more like a regular session, bypassing security controls and detection for several weeks.

How to protect against lateral movement

While difficult to detect, you can protect against lateral movement, as long as you follow some key concepts:

  • Follow a "least privilege" strategy when granting access: Otherwise known as zero trust, those who access internal systems should only have access to what they need to complete the given task. Lateral movement is made possible by granting blanket privileges, which the attacker exploits to move freely with the internal network. Make administrative privileges and network hierarchies a thing of the past.
  • Verify code commits: Only let verified corporate identities commit source code by employing a devops solution that can stop malicious source code from being merged into your system.
  • Use endpoint detection to monitor entry points: These applications monitor for known patterns that attackers leave behind as they attempt to gain access, making lateral movement attacks more visible. You can also isolate a compromised machine or system to prevent further damage and repair any damage done.
  • Use risk-based authentication: By using risk-based authentication you can set up real-time risk signals to enforce stronger access controls to all of your organization’s systems.
  • Get rid of the password: No matter what you do, passwords will always remain insecure, and traditional multi-factor authentication is a negative user experience, while still being insecure. Instead, move to passwordless authentication.
  • Enforce a strict security policy: Require device operating systems to be up-to-date with all security patches and software updates. If a device doesn't meet your standards, don't grant access, whether it's the CEO or a developer intern.

Preventing lateral movement is a complicated process that requires vigilance and experience. Tools like Beyond Identity Secure DevOps and solutions like passwordless MFA protect your organization from not only lateral movement attacks but all kinds of password-based attacks that put your organization at risk.