Lateral movement is one of the key reasons cyberattacks have become significantly more damaging over the last few years. Yet few organizations are aware of how this technique is being used by cybercriminals. In this piece, I’ll explain the concept behind lateral movement, and provide some tips on how organizations can protect against it.
About the author
Damien Benazet is Technical Account Management Director at Tanium.
Lateral movement technique has been key to the success of many high-profile attacks, including the WannaCry and NotPetya malware variants that struck organizations worldwide in 2017. Nearly all cyberattacks involve a form of lateral movement, a tactic which sees attackers installing ransomware on as many computers as possible, or searching for any valuable data on the corporate network, such as credit card information stored on servers
In some attacks, lateral movement is a slow, cautious and stealthy process managed by a remote human fraudster. In other attacks, it’s a lightning-fast traversal of endpoints automated by malware that takes advantage of lax administrative permissions or unpatched vulnerabilities. The main principle of lateral movement is to gain access privileges on a target’s computer. Within most organizations, there are typically a few main types of profile, each holding different access rights. Typically, guest profiles have access to a limited number of applications, user profiles are authorized the use of their individual workstation, and administrator profiles have a full set of rights: use, installation, modification and deletion of applications and settings.
Once a hacker has managed to access to a machine on the company network, their goal is to find connection identifiers – also known as credentials – that will give them superior rights in order to perform more malicious operations. The first step in this ‘lateral movement’ is often to use a small spyware called a “credential dumper,” which collects the other credentials present on the machine. It will then check if one of the recovered credentials has more important access rights than those already in its possession.
These login credentials are often stored in the computer’s cache as soon as someone has authenticated it, with a method that deposits these credentials on the computer. These login credentials correspond to other profiles, for example an IT employee who may have come in to solve a problem a few days earlier. The second step consists of repeating this operation and using these credentials to gain access to other machines, such as laptops or servers. The goal is to collect even more credentials with more privileges, to gradually expand across the network environment and gain more power – and doing as much damage as possible
A simple technique
Lateral movement is a very popular approach for hackers as it does not require huge amounts of resources or a need to have significant access from the start. All a hacker needs to do is gain access to one machine, then escalate privileges by exploring the neighboring ones.
The goal is to take control of as many machines as possible, with the highest permissible privileges, to have a network of computers and servers ready to launch an attack, or that would render the group unable to react once infected. For hackers, it’s much easier to set up than a network attack, mostly because it comes in the form of a surface approach that is often largely underestimated by IT management departments who have limited visibility.
How to reduce lateral movement paths
Fortunately, there are simple ways for organizations to protect their network from the lateral movement technique. The first step is to ensure that administrator delegations are properly managed across all workstations. Secondly, IT teams should close the Server Message Block (SMB), a network protocol that enables users to communicate with remote computers and servers, across all endpoints. If open, the SMB this can allow a machine to explore the network and search for other devices to infect.
A final measure is to set up authentication using a temporary random password for the local administrator profile, or by requiring multifactor authentication. With this strategy, the attacker will not be able to reuse a stored password since it can only be used once – making it more difficult for cybercriminals to use credentials to move laterally to other resources on the network.
IT departments often lack visibility into all the machines that are connected to their network. This lack of visibility can prevent security departments from knowing which credentials are on which machines. With more accurate endpoint visibility, IT departments would be able to see which sessions are still cached on computers and servers. This means that when any indication of compromised endpoints are spotted, all pertinent data can be collected and quickly sent to security teams for analysis and response.
Considering the success of recent malware, such as the recent attack on Ireland’s healthcare system, organizations need to act swiftly to implement these safety measures. In doing so, they will be better prepared and able to prevent cybercriminals from taking control of their network using the lateral movement technique.