Lateral movement explained: How hackers navigate networks undetected

Lateral movement is a tactic in cyberattacks that allows hackers to navigate through a network undetected after gaining initial access. This stealthy maneuvering enables attackers to locate valuable assets and data, maintain persistent control, and avoid detection.

Lateral movement is particularly significant in advanced persistent threats (APTs), where attackers aim to remain hidden within a network for extended periods. APTs are often state-sponsored or highly organized cybercriminal operations targeting sensitive and high-value information.

Understanding lateral movement

Lateral movement refers to the techniques and strategies cyber attackers use to move within a network after gaining initial access. This phase allows attackers to explore the network, identify critical systems, and gain access to sensitive data and assets. Unlike a direct attack, lateral movement involves subtle and stealthy maneuvers, helping attackers maintain a low profile and avoid detection for extended periods.

Lifecycle of a lateral movement

Lateral movement fits within the broader context of the Cyber Kill Chain developed by Lockheed Martin to detail the steps that an attacker must go through to achieve a breach:

• Initial compromise: The attacker gains network entry through phishing, exploiting vulnerabilities, or using stolen credentials.
• Establishing foothold: The attacker installs malware or backdoors to maintain access to the compromised system.
• Privilege escalation: The attacker seeks higher-level access privileges to gain more control and access within the network.
• Reconnaissance: The attacker gathers information about the network, such as identifying key systems, user accounts, and security measures.
• Lateral movement: The attacker moves laterally through the network, accessing additional systems and expanding their reach.
• Data exfiltration: The attacker locates and extracts valuable data or deploys additional malicious activities.
• Maintaining persistence: The attacker establishes methods to maintain access and persist within the network, even if some intrusion points are discovered.
• Covering tracks: The attacker removes evidence of their presence to avoid detection and investigation.

Techniques used in lateral movement

Lateral movement involves methods that attackers use to infiltrate and manage remote systems within a network. These methods exploit default credentials, known user accounts, and vulnerable services. Attackers may also take advantage of devices and systems that are connected to both IT and OT networks, often referred to as dual-homed devices.

• Credential harvesting and privilege escalation: Attackers often begin by harvesting credentials, such as passwords and tokens, through phishing or malware. Once they obtain these credentials, they use privilege escalation techniques to gain higher levels of access within the network, allowing them to control more systems and data.
• Exploiting trust relationships between systems: Hackers exploit trust relationships between systems to move laterally. By leveraging already trusted connections, such as those between different servers or network devices, attackers can navigate the network without triggering security alerts.
• Using legitimate tools to blend in: To avoid detection, attackers frequently use legitimate administrative tools like Remote Desktop Protocol (RDP), PsExec, and PowerShell. These tools are typically used by IT professionals for network management, making their use by attackers less suspicious and harder to detect. By blending in with normal network activities, attackers can move laterally more stealthily.

Examples of lateral movement in real-world attacks

• SolarWinds Attack (2020): The SolarWinds attack is one of the most significant cyberattacks in recent history. Attackers compromised the SolarWinds Orion software updates, which were then distributed to thousands of customers, including government agencies and Fortune 500 companies. Once installed, the backdoor, known as SUNBURST, allowed attackers to conduct extensive reconnaissance and move laterally within the network using secondary payloads like Raindrop. This lateral movement enabled them to access sensitive data and maintain persistence within the network.
• WannaCry Ransomware Attack (2017): The WannaCry ransomware attack spread rapidly across the globe, affecting over 200,000 computers in more than 150 countries. The ransomware exploited a vulnerability in the SMB protocol of Microsoft Windows, known as EternalBlue. Once a machine was infected, WannaCry used lateral movement techniques to propagate within the network, encrypting data and demanding ransom payments for decryption. 

Signs of lateral movement in a network

Signs of lateral movement in a network include unusual access patterns, such as unexpected or irregular login activities from unusual locations or at odd times; sudden privilege changes, where user privileges are elevated without explanation, and unusual data transfers between systems, particularly high-volume transfers or access patterns that deviate from typical usage. Monitoring these indicators can help detect and prevent unauthorized lateral movement within a network.

How to prevent lateral movement

Cybersecurity experts advise adhering to the 1-10-60 rule – detect an intrusion within 1 minute, investigate within 10 minutes, and isolate or remediate the problem within 60 minutes.

• Update your endpoint security solution
  • Upgrade technology: Employ next-gen antivirus and behavioral analysis capabilities.
  • Comprehensive protection: Implement both intrusion prevention technology and Endpoint Detection and Response (EDR) to automatically detect suspicious activity.
  • Unified solution: Use a single agent that provides both prevention and detection functionalities like Security Information and Event Management (SIEM) systems.
    
    
• Proactively hunt for advanced threats
  • Expert monitoring: Ensure real experts proactively monitor the environment to avoid alert fatigue.
  • Detect anomalies: Focus on unusual activities and minimize false positives.
  • Prioritize alerts: Address the most critical alerts immediately and consider boosting internal teams with solutions that offer expert threat hunting.
    
    
• Maintain proper IT hygiene
  • Patch management: Address outdated or unpatched systems and software by applying updates across all endpoints.
  • Vulnerability elimination: Recognize and mitigate exploits that can remain hidden before activation.
    
    

FAQs

What are dual-homed devices?

Dual-homed devices are networked devices equipped with two network interfaces, providing redundancy and reliability. If one connection fails, the device automatically switches to the backup connection, ensuring continuous network availability

What are IT and OT networks?

IT (Information Technology) networks manage data and applications, while OT (Operational Technology) networks control physical processes and machinery in industrial settings. IT focuses on data security, whereas OT prioritizes operational safety and reliability.

What is network reconnaissance? 

Network reconnaissance is gathering information about a network to identify vulnerabilities.