
Lateral Movement

Cyber Security – ‘Lateral Movement’


This guide is designed to introduce you to the cyber security subject of Lateral Movement, and show some of the common cyber security methods used to tackle it.

What is Lateral Movement (LM)?

LM refers to how attackers navigate a network after gaining an initial foothold, moving from one system to another. Attackers use LM to expand that foothold and reach valuable data or systems. It is achieved by performing internal reconnaissance to understand the network layout, compromising additional systems, escalating privileges and establishing persistence, and using stolen credentials to gain further access. The goal of LM may be to steal data or simply to cause disruption.

LM can be best described in the following stages:

It’s important to understand that lateral movement happens once the bad guys are already in your network, and it does not depend on the compromised system having internet access. Strong boundary protection is good cyber security, but tackling LM requires equally strong internal security.


How do the bad guys get into the network?

Attackers have a variety of methods available to them to gain access to a network. Here are some common techniques:

  • Exploiting vulnerabilities: Weaknesses in systems and applications can be exploited to gain a foothold.
  • Social engineering: Arguably one of the most common methods. Attackers trick users into giving up network credentials or clicking malicious links through phishing emails, phone calls, or other deceptive tactics.
  • Malware: Attackers can deploy malware that infects devices, often through unsuspecting users. This malware can steal credentials and create backdoors for remote access.
  • Password spraying/credential stuffing: Attackers may attempt to log in to multiple accounts with common passwords or leaked credentials in hopes of gaining access.
  • Zero-day attacks: Attackers may exploit vulnerabilities in software before a patch is available, giving them a significant advantage.


So what can we do to fight LM?

  • Look after your credentials: Protect all credentials. This includes strong password policies, secure storage (avoiding plain text or easily cracked hashes), and hardware-backed solutions where available. Work credentials should only be used on approved devices, so that the expected security controls are actually in place wherever those credentials are entered.
  • Strong authentication is key: Implement multi-factor authentication (MFA) to add an extra layer of security beyond passwords. Alternative methods like biometrics or hardware tokens can further tighten your defences.
  • Protect your admin accounts: Avoid granting broad access through single accounts. Strictly control local and domain admin accounts because of their extensive reach. Enforce separate accounts for daily tasks and admin duties, ideally on dedicated admin devices. Restrict privileged accounts from web browsing and email, and enforce MFA on them at every opportunity.
  • Principle of least privilege wins: Only grant users and accounts the minimum access needed for their roles. This can be achieved through tiered admin accounts, where each tier has specific, limited access levels. This reduces the overall number of high-privilege accounts and minimises potential damage if a lower-level credential is compromised. Avoid using full-privilege accounts for everyday tasks, and consider time-based access for additional security.
  • Network segmentation: Compartmentalise your network into isolated segments: identify, group and isolate critical business systems and apply appropriate network security controls to each group. This makes it much harder for attackers to reach their ultimate target even after gaining initial access, because they’ll be stuck in one segment without a route to critical systems or data in others.
  • Network monitoring: Network monitoring is crucial for detecting breaches after an attacker gains access. By recording and analysing logs from firewalls, operating systems, and other network devices, you can identify suspicious activity that might indicate an attacker’s presence. Focus your monitoring on high-value assets such as domain controllers, privileged users, and sensitive accounts. Maintain a complete and up-to-date network inventory so that unauthorised devices stand out. Unusual activity can occur both at the network protocol level and within applications, so be mindful of lateral movement tactics where attackers mimic legitimate traffic. The biggest challenge is separating genuine threats from false positives, so understanding your network’s usual activity and segmenting your network can significantly improve your ability to identify real security incidents.
  • Taste the honey: Consider deploying honeypots as decoys to lure attackers away from real systems. Production honeypots placed within your network can expose attempted intrusions, while research honeypots gather intelligence on attacker tactics. However, deploy honeypots with extreme caution and only if you have the expertise to manage them effectively.
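One way to put the network monitoring advice above into practice, as an added example that is not part of the original guide: a small Python detector that reads constructed network-logon records, ignores each account's usual destinations (the "usual activity" baseline), and flags accounts that fan out to several unfamiliar hosts within a short window. The record layout, the logon type value, the hostnames and the thresholds are assumptions for illustration, not a particular product's log format.

```python
"""Flag lateral-movement-style logon fan-out in constructed logon records.

Heuristic: an account that logs on over the network to several distinct
hosts in a short window, none of which it normally uses, is worth a look.
A per-account baseline of usual destinations cuts false positives from
routine admin or service-account work. Data and field layout are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: (timestamp, account, source host, destination host,
# logon type). Logon type 3 is used here to mean "network logon".
SAMPLE_LOGONS = [
    ("2024-05-01T09:00:00", "alice", "ws-101", "fileserver-1", 3),
    ("2024-05-01T09:05:00", "alice", "ws-101", "fileserver-1", 3),
    ("2024-05-01T09:12:00", "svc-backup", "backup-1", "fileserver-1", 3),
    ("2024-05-01T09:13:00", "svc-backup", "backup-1", "fileserver-2", 3),
    ("2024-05-01T21:30:00", "alice", "ws-101", "ws-102", 3),
    ("2024-05-01T21:31:00", "alice", "ws-102", "ws-103", 3),
    ("2024-05-01T21:31:30", "alice", "ws-103", "ws-104", 3),
    ("2024-05-01T21:32:00", "alice", "ws-104", "dc-1", 3),
]

# Constructed baseline: destinations each account is known to use routinely.
BASELINE = {"alice": {"fileserver-1"}, "svc-backup": {"fileserver-1", "fileserver-2"}}

def find_fanout(records, baseline, window=timedelta(minutes=10), threshold=3):
    """Return {account: sorted hosts} for accounts that reached at least
    `threshold` distinct non-baseline hosts over the network within `window`."""
    by_account = defaultdict(list)
    for ts, acct, _src, dst, logon_type in records:
        if logon_type != 3:                    # interactive logons are not hops
            continue
        if dst in baseline.get(acct, set()):   # routine destination, ignore
            continue
        by_account[acct].append((datetime.fromisoformat(ts), dst))
    alerts = {}
    for acct, events in by_account.items():
        events.sort()
        for i, (t0, _) in enumerate(events):   # slide a window from each event
            hosts = {d for t, d in events[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                alerts[acct] = sorted(hosts)
                break
    return alerts

if __name__ == "__main__":
    for acct, hosts in find_fanout(SAMPLE_LOGONS, BASELINE).items():
        print(f"possible lateral movement by {acct}: {', '.join(hosts)}")
```

In the sample data the backup service account touches only its baseline file servers and stays quiet, while the evening hop-by-hop chain from alice's workstation to a domain controller trips the detector; tuning `window`, `threshold` and the baseline is how you trade false positives for coverage.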