Protection from internal network lateral movement

Attackers who rely on lateral movement start from low-privileged footholds such as exposed web servers, email accounts, and employee devices. The initial break-in is only a stepping stone: the real targets are financial data, intellectual property, personally identifiable information (PII), and other sensitive information. Once initial access is established, the attacker moves through the internal network toward the organization's critical assets or targeted data and attempts to exfiltrate it.

What is Lateral Movement

Lateral movement techniques are widely used in sophisticated cyberattacks such as APTs (Advanced Persistent Threats). From a compromised system, attackers use them to reach other hosts and sensitive resources such as Box, shared folders, and credentials. These are then used to compromise further systems, elevate privileges, or steal high-value credentials. Such attacks can end with domain controller access, which gives complete control over a Windows-based infrastructure and its business and operator accounts.

How Lateral Movement Works

Lateral movement begins after the initial compromise of an endpoint. It usually requires the further compromise of user account credentials: using those credentials, attackers attempt to access other nodes.

While gathering information about the environment, attackers also perform additional credential theft, exploit misconfigurations, and identify exploitable software vulnerabilities to penetrate deeper into the network.

The attacker then moves laterally and takes control of critical points in the infected network. These additional footholds let the attacker remain entrenched even if security teams detect and remediate the originally compromised machine.

Lateral movement is divided into the following five steps.

  1. External reconnaissance: The first step for attackers is reconnaissance of the target organization. Reconnaissance activities include scanning external networks, mining social media, and searching leaked credential dumps. The goal is to understand the target's network and find the attack vectors most likely to succeed. For example, if a credential dump containing the target organization's employees is available, an attacker may try those credentials against the organization's VPN or external email. Search engines such as Shodan can also reveal open ports and exposed, vulnerable services without the attacker scanning the target directly.
  2. Getting Inside: Once an attacker has identified an attack vector, they exploit it to gain access to the target's network. Attack vectors range from vulnerable devices to applications exposed to the Internet. This is a vertical movement from outside to inside; once a foothold is compromised, the attacker pursues their goals by moving laterally within the network.
  3. Internal reconnaissance: Attackers gather information such as operating systems, network hierarchy, and the resources servers use in order to map the environment and find where weaknesses exist. OS utilities available for internal reconnaissance include Netstat, IPConfig/IFConfig, the ARP cache, the local routing table, and PowerShell. Unsecured intranet pages can additionally hand attackers internal infrastructure documentation and the location of target data.
  4. Credential theft: Once inside a network, attackers look for new devices that give them greater control. To move from system to system, they may gather legitimate user credentials with keyloggers, network sniffers, password brute-force attacks, or phishing attacks that trick users into handing over their credentials. It is also not uncommon to find credentials on intranet pages, in scripts, and in other easily accessible files and systems. Attackers use these credentials to elevate their privileges and expand their access. The attacker's ultimate goal is domain administrator privileges, which give full access to and control of the domain. An attacker with domain administrator privileges can target a domain controller and dump NTDS.dit from a volume shadow copy of the system volume. This yields the password hashes of every domain user, including service accounts. If the attacker obtains the KRBTGT account's password hash, they can forge a golden ticket for essentially unlimited access to the domain.
  5. Further Compromise of Systems: With credentials for the target systems, attackers use remote control tools such as psexec, PowerShell, Remote Desktop Protocol, and remote access software to reach them. IT staff also often access desktops this way, so remote access by itself is not a reliable indicator of an attack. Attackers, however, establish persistent connections to the network, leaving multiple paths back in. Finally, the attacker exfiltrates the data to a command and control server, using techniques such as compression, encryption, and scheduled transfers to evade detection.

Best practices to prevent lateral movement

There are several best practices you can use to prevent and protect against lateral movement within your network.

  1. Least Privilege: Each user should be properly categorized and granted access only to the systems, applications, or network segments they need for their job. For example, in a corporate network, devices such as desktops and laptops should be administered only by IT staff, and IT staff should not grant users local administrator privileges.
  2. Whitelist: Applications requested by users should be carefully evaluated, and applications with known vulnerabilities restricted against a list of trusted applications. If the functionality a user requests is already provided by an approved application, the additional software may not need to be enabled. Software updates deserve the same scrutiny: NotPetya reached a major shipping company through a compromised update of a third-party application.
  3. EDR Security: Endpoint Detection and Response (EDR) solutions monitor online and offline endpoints, collect and store data about endpoint events, turn that data into actionable security intelligence, and map it to known Tactics, Techniques, and Procedures (TTPs). Visibility into the data an EDR solution collects helps identify the patterns and behaviors attackers leave behind as they try to gain a foothold in your environment. IT personnel can stop attacks in progress, isolate infected systems to prevent lateral movement, remove malicious files left by attackers, and repair the damage.
  4. Password Management: Enforcing password management is an important practice for protecting user accounts and limiting the potential for lateral movement. Organizations should enforce strong, unique passwords across all privileged systems and accounts. Most importantly, administrators should follow good account hygiene; for example, Microsoft recommends resetting the KRBTGT account password regularly. Reset it twice, leaving time for Active Directory replication between the two resets: the domain still honors the previous KRBTGT key alongside the current one, so a single reset does not invalidate golden tickets forged with the old key.
  5. Multi-factor authentication: Multi-factor authentication adds a layer beyond username and password, and it should be required for access to internal systems, applications, and data, not only at the perimeter. Securing accounts this way raises the effort an attacker needs to turn a stolen password into access.
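Steps 4 and 5 above (credential theft followed by psexec/RDP-style remote access) and the EDR practice in point 3 both come down to the same question: what do these moves look like in the logs? The following Python detector is an added example written for this page, not code from the original article, Exabeam, or Macnica. It runs two heuristics an analyst would apply to Windows event data: an account that logs on over the network to many distinct hosts in a short window, and a new service whose name or binary is characteristic of remote-execution tooling. Event ID 4624 (successful logon), its logon types 3 (network) and 10 (RemoteInteractive, i.e. RDP), and System Event ID 7045 (service installed) are real Windows fields; the sample events are constructed, and the host names, service names, thresholds, and time window are assumptions for illustration.

```python
"""Flag lateral-movement indicators in (constructed) Windows event records."""
from collections import defaultdict
from datetime import datetime, timedelta

NETWORK_LOGON_TYPES = {3, 10}              # 3 = network (SMB/PsExec/WMI), 10 = RDP
REMOTE_EXEC_SERVICE_NAMES = {"PSEXESVC"}   # service name PsExec installs on the target
REMOTE_EXEC_SERVICE_PREFIXES = ("PAEXEC",) # PAExec names its service PAExec-<pid>-<host>
# a service whose "binary" is a command interpreter is the smbexec-style pattern
INTERPRETER_IMAGES = ("CMD.EXE", "%COMSPEC%", "POWERSHELL")

# Constructed sample events (not real logs); fields mirror 4624 / 7045 records.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:05", "host": "WS-ALICE", "event_id": 4624,
     "user": "alice", "logon_type": 2, "src_ip": "-"},               # console logon, ignored
    {"time": "2024-03-01T09:01:10", "host": "FS01", "event_id": 4624,
     "user": "svc_backup", "logon_type": 3, "src_ip": "10.0.1.15"},
    {"time": "2024-03-01T09:02:00", "host": "WS-BOB", "event_id": 4624,
     "user": "svc_backup", "logon_type": 3, "src_ip": "10.0.1.15"},
    {"time": "2024-03-01T09:02:05", "host": "WS-BOB", "event_id": 7045,   # PsExec service
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2024-03-01T09:03:30", "host": "WS-CAROL", "event_id": 4624,
     "user": "svc_backup", "logon_type": 3, "src_ip": "10.0.1.15"},
    {"time": "2024-03-01T09:03:35", "host": "WS-CAROL", "event_id": 7045,  # shell as service
     "service_name": "hxsmeaq",
     "image_path": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\out 2^>^&1"},
    {"time": "2024-03-01T09:05:00", "host": "DC01", "event_id": 4624,
     "user": "svc_backup", "logon_type": 10, "src_ip": "10.0.1.15"},   # RDP to the DC
    # benign activity: bob uses a file share and a print server, a vendor agent installs
    {"time": "2024-03-01T09:10:00", "host": "FS01", "event_id": 4624,
     "user": "bob", "logon_type": 3, "src_ip": "10.0.2.20"},
    {"time": "2024-03-01T09:12:00", "host": "PRINT01", "event_id": 4624,
     "user": "bob", "logon_type": 3, "src_ip": "10.0.2.20"},
    {"time": "2024-03-01T12:00:00", "host": "WS-BOB", "event_id": 7045,
     "service_name": "VendorUpdateSvc", "image_path": r"C:\Program Files\Vendor\updater.exe"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def detect_logon_fan_out(events, window_minutes=10, threshold=3):
    """One (account, source IP) pair reaching >= threshold distinct hosts within the window.

    window_minutes and threshold are assumed starting values, not vendor defaults.
    """
    window = timedelta(minutes=window_minutes)
    by_key = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] in NETWORK_LOGON_TYPES:
            by_key[(e["user"], e["src_ip"])].append((_ts(e["time"]), e["host"]))
    alerts = []
    for (user, src_ip), logons in by_key.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):          # sliding window from each logon
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= threshold:
                alerts.append({"rule": "logon_fan_out", "user": user, "src_ip": src_ip,
                               "hosts": sorted(hosts), "window_start": start.isoformat()})
                break                                     # one alert per pair is enough to triage
    return alerts


def detect_remote_service_install(events):
    """7045 events whose service name or image path points at remote-execution tooling."""
    alerts = []
    for e in events:
        if e["event_id"] != 7045:
            continue
        name = e["service_name"].upper()
        image = e["image_path"].upper()
        reason = None
        if name in REMOTE_EXEC_SERVICE_NAMES or name.startswith(REMOTE_EXEC_SERVICE_PREFIXES):
            reason = "known remote-execution service name"
        elif any(marker in image for marker in INTERPRETER_IMAGES):
            reason = "service binary is a command interpreter"
        if reason:
            alerts.append({"rule": "remote_service_install", "host": e["host"],
                           "service_name": e["service_name"], "reason": reason,
                           "time": e["time"]})
    return alerts


def analyze(events):
    return detect_logon_fan_out(events) + detect_remote_service_install(events)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the service account fanning out from one source to four hosts in four minutes, PsExec's service on WS-BOB, and the interpreter-as-service on WS-CAROL are reported, while bob's two share connections and the vendor updater are not. In practice the constructed list is replaced by parsed Security and System log records, and the fan-out threshold is set per account class rather than globally: backup and vulnerability-scanner accounts legitimately touch many hosts, which is exactly why a behavioral baseline per account beats a fixed number.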

Summary

Lateral movement is a technique that plays an important role in cyberattacks and is used by groups conducting APT campaigns. It is the stage at which an attacker actively searches an organization's network for vulnerable elements. Practices such as least privilege, whitelisting, deploying EDR solutions, and requiring multi-factor authentication and strong passwords make it difficult for intruders to navigate your network even after they get inside.

Lateral movement is also the stage at which attacker activity is most exposed. With an EDR solution that gives visibility across the organization's network, this exposure can be turned into detection: security operations teams can recognize the anomalous behavior and stop the intrusion before it reaches its intended data exfiltration.

Abel Morales
Exabeam, Inc. Regional Sales Engineer
