How to Detect & Protect Against Lateral Movement Threats

What is Lateral Movement?
Lateral movement is a post-exploitation activity during which a threat actor tries to compromise adjacent IT systems. After gaining initial access to an asset or network, the attacker begins to authenticate or exploit vulnerabilities in electronically connected assets to execute commands or gain visibility into additional resources. The goal is typically to escalate privileges, access sensitive data, or deploy additional malware to further the threat actor’s nefarious mission.
Representing one of the first phases of a cyberattack, lateral movement can only occur after a threat actor has gained an initial foothold on an asset or within a network. The most common techniques used for the initial breach include identity attack vectors, entitlement misconfigurations, and software vulnerability exploitation.
Unlike the initial breach, which may involve less subtle penetration tactics (like brute force attacks and password sprays), lateral movement is often conducted with great care. To remain undetected, the threat actor will use techniques to blend in with legitimate network traffic and host authentication, authorization, and remote access. The challenge for cybersecurity professionals is to detect and block unwanted lateral movement before the threat actor navigates to the next asset, ultimately creating a path to escalate privilege.
Read on to better understand the nuanced art of detecting unauthorized lateral movement and the cybersecurity best practices for protecting your organization from this growing threat.
How to Detect Lateral Movement: Strategies and Technologies
Given the sophistication of modern attacks, traditional detection methods are increasingly insufficient. Organizations must consider implementing advanced techniques that leverage artificial intelligence, behavior analysis, and real-time monitoring to detect lateral movement.
Identity-Based Behavioral Analytics: This entails establishing baselines of normal behavior for human and non-human identities, and then detecting deviations that might indicate lateral movement. Examples of suspicious behaviors may include an identity that suddenly begins accessing multiple systems in succession, or a machine identity requesting adjacent system access. These types of threats are normally detected via inappropriate authentication requests in a SIEM or an identity threat detection and response (ITDR) solution.
Endpoint Detection and Response (EDR): Deploying EDR solutions that monitor and record endpoint activity in real time is crucial for detecting and containing any lateral movement. These tools can detect anomalies, such as unusual process executions, unexpected file modifications, or new network connections, which often indicate lateral movement.
Network Traffic Analysis: Using network traffic analysis tools to monitor traffic on the same VLAN or subnet can help identify lateral movement, especially when assets are not in the same physical location, but rather logically connected. By analyzing the flow of data between systems, these tools can detect abnormal traffic patterns and alert on unexpected connections or unusual port usage.
Deception Technology: Deception technologies, such as honeypots, decoy systems, or other trojan horse-style tools can lure threat actors into revealing their presence. These technologies are designed to collect as much information as possible from a threat actor during an interaction. Defensive deception technologies can also trigger alerts and allow security teams to respond or stealthily perform monitoring as the attack progresses further.
What Makes Lateral Movement an Important Attack Phase?
Typically, a threat actor probes for weak spots looking for an initial entry point. However, rarely is that initial entry point the end goal of the attacker. Once a beachhead is established, a threat actor can try to use it to launch a further attack by compromising adjacent systems.
Lateral movement can entail compromising other assets on the network, applications sharing resources, and even escalating privileges to gain access to far more valuable identities and accounts. Ideally, each phase of the attack chain evades detection to maximize the penetration and monetization of the compromised systems.
To a cyber threat actor, lateral movement makes all the difference between compromising a single asset and potentially navigating through an enterprise to establish a persistent presence. While a threat actor might initially succeed in infiltrating an environment via a number of methods, such as an opportunistic phishing attack, or a targeted spray attack based on stolen credentials, lateral movement is the primary vehicle to compromise an entire environment.
Common Lateral Movement Techniques
Once an environment is breached, threat actors will employ myriad strategies to accomplish lateral movement. The most common lateral movement techniques include:
Credential Dumping: Extracting and reusing credentials from compromised systems to access other systems within the network.
Pass-the-Hash (PtH): Utilizing hashed passwords to authenticate without knowing the actual plaintext password.
Exploitation of Trust Relationships: Leveraging identity-based trust via account relationships to move across network segments, without raising alarms.
Remote Services: Using legitimate remote desktop services or other remote access tools to move between systems.
WMI and PowerShell: Utilizing Windows Management Instrumentation (WMI) and PowerShell scripts to execute commands and transfer files across systems as remote commands.
Vulnerability Exploitation: The exploitation of known or zero-day vulnerabilities within software to execute code remotely or provide information for maintaining a persistent presence.
Misconfiguration: Simple misconfigurations, or the lack of system hardening, which allow for lateral movement based on applications and services using default credentials, exposed resources, and poor cybersecurity hygiene.
Lateral Movement Detection Challenges
Lateral movement poses detection challenges because it often appears as legitimate network activity. After all, one of the goals for a threat actor is to remain undetected. However, several indicators of compromise (IoC) can suggest inappropriate lateral movement, including:
1. Unusual Authentication Patterns:
Unexplained logons to systems outside of normal business hours, or from unexpected locations.
Multiple failed login attempts followed by a successful login, potentially indicating a brute-force attack.
Logon attempts to systems not typically accessed by the identity.
Authorization for a command or configuration change without a prior authentication event.
Privileged authentication attempts without MFA.
Authentication requests for applications and commands not approved for privileged or standard user access, including ones used in living off the land attacks.
2. Anomalous Network Traffic:
A sudden spike in network traffic between systems that do not usually communicate, or using unusual ports.
Unexpected use of remote access protocols, such as RDP or SMB, especially in unusual patterns or between unexpected systems.
3. Anomalous Applications:
PowerShell scripts or WMI activity on systems, where such activity is uncommon or not authorized.
Use of system tools in an unusual manner, potentially indicating a living off the land attack.
Installation of malware using unsigned applications or digital signatures not authorized by the organization.
4. Privilege Escalation Requests:
Attempts to access privileged accounts or use of privileged commands from non-administrative accounts.
Sudden changes in user privileges, or the appearance of new administrative accounts.
Privileged access without the use of MFA.
Access to sensitive data and sensitive assets from privileged accounts that should normally not have any interaction with a system.
In fairness, this is not an exhaustive list of potential lateral movement detections, but rather the most common examples every organization should be able to detect within their environment.
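The behavioral baseline described under Identity-Based Behavioral Analytics and several of the indicators listed above (failures followed by a success, logons to hosts outside an identity's baseline, off-hours logons, privileged authentication without MFA, and rapid fan-out across hosts) can be expressed as rules over authentication records. The following is an added example, not code from this article or from BeyondTrust; the record format and every identity, host and timestamp are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication records (hypothetical format, not a real log):
# (timestamp, identity, host, outcome, privileged, mfa_used)
BASELINE = [  # a prior "normal" period used to learn which hosts each identity uses
    ("2024-05-06 09:02", "alice", "HR-WS01", "success", False, True),
]
TODAY = [
    ("2024-05-13 02:14", "alice", "HR-WS01", "success", False, True),
    ("2024-05-13 02:20", "alice", "FILESRV01", "failure", False, True),
    ("2024-05-13 02:21", "alice", "FILESRV01", "failure", False, True),
    ("2024-05-13 02:22", "alice", "FILESRV01", "failure", False, True),
    ("2024-05-13 02:23", "alice", "FILESRV01", "success", False, True),
    ("2024-05-13 02:25", "alice", "DC01", "success", True, False),
    ("2024-05-13 02:27", "alice", "SQL01", "success", False, True),
]

def parse(rec):
    ts, user, host, outcome, priv, mfa = rec
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M"), "user": user,
            "host": host, "ok": outcome == "success", "priv": priv, "mfa": mfa}

def learn_baseline(records):
    """Map each identity to the hosts it normally logs on to."""
    seen = defaultdict(set)
    for e in map(parse, records):
        if e["ok"]:
            seen[e["user"]].add(e["host"])
    return seen

def detect(records, baseline, hours=(8, 18), fail_threshold=3, fanout=3, window_min=15):
    """Return (rule, identity, host) for every indicator that fires, in time order."""
    alerts, fails, recent = [], defaultdict(int), defaultdict(list)
    for e in sorted(map(parse, records), key=lambda x: x["ts"]):
        key = (e["user"], e["host"])
        if not e["ok"]:
            fails[key] += 1          # count failures until the next success on that host
            continue
        if fails.pop(key, 0) >= fail_threshold:
            alerts.append(("failures_then_success", *key))
        if e["host"] not in baseline.get(e["user"], set()):
            alerts.append(("new_host_for_identity", *key))
        if not hours[0] <= e["ts"].hour < hours[1]:
            alerts.append(("off_hours_logon", *key))
        if e["priv"] and not e["mfa"]:
            alerts.append(("privileged_without_mfa", *key))
        cutoff = e["ts"] - timedelta(minutes=window_min)   # sliding window per identity
        recent[e["user"]] = [h for h in recent[e["user"]] + [e] if h["ts"] >= cutoff]
        if len({h["host"] for h in recent[e["user"]]}) == fanout:   # fire once at threshold
            alerts.append(("rapid_multi_host_access", e["user"], f"{fanout} hosts/{window_min}min"))
    return alerts
```

Running `detect(TODAY, learn_baseline(BASELINE))` raises ten alerts for the constructed day, all against the one identity, which is the kind of clustering an analyst would triage as a single lateral movement incident rather than ten events.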
Lateral Movement Protection – 10 Best Practices
While detection is crucial, preventing lateral movement is the ultimate goal. This requires a combination of proactive security measures, including network segmentation, least privilege access, and continuous monitoring.
1. Mature Zero Trust Security Controls
Advancing zero trust principles and implementing a zero trust architecture (ZTA) are high-level strategies that, by design, aim to reduce the attack surface and restrict unwanted lateral movement. Zero trust principles also espouse putting controls in place for continuous monitoring and for accelerating detection and response.
Most of the best practices that follow play a key role, and are necessary, for advancing zero trust security.
2. Implement Network Segmentation
Segment your network into distinct zones with strict access controls between them. This limits the attacker's ability to move laterally by isolating the breach within a single logical network segment, or even an individual asset.
For example, sensitive data should reside in an isolated network segment accessible only through secure remote access via proprietary technology. Avoid using RDP, SSH, and HTTPS between network zones. When these protocols are required, proxy them through an appropriate gateway technology.
3. Apply Least Privilege
Ensure identities, accounts, users, and machines operate with the minimum privileges necessary to perform their functions. This reduces the blast radius if an account is compromised by limiting potential for authentication and lateral movement into adjacent systems.
Regularly review and right-size privileges and permissions, particularly for administrative accounts, using entitlement and privileged access management (PAM) solutions. As much as is feasible, your least privilege model should strive toward a zero standing privilege (ZSP) state by implementing just-in-time (JIT) access.
In addition, organizations should enforce privilege separation and separation of duties. When applied to users, this involves segmenting user privileges across separate users and accounts, and ensuring certain duties can only be performed with specific accounts. Thus, if one account is compromised, the range of privileges it affords the attacker is restricted in scope.
4. Implement Privileged Accounts and Session Management (PASM)
Secure passwords, keys, and DevOps secrets in a centralized safe and actively manage them according to security best practices. PASM, also called privileged password management, prevents numerous identity-based attacks and account hijacking threats outright, while reducing the effectiveness of others. For instance, implementing one-time passwords (OTPs) for highly privileged accounts will prevent password re-use attacks.
Frequent rotation of credentials, or dynamic generation of secrets, also means the threat window for which an account can be compromised via stolen credentials is time-limited.
PASM solutions should also pair active credential management with real-time privileged session monitoring and management, overlaying threat detection and response capabilities to stop attacks in their tracks.
5. Address Potential Privilege Escalation Paths
A primary goal of threat actors is to elevate low-level accounts (standard users) to privileged accounts (superuser, local administrator, domain administrator, application owner, or root). If the threat actor can elevate privileges, then lateral movement and a complete compromise of the entire environment is possible.
The linkage of a low-level account to a privileged account can be mapped as a privilege escalation pathway. Some environments have explicit escalation paths due to nested groups, domain trusts, and misconfigurations. Unfortunately, many of these pathways are not obvious and require advanced detection capabilities to link accounts based on common identities in order to reveal them. By proactively discovering these hidden paths, organizations can harden identity security posture to reduce risks and attack pathways.
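The pathway mapping described above can be modelled as a directed graph over accounts and groups and searched for the shortest route from each standard account to a Tier-0 group; counting which edges the discovered paths share then tells a defender which single fix removes the most routes. This is an added example, not BeyondTrust's code; the relation labels (MemberOf, WriteMembers, TrustedBy) and all principal names are hypothetical.

```python
from collections import Counter, defaultdict, deque

# Constructed directory snapshot with hypothetical principal names. Each edge
# (source, relation, target) means control of `source` yields control of `target`:
#   MemberOf     group membership (nesting hides the transitive effect)
#   WriteMembers ACL misconfiguration: source may add members to the target group
#   TrustedBy    domain trust: source, from a trusted domain, is honoured as target
EDGES = [
    ("bob", "MemberOf", "Helpdesk"),
    ("Helpdesk", "MemberOf", "Workstation Admins"),
    ("Workstation Admins", "WriteMembers", "Server Admins"),
    ("Server Admins", "MemberOf", "Domain Admins"),
    ("CHILD\\dan", "MemberOf", "CHILD\\Domain Admins"),
    ("CHILD\\Domain Admins", "TrustedBy", "Server Admins"),
    ("carol", "MemberOf", "Finance"),
]

def build_graph(edges):
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph

def shortest_path(graph, start, targets):
    """BFS from `start`; return the hop list to the first target reached, or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node in targets:
            hops = []
            while parent[node] is not None:
                prev, rel = parent[node]
                hops.append((prev, rel, node))
                node = prev
            return hops[::-1]
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:            # visited set also breaks group cycles
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None

def escalation_report(edges, users, targets):
    """Map each user to its shortest escalation path (None when no path exists)."""
    graph = build_graph(edges)
    return {u: shortest_path(graph, u, targets) for u in users}

def choke_points(report):
    """Edges shared by the most paths: removing the first cuts the most routes."""
    counts = Counter(hop for path in report.values() if path for hop in path)
    return counts.most_common()
```

For the constructed snapshot, both bob and CHILD\dan reach Domain Admins through the same final hop, so that one membership is the choke point to remediate first.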
6. Implement Multi-Factor Authentication (MFA)
Enforce MFA for all users – period. If that isn’t possible, at minimum, enforce MFA on all remote access, privileged accounts, and critical systems. By requiring an additional verification step to raise confidence in an identity, MFA significantly reduces the risk that credential theft leads to lateral movement.
7. Perform Regular Audits and Monitoring
Conduct regular audits of identities, accounts, permissions, and network configurations to identify and mitigate potential software misconfigurations outside of planned vulnerability assessment scans. Continuous monitoring of network activity, combined with real-time alerting, helps detect suspicious activity early.
8. Vulnerability, Configuration, and Patch Management
Keep systems and software up to date with the latest security patches in as timely a manner as physically possible. Various lateral movement techniques commonly exploit known vulnerabilities. Timely patching and configuration management can close these vulnerability gaps.
In addition, consider the recommendation above in these efforts. Monthly vulnerability assessments are a common practice, but what happens in between these scans? Consider staggering assessments, ad-hoc statistical assessments, and real-time scanning to eliminate gaps in monitoring that could otherwise be exploited for lateral movement.
9. Identity Security
Identity security encompasses a broad range of controls for protecting digital identities. Poor identity hygiene and gaps in protection give attackers the footholds they need to land an attack, as well as many pathways to conduct lateral movement. To protect against lateral movement attacks, organizations need to deploy: an identity governance program with good hygiene and runtime, identity directory services, and a strong PAM solution (which includes PASM). In addition, all non-human integrations and privileged accounts should be managed and monitored for potential abuse that can occur during lateral movement.
ITDR capabilities are also becoming essential in modern environments. However, providing holistic identity security visibility across heterogeneous domains and operationalizing identity posture management, threat detection, and response requires strong and broad integrations with PAM and other solutions.
10. Operationalize Effective Incident Response
Develop and role play your incident response playbook to ensure a swift and effective response to detected lateral movement. This includes having predefined playbooks for isolating affected systems, conducting forensic analysis, recommending updates, and restoring normal operations.
Improve your Detection and Defense against Lateral Movement
Detecting and preventing unauthorized lateral movement is pivotal for any modern cybersecurity strategy. As threat actors become more proficient at evading traditional defenses, organizations must adopt advanced detection techniques to ensure lateral movement after exploitation is rapidly detected and mitigated. Minimizing the dwell time for threat activities is crucial to preventing an all-out breach.
By understanding the symptoms of unauthorized lateral movement, deploying intelligent monitoring solutions, addressing privilege escalation paths, and adhering to identity security and vulnerability management best practices, organizations can significantly reduce the likelihood of successful lateral movement by a threat actor.
The BeyondTrust Platform can prevent, detect, and respond to many types of lateral movement attacks, including highly sophisticated multi-step threats. BeyondTrust can significantly boost your organization’s cyber resilience by protecting identities and access, eliminating or securing privileges, addressing Paths to Privilege™, and illuminating and remediating identity-based risks and attacks. Visit BeyondTrust.com to learn more, or contact us today.