Tips for Detecting and Preventing Lateral Movement

When a threat actor gains a foothold on a compromised system or user account in your network, there is still time to detect and respond to their actions. Hackers employ lateral movement techniques to pivot across systems and accounts, extend and maintain their access in your network, and, ultimately, achieve their objectives.

Adversaries often leave traces of lateral movement activity. If you know how and where to look, being compromised doesn’t have to automatically mean having your data stolen or your systems locked down and held for ransom. This article offers some pointers to help you better detect and prevent lateral movement.

What Lateral Movement Techniques Do Hackers Use?

Hackers have a substantial armory of lateral movement techniques to use during cyber attacks—here are some of the most common. 

Pass the Hash

“Pass the Hash” (PtH) is a hacking technique that allows an attacker to authenticate to a system or service using the hash of a user’s password rather than the plaintext version. PtH bypasses the need to know the actual password by using various tools to extract the hash values associated with user passwords from common, often unprotected storage locations. 

The attacker then uses the hash values to authenticate as valid users on other systems on the network. Lateral movement occurs when the attacker presents the hash to the target machine's Server Message Block (SMB) service, which accepts it as though it had come from a legitimate source, such as the initial login process. If the user associated with the hash has sufficient privileges, the threat actor expands their access. Repeating this process helps adversaries gain further access until they eventually exfiltrate sensitive data or otherwise achieve the objective of the attack.

Internal Spear Phishing

Internal spear phishing is a method of lateral movement that depends more on psychological manipulation than technical skills. After gaining access to a user’s system or account, hackers perform reconnaissance to understand the organizational structure, communication patterns, and roles of various employees. 

Armed with this understanding, the intruder crafts convincing spear phishing emails. These targeted emails come from the compromised user’s internal email account and are designed to trick the recipient into taking some action that enables lateral movement. For example, the recipient might unknowingly install keylogging malware, reveal sensitive information, or even grant additional permissions to the attacker.  

Network Session Hijacking

Insecure network protocols that allow remote administration of computing devices can enable further lateral movement. Authentication credentials may traverse the network over the insecure protocol, where they can be read in plaintext, as in a telnet login session. The threat actor could also take over an existing session and inject commands with the permissions of the user on the remote system.

Exploiting Vulnerabilities

Software vulnerabilities often get discussed in the context of an initial access vector for cyber attacks. However, taking advantage of known or zero-day vulnerabilities in software, firmware, or hardware within a compromised network is also a useful lateral movement technique for spreading influence across multiple systems.

Once inside your network, the attacker scans it to identify systems and services that might be vulnerable to known exploits. Tools like SoftPerfect Network Scanner or BLUETORCH could be used to help with searching for vulnerabilities. The intruder might also look for signs of outdated software, misconfigured systems, local privilege escalation vulnerabilities, or unpatched systems that could be susceptible to exploitation. Successful exploitation often grants the attacker various permissions, including the ability to execute code, escalate privileges, or gain unauthorized access to data or services.

Other Techniques

Other frequently deployed lateral movement techniques include:

  • Mapping out and browsing the hidden network shares created by the Windows operating system that allow system administrators to remotely access a computer's files

  • Seizing control of systems by exploiting Remote Desktop Protocol (RDP)

  • Using a Windows administrative tool such as PsExec or WMI to run commands on remote systems

Lateral Movement Detection Tips

The challenges in detecting lateral movement are two-fold:

  1. Many businesses focus on keeping the bad guys out. Cybersecurity budgets, tools, and personnel focus more on bolstering security at the perimeter of networks. This is despite the fact that many cyber attacks include lateral movement phases. One recent analysis found 44.7% of network intrusions included a lateral movement event.

  2. High volumes of network data make it difficult to distinguish between legitimate and malicious activities. Exemplifying the challenge is a recent survey of IT security professionals that reported up to 20% of security alerts they receive are false positives that suggest a threat or intrusion when there is none.  

That said, here are some tips that will help your organization better detect lateral movement and respond faster to cyber intrusions. 

Limit Remote Access

Restrict remote access to systems, where possible, to specific workstations. For example, if SSH is only required from specific hosts, limit it to the IP addresses of the admins or developers who need access. If remote PowerShell commands are allowed, consider restricting access to HTTPS and to specific workstations, using certificates and network access controls.

Monitor Privileged Accounts Closely

Keep a close eye on administrative accounts, their behavior, and access patterns. Establish baselines of normal activity so that you can spot deviations from the norm. If an attacker compromises one of these accounts, they can easily steal data or lock down systems. Immediately investigate any unexpected or unusual activity on privileged accounts and view it as a warning sign of advanced lateral movement. 

Conduct Threat Hunting Exercises

Proactive threat hunting involves actively searching for, isolating, and mitigating cyber threats that automated security solutions don’t detect. Expert threat hunters use a deep understanding of cybersecurity and individual IT networks, including their normal behaviors and anomalies, to identify hard-to-spot indicators of malicious activity. They also correlate and analyze data from security alerts and tools like Security Information and Event Management (SIEM) systems. They can search for suspicious API calls or known attack signatures in running software or files at rest.

Leverage AI/Machine Learning Capabilities

For some time before generative language models like ChatGPT captured the public imagination, AI and machine learning have been empowering cybersecurity teams with stronger defenses. Platforms like user and entity behavior analytics (UEBA) use machine learning algorithms and statistical methods to understand normal behavior and detect significant deviations.

Technologies like UEBA could help identify compromised accounts being used for lateral movement. But also note that UEBA is not limited to users; it also tracks deviations from the norm for servers, endpoint devices, and applications. 

Watch Out for Network Scanners

While tools like Nmap that map out ports and network traffic have legitimate uses, attackers often rely on them to gain a better understanding of the environment they’ve infiltrated and then pivot to other systems. Network scanners generate a significant amount of traffic as they probe different parts of the network. 

Scanning activity can be flagged as anomalous by Intrusion Detection Systems (IDS), especially if it occurs at unexpected times or is particularly intensive. Multiple port connections or connection attempts from a single source, or to a single destination, are also indicators of potentially nefarious scanning activity.
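The scanning pattern described above, as an added example that is not part of the original article: one source touching many ports on a single host (a vertical scan) or one port across many hosts (a horizontal scan) within a short window, detected over constructed firewall-style flow records. The window length and thresholds are assumptions to tune for your network.

```python
"""Added example, not from the original article: flag the scanning pattern the
article describes, one source touching many ports on one host (vertical) or one
port on many hosts (horizontal), over constructed firewall-style flow records.
Window and thresholds are assumptions; tune them to your network."""
from collections import defaultdict

# Constructed flow records: (epoch seconds, src, dst, dst_port, state).
FLOWS = (
    # 40 distinct ports on one host within 40 seconds: a vertical scan.
    [(960 + i, "10.0.5.12", "10.0.9.40", p, "SYN") for i, p in enumerate(range(20, 60))]
    # port 445 (SMB) on 30 hosts within 30 seconds: a horizontal scan.
    + [(1100 + i, "10.0.5.12", f"10.0.9.{h}", 445, "SYN") for i, h in enumerate(range(1, 31))]
    # ordinary repeated HTTPS connections from another workstation: benign.
    + [(1200 + i, "10.0.5.20", "10.0.9.40", 443, "EST") for i in range(5)]
)


def detect_scans(flows, window=60, port_threshold=20, host_threshold=15):
    """Return sorted alerts (src, kind, target, count) per fixed time bucket.

    Fixed buckets (ts // window) are simple and cheap; a scan straddling a
    bucket boundary can be split, so production code would use a sliding window."""
    ports_seen = defaultdict(set)  # (src, bucket, dst)  -> distinct dst ports
    hosts_seen = defaultdict(set)  # (src, bucket, port) -> distinct dst hosts
    for ts, src, dst, port, _state in flows:
        bucket = ts // window
        ports_seen[(src, bucket, dst)].add(port)
        hosts_seen[(src, bucket, port)].add(dst)
    alerts = []
    for (src, _b, dst), ports in ports_seen.items():
        if len(ports) >= port_threshold:
            alerts.append((src, "vertical", dst, len(ports)))
    for (src, _b, port), dsts in hosts_seen.items():
        if len(dsts) >= host_threshold:
            alerts.append((src, "horizontal", port, len(dsts)))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect_scans(FLOWS):
        print(alert)
```

Feed the same function real flow or firewall logs to see which internal sources probe the network; the benign workstation repeatedly hitting one port on one host never reaches either threshold.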

Log Analysis

Many types of lateral movement activity generate distinctive authentication events in logging systems. Log analysis can be performed in real time or near real time to search for the well-known logon types that indicate lateral movement. Tools such as PsExec leave a noticeable trace in the logs, so real-time alerting must be employed to catch these well-known attack tools.

Repeated failed logins are also a sign that an attack is about to occur or has already occurred and that the attackers are moving laterally, depending on which computer system(s) are being targeted.
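The log-based detection described in this section and the pass-the-hash trace described earlier, as an added example that is not part of the original article: a small detector run over constructed Windows event records. Event IDs and field names (4624, 4625, 7045, logon type, authentication package) follow the Windows event schema; every host, user, address and count is made up, and the failed-logon threshold is an assumption.

```python
"""Added example, not from the original article: a detector run over constructed
Windows event records that flags the traces the Log Analysis and Pass the Hash
sections describe: remote logon types (3 network, 10 RDP), NTLM network logons as a
possible pass-the-hash signal, PsExec's service install, and failed-logon bursts."""
from collections import Counter

# Constructed records (values made up) shaped like Security 4624/4625 and System 7045 events.
EVENTS = [
    {"id": 4624, "host": "FS01", "user": "alice", "src": "10.0.5.12", "type": 3, "auth": "NTLM"},
    {"id": 4624, "host": "FS01", "user": "alice", "src": "10.0.5.12", "type": 3, "auth": "Kerberos"},
    {"id": 4624, "host": "WS07", "user": "alice", "src": "-", "type": 2, "auth": "Negotiate"},
    {"id": 4624, "host": "DB02", "user": "svc_backup", "src": "10.0.5.12", "type": 10, "auth": "Negotiate"},
    {"id": 7045, "host": "DB02", "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 7045, "host": "DB02", "service": "Spooler", "image": r"C:\Windows\System32\spoolsv.exe"},
] + [{"id": 4625, "host": "DC01", "user": "bob", "src": "10.0.5.12"} for _ in range(6)]

REMOTE_LOGON_TYPES = {3: "network logon", 10: "RDP (RemoteInteractive) logon"}
PSEXEC_SERVICES = {"PSEXESVC"}  # default service name PsExec installs; renamed copies need other checks

def flag_remote_logons(events):
    """Return (host, user, src, reason) for successful logons (4624) worth reviewing."""
    hits = []
    for e in events:
        if e["id"] != 4624 or e["type"] not in REMOTE_LOGON_TYPES:
            continue  # interactive/console logons are not lateral movement
        reason = REMOTE_LOGON_TYPES[e["type"]]
        if e["type"] == 3 and e["auth"] == "NTLM":
            # A passed hash authenticates as an NTLM network logon; this is a
            # triage signal, since legitimate NTLM traffic is common in many networks.
            reason += " via NTLM (possible pass-the-hash)"
        hits.append((e["host"], e["user"], e["src"], reason))
    return hits

def flag_psexec_services(events):
    """Return (host, service) for 7045 service installs matching PsExec's name."""
    return [(e["host"], e["service"]) for e in events
            if e["id"] == 7045 and e["service"].upper() in PSEXEC_SERVICES]

def failed_logon_bursts(events, threshold=5):
    """Return {src: count} for sources with at least `threshold` failed logons (4625)."""
    counts = Counter(e["src"] for e in events if e["id"] == 4625)
    return {src: n for src, n in counts.items() if n >= threshold}

def analyze(events):
    """Run all checks; a source that shows up in more than one result is a strong lead."""
    return {"logons": flag_remote_logons(events),
            "psexec": flag_psexec_services(events),
            "failed": failed_logon_bursts(events)}
```

In the constructed data the same source address appears in the NTLM network logon, the RDP logon to the host where PSEXESVC was installed, and the failed-logon burst, which is the kind of correlation a real-time alert should surface.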

Lateral Movement Prevention Tips

Preventing lateral movement in the first place is the ideal scenario. Here are some pointers to improve prevention:

  • Network segmentation—Dividing your network into smaller, isolated segments can block off pathways for lateral movement. Give each network segment its own access controls and security policies to prevent hackers from accessing sensitive data, even if they've compromised another part of the network.

  • Protect password hashes—Protect password hashes using whatever method works for you. For example, use Kerberos for authentication rather than NTLM to avoid storing password hashes on local machines. Another method is to use solutions like Windows Defender Credential Guard. 

  • Principle of least privilege—The principle states that you should give users and systems only the minimum levels of access necessary to perform their tasks. By implementing this principle, fewer users have access to sensitive data, and threat actors struggle to exploit high-level permissions. 

  • User training and awareness—Training and awareness programs that incorporate social engineering can help users spot the signs of phishing attacks, even if they seem to come internally from trusted users. These signs include urgent calls to action and exploiting curiosity. 

  • Simulated attacks—Simulated attack exercises can help you uncover vulnerabilities you didn’t know about and hidden lateral movement paths. Particularly useful are red team vs blue team exercises where offensive security experts try to exploit vulnerabilities, bypass security controls, and move laterally through the network while the blue team defends. 

Combat Lateral Movement with FlexRange™ Programs

Cloud Range’s FlexRange™ Programs provide security teams with a series of realistic live-fire attack scenarios that reflect real-world cyber attacks. The flexible, frequency-based subscription of simulated exercises is for customers who want an ongoing and consistent training program for their teams to ensure preparedness for the most complex cyber attacks.

In a dynamic cyber range like Cloud Range’s, attacks start with the demilitarized zone as an initial foothold and then, in many cases, leverage lateral movement. The various exercises, led by Certified Expert Attackmasters™ and mapped to the MITRE ATT&CK Framework, will help your security team dramatically improve in detecting and responding to lateral movement. Exercise scenarios can be facilitated as either a single mission or an ongoing simulated attack program.

Get your demo today.