Lateral movement is a form of cyberattack in which cybercriminals gain access to a network, then move across that network, compromising other accounts and devices in search of sensitive data, proprietary information, and other assets of value.
Attackers then maintain ongoing access to the network, often getting their hands on credentials and increasing privileges by leveraging various tools. A lateral movement attack can remain undetected for a long period of time, allowing attackers to do significant damage. For someone running a business, it’s critical to employ measures to detect and prevent lateral movement to avoid data breaches and other detrimental consequences.
How does a lateral movement attack work?
A lateral movement attack occurs in several stages.
The first step of a lateral movement attack is to obtain legitimate credentials to access the network. Threat actors will perform external surveillance on the target organization to understand its network and to look for opportunities to gain access by exploiting human negligence and error, poor security, or weak password policies.
Initial entry may occur in several ways:
- Through an endpoint device via typosquatting (i.e., URL hijacking) or a phishing attack that installs ransomware.
- Using stolen user credentials from a data breach or password dump.
- Using Shodan, a search engine for internet-connected devices, to identify open ports and vulnerabilities on the network.
Once they have credentials, attackers will assess the permissions of the compromised account and what it has access to.
Successfully orchestrating a targeted attack requires planning and persistence. Well-resourced attackers can usually infiltrate a targeted organization even if it means they must first target individuals off-network via their personal accounts.
Using stolen credentials, threat actors can then explore, observe, and map the network, devices, and users to find out as much as they can. They gather information about the network hierarchy, server resources, and operating systems to learn the environment and identify vulnerabilities.
Because attackers want to remain undetected and maintain ongoing access to the compromised network, they will avoid known malware exploits that standard security information and event management (SIEM) tools can detect. Attackers will attempt to camouflage their activities as normal network traffic since any sign of unusual network activity might alert administrators.
Credential theft and privilege escalation
Once inside the network, threat actors will look for new devices to compromise in order to extend their control. They’ll move stealthily through network assets and accounts using diverse techniques to find user credentials with greater permissions.
In this phase, attackers typically employ more advanced techniques than in the initial compromise phase in order to steal credentials and escalate privileges. These methods include the following:
- Pass the hash: authenticates without the user’s password by presenting a captured, valid password hash in place of the plaintext password, skipping the step where the password itself is entered.
- Pass the ticket: authenticates using Kerberos tickets. The goal of attackers is to elevate the privileges of the current compromised user to domain administrator privileges and gain complete control of the domain. If they gain access to a domain controller, they can generate a Kerberos “golden ticket,” which gives them indefinite access to any user, computer, or service on the domain.
- Mimikatz: steals cached plaintext passwords or authentication certificates from a compromised machine, which can then be used to authenticate to other machines.
- Keylogging software: captures passwords directly as users enter them via the keyboard.
Ongoing lateral movement
Attackers will “live off the land,” so to speak, using processes and remote tools that are already installed on the host system to avoid detection. For example, they may use PowerShell, Windows Management Instrumentation (WMI), PsExec, and remote access software to perform network discovery.
Since IT teams often use these tools to perform maintenance on desktops, it may take a while to recognize this activity as an attack. A successful lateral movement attack could span months and affect a vast attack surface as the hackers establish a strong foothold within the network. During this time, attackers create back doors to ensure continued access should security teams discover other access points; all the while, they’re also looking for opportunities that can lead to further attacks.
In short, lateral movement attacks can snowball the longer they remain undetected. As attackers gather more privileged credentials, they perform ongoing reconnaissance and further credential theft. As they become more familiar with your network, it becomes easier to navigate and steal additional credentials and extract data. This makes it critical to detect lateral movement as soon as possible.
But before we get into the steps you can take for detection, let’s explore the impact such an attack can have on your organization.
Consequences of a lateral movement attack
From data and capital to organizational reputation and client trust, the losses incurred by a business due to a lateral movement attack can be extensive.
Loss of data
One of the primary aims of a lateral movement attack is to expose valuable intellectual property such as project source code and personal customer data, as well as other proprietary business information like trade secrets, research findings, or patents. Attackers can then demand ransom, sell the information on the black market, or use it in fraudulent activity.
The extent of such a data breach can be staggering. For example, in 2020, the SolarWinds supply chain fell victim to one of the largest hacks in recent history. It affected hundreds of government and private entities across the world. Threat actors used a backdoor loader called Raindrop to deploy and distribute malware across the Orion network management system that SolarWinds customers used to manage their network resources. Hackers then used the back door to install more malware, exposing the data and networks of not only SolarWinds customers, but other organizations as well.
Damage to reputation
Attacks can cause loss of customer and shareholder trust, damaging your brand and reputation. Customers don’t want to be associated with a business that cannot protect their personal data. If confidential customer data is used in fraudulent financial activity or identity theft, or is sold on the black market, customers won’t be confident in the organization’s ability to keep their personal and financial data safe.
Financial losses
Cyberattacks such as lateral movement hacks can cause substantial financial losses. A 2020 McAfee report estimated that global financial loss from cybercrime had reached almost $1 trillion. Other sources estimated the cost of cybercrime to be as much as $6 trillion.
One example of a costly breach was the Colonial Pipeline attack, where cybercriminals used compromised credentials from a dark web leak to enter the network via an inactive VPN account. The resulting ransomware attack caused Colonial Pipeline to shut down its entire network in May 2021 for the first time in 57 years of operation. The attackers demanded a $5 million ransom, which Colonial paid the day after the attack, but it took an additional five days for them to be back in operation.
Besides losing money from ransom payments or loss of productivity, companies can suffer more financial loss through fraudulent transfers from customer and business accounts, a decline in business investment, and company devaluation in the stock market.
Attacks can also result in legal costs from civil lawsuits, costs associated with remediating an attack, and financial penalties for breaking compliance with regulations such as the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS).
There’s also the cost of hiring incident response and cybersecurity teams to repair and recover from the effects of the attack, which might include an overhaul of all your security systems.
With the onerous consequences of cybercrimes such as lateral movement attacks, it’s worth looking more closely at how to detect them early on.
How to detect lateral movement
A lateral movement attack requires meticulous and detailed planning by the hacker. To mitigate these attacks, security teams must employ internal network intelligence to detect which users and devices are on a network and their typical login patterns.
Lateral movement extends the dwell time of a threat actor, giving them access to a system for weeks or months after the initial compromise. Because attackers attempt to avoid detection by the security team, it becomes more difficult to know the likelihood you’re experiencing an attack, where to look, and its origins and level of infiltration into the system when found.
The average breakout time for a lateral movement attack is just under two hours. This means it’s important to detect a breach as soon as possible. Here are some ways you can do so.
Look for behavioral anomalies
Behavioral anomalies are often the best indicator of lateral movement. Security teams should become familiar with the tools and resources that network administrators typically use and access. This allows them to create a benchmark for expected behaviors so they can identify outliers and discrepancies in the administrative tasks being performed.
Closely monitoring login activity can also give you the opportunity to detect suspicious activity before a more serious compromise occurs. Look for activity such as a user logging in after working hours or other unusual times.
Monitor devices that use multiple credentials, and use log analysis from authorization and authentication systems to help identify credential abuse. Analyzing credential usage can help you spot attackers trying to gain privileges and explore the network.
File servers are a prime target for lateral movement attacks. Threat actors look for file servers that can be accessed to encrypt and extract sensitive data. Monitoring and analyzing logs from file servers can help you spot attackers trying to steal data.
Use tools to benchmark typical network behavior
Set up tools to help you recognize and benchmark typical network behavior so you can more easily identify credential abuse, suspicious failed login attempts, or unusually elevated privileges.
Program network traffic analysis tools to recognize suspicious behaviors that could indicate attempts by hackers to conduct internal reconnaissance. Behavioral analysis tools can also help you identify user and network activity that deviates from normal behavior.
SIEM tools also detect stealth activity associated with lateral movement attacks. Even though their rules may raise too many alerts, it’s still a good idea to pay attention to red flags on familiar tools. Attackers use legitimate tools such as PsExec, PowerShell, and Netstat to survey the network environment, so monitoring activity around these tools could help you detect a lateral movement hack.
Proactive threat hunting can help security teams identify suspicious behavior that might otherwise slip through the cracks. This method uses machine learning, research on emerging threats, and familiarity with the network environment to identify the most likely and dangerous threats to the environment. When this process is combined with automated alert systems, teams can be more accurate at detecting lateral movement hacks.
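As an added example (not code from the original article), the following script applies the signals described in the two detection sections above to constructed authentication log lines: logins outside working hours, one device presenting many different credentials, one account fanning out to many hosts, and a service account used from a workstation. The log format, the svc-/ws- naming convention and the thresholds are assumptions for this example.

```python
"""Flag lateral-movement indicators in authentication logs.

Added example, not code from the original article. It checks the signals the
detection sections describe: logins at unusual hours, one device presenting
many credentials, one account fanning out to many hosts, and a service account
used from a workstation. Log format, svc-/ws- naming and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <account> <source host> <target host> <result>"
SAMPLE_LOG = """\
2024-03-04T09:12:01 alice ws-alice fileserver01 success
2024-03-04T09:15:44 bob ws-bob fileserver01 success
2024-03-04T23:41:10 svc-backup ws-carol dc01 success
2024-03-04T23:42:03 svc-backup ws-carol fileserver01 success
2024-03-04T23:42:30 svc-backup ws-carol fileserver02 success
2024-03-04T23:43:12 svc-backup ws-carol hr-db success
2024-03-04T23:44:00 carol ws-carol fileserver02 success
2024-03-04T23:44:20 admin-dave ws-carol dc01 failure
2024-03-04T23:44:25 admin-dave ws-carol dc01 success
"""
WORK_HOURS = range(8, 19)    # 08:00-18:59 is the benchmark for normal logins (assumption)
MAX_ACCOUNTS_PER_HOST = 2    # a workstation normally presents one or two identities
MAX_TARGETS_PER_ACCOUNT = 3  # an account reaching more hosts than this is fanning out

def parse(log_text):
    """Turn the raw log text into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        ts, user, src, dst, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "dst": dst, "ok": result == "success"})
    return events

def find_indicators(events):
    """Return (indicator, subject, detail) tuples derived from successful logins."""
    off_hours, svc_from_ws = set(), set()
    accounts_by_host, targets_by_account = defaultdict(set), defaultdict(set)
    for e in (e for e in events if e["ok"]):
        if e["ts"].hour not in WORK_HOURS:
            off_hours.add(("off_hours_login", e["user"], e["src"]))
        if e["user"].startswith("svc-") and e["src"].startswith("ws-"):
            svc_from_ws.add(("service_account_from_workstation", e["user"], e["src"]))
        accounts_by_host[e["src"]].add(e["user"])
        targets_by_account[e["user"]].add(e["dst"])
    findings = sorted(off_hours) + sorted(svc_from_ws)
    # A host presenting many identities points at credential reuse from that machine.
    findings += [("many_accounts_one_host", host, len(users))
                 for host, users in accounts_by_host.items() if len(users) > MAX_ACCOUNTS_PER_HOST]
    # One account touching many hosts in the window looks like reconnaissance or spreading.
    findings += [("account_fan_out", user, len(hosts))
                 for user, hosts in targets_by_account.items() if len(hosts) > MAX_TARGETS_PER_ACCOUNT]
    return findings
```

On the sample log, the workstation ws-carol is flagged for presenting three identities after hours and the svc-backup account for reaching four hosts, which is the pattern the benchmarking tools above are meant to surface.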
How to prevent lateral movement
In a successful lateral movement attack, hackers are able to move undetected across the landscape of your network. One way to make this more difficult for attackers is by adopting a zero trust model for your network security. Zero trust is a security and data framework that employs several mechanisms to curb access and inhibit movement within your network.
Specifically, initial network authentication isn’t enough to grant full access to network resources. Every user, device, application, workload, and data flow inside and outside the network is considered untrusted: they must be explicitly authenticated and authorized before being granted access to any resource.
Here are some of the zero trust techniques you can implement to minimize lateral movement.
Single-use ephemeral keys
Short-lived single-use authentication keys help minimize vulnerabilities caused by weak credentials. When all permissions are ephemeral and terminate at the end of each session, hackers have less time to compromise a user’s device or use stolen credentials.
For example, using ephemeral authentication keys on short-lived workloads such as containers or Lambda functions can prevent attackers from breaking through laterally between modules.
Principle of least privilege
The more privileges a user has, the more attractive they are to a threat actor. Zero trust uses the principle of least privilege (PoLP) for access control. Each user is assigned privileges based on their role, with users receiving the minimal amount of access to the data, applications, or systems they need to perform their tasks. Giving users the minimal amount of privileges necessary reduces the amount of damage attackers can do with a single account.
The principle of least privilege should apply to both user and service accounts, as threat actors often target overprivileged service accounts that aren’t being monitored. Tailscale’s decentralized VPN service helps you maintain PoLP practices with the use of access control lists to ensure users have only the level of access they need.
Network segmentation
Network segmentation divides the network into smaller groups with specific workloads, allowing you to isolate systems, applications, and other assets to reduce the spread of lateral movement across the network.
Segmentation can apply to several network assets, including applications, containers, endpoints, and clouds, by isolating them into different protected groups. To access the entire network, attackers would need to breach the various security mechanisms of each protected segment. You can also go a step further with microsegmentation — that is, segmenting based on the context of the user, role, application, and data.
Segmentation limits the blast radius of a lateral movement attack to one section of the network, minimizing its impact and giving security teams more time to detect, respond, and mitigate the attack.
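To make the least privilege and segmentation points concrete, here is an added example (not Tailscale’s code) that computes the blast radius of one compromised workstation under an allow-all policy and under a least-privilege, segmented policy. It uses a simplified model of Tailscale-style ACL rules (src selectors of "*", a user, group:x or tag:x; dst selectors of "host:port"); the devices, groups and services are constructed for the example.

```python
"""Compare the blast radius of a compromised device under an allow-all policy
and a least-privilege, segmented policy.

Added example, not Tailscale's code. It uses a simplified model of
Tailscale-style ACL rules (src selectors "*", a user, group:x or tag:x;
dst selectors "host:port"); devices, groups and services are constructed.
"""

# Constructed inventory: user-owned workstations and tagged servers.
DEVICES = {
    "ws-alice": {"owner": "alice@example.com", "tags": []},
    "ws-bob": {"owner": "bob@example.com", "tags": []},
    "fileserver01": {"owner": None, "tags": ["tag:fileserver"]},
    "hr-db": {"owner": None, "tags": ["tag:hr-db"]},
    "dc01": {"owner": None, "tags": ["tag:dc"]},
}
GROUPS = {"group:hr": ["bob@example.com"], "group:it-admins": ["alice@example.com"]}
# Services exposed on the network, as (device, port) pairs.
SERVICES = [("fileserver01", 445), ("hr-db", 5432), ("dc01", 22), ("dc01", 445)]

# Weak setting: the permissive default, every device can reach everything.
ALLOW_ALL = {"acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}]}
# Corrected setting: each role reaches only the segment and port its job needs.
LEAST_PRIVILEGE = {"acls": [
    {"action": "accept", "src": ["*"], "dst": ["tag:fileserver:445"]},
    {"action": "accept", "src": ["group:hr"], "dst": ["tag:hr-db:5432"]},
    {"action": "accept", "src": ["group:it-admins"], "dst": ["tag:dc:22"]},
]}

def selectors(device):
    """All selectors that match a device: wildcard, owner, owner's groups, tags."""
    d = DEVICES[device]
    out = {"*"} | set(d["tags"])
    if d["owner"]:
        out.add(d["owner"])
        out |= {g for g, members in GROUPS.items() if d["owner"] in members}
    return out

def allows(policy, src_device, dst_device, port):
    """True if any accept rule lets src_device reach dst_device on port."""
    for rule in policy["acls"]:
        if rule["action"] != "accept" or not selectors(src_device) & set(rule["src"]):
            continue
        for dst in rule["dst"]:
            host, _, dst_port = dst.rpartition(":")
            if host in selectors(dst_device) and dst_port in ("*", str(port)):
                return True
    return False

def blast_radius(policy, compromised_device):
    """Services an attacker who holds compromised_device could reach laterally."""
    return sorted(s for s in SERVICES
                  if s[0] != compromised_device and allows(policy, compromised_device, *s))
```

Under the allow-all policy a compromised ws-bob reaches all four services; under the least-privilege policy it reaches only the file share and the HR database its owner's role needs, and the domain controller stays out of reach.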
Continuous verification
Continuous verification embodies the zero trust mantra of “Never trust; always verify.” Every asset and user trying to access a network system or resource is considered a potential threat and must be verified. There are no trusted zones, devices, applications, or credentials.
Instead of performing a one-off validation at the point of entry, the continuous verification process grants access to network resources based on a user’s acceptable level of risk. It ensures that a user is who they say they are before they are allowed to move through the network.
Authentication can change according to risk behavior. Risk profiles for users and devices are evaluated based on contextual information such as user identity and behavior, geolocation, evasion detection, and device reputation.
Depending on the result of the contextual evaluation, the user may be granted access to the resource, prompted for additional authentication information, or denied access if they are considered high risk.
Multifactor authentication
One reason attackers were able to use an inactive VPN account to access the Colonial Pipeline network was that multifactor authentication (MFA) had not been enabled. MFA provides an additional layer of security on top of the standard username and password credentials and increases the effort attackers need to make to compromise the account. MFA uses standard credentials combined with an additional authenticator such as a fingerprint scan or a PIN sent to an email address or a mobile device.
Using MFA to access data, applications, and internal systems helps to combat password guessing and brute-force attacks, and it significantly reduces the chance that attackers can use compromised credentials to access network assets. Tailscale, for example, coordinates with your identity provider to automatically use their authentication settings (like MFA) to authenticate users.
Mitigate lateral movement attacks with Tailscale
The effects of a lateral movement attack can cause lasting damage to your reputation and finances; every business should know how to detect and prevent these cyberattacks.
Understanding your network environment and employing tools to detect behavioral anomalies and other outlier activities can help you detect lateral movement before major damage is done. Implementing zero trust principles can prevent attackers from moving further into the network after the initial compromise.
Tailscale is a zero-config VPN for everyone, from home hobbyists to security-conscious enterprises. It uses a zero trust security model that can help prevent lateral movement within a network.
Unlike traditional VPNs, which give users access to everything within the network and route client traffic through a central server, Tailscale connects users and services using end-to-end encrypted mesh connections, removing the need for a central server. Devices form direct peer-to-peer connections in a mesh network using direct IP-based connectivity and centrally controlled packet filters on each node that help prevent lateral movement.
Each node in the Tailscale network has its own centrally configured firewall. With role-based access control (RBAC), you can also limit which users, devices, and applications can connect to each other on the network.
Tailscale is available for Windows, macOS, iOS, Android, and Linux. Download Tailscale now and try it for free.
Frequently Asked Questions
Here are some common questions about lateral movement attacks and their answers.
What are the phases of a lateral movement attack?
In the first phase of a lateral movement attack, hackers gain initial entry to a network through compromised credentials or other vulnerabilities, then use this foothold to stage internal reconnaissance, gathering information about the network and identifying additional vulnerabilities. The attackers look for new devices to compromise in order to extend their control, and — if the hack remains undetected — maintain an ongoing presence to identify opportunities for additional attacks.
How do you detect a lateral movement attack?
Behavioral anomalies are often the best indicator of a lateral movement attack. Security teams should become familiar with the tools and resources that network administrators typically use and access, and closely monitor activity for aberrations that could indicate an attacker at work. Proactive threat hunting can also help security teams identify suspicious behavior that might otherwise slip through the cracks.
What are strategies for preventing a lateral movement attack?
Securing your network with a zero trust model can make it much more difficult for attackers to gain entry to your infrastructure, and it can help contain the damage if a breach is made. Elements of a zero trust model include adopting single-use ephemeral keys, following the principle of least privilege, segmenting your network, and enforcing the use of multi-factor authentication.