by Sunil Kotagiri, Co-Founder of Seceon
Organizations are learning the hard way that preventative controls will never be 100% perfect and that they must have strong, real-time threat detection solutions to defend against today’s strategic attacks. One of the most potent techniques employed by these targeted attacks is reconnaissance or lateral movement: when attacks progressively spread through a network as they search for valuable assets and data. Quickly and reliably detecting lateral movement is one of the most important skills security professional must possess.
In many ways, the lateral movement attack phase represents the biggest difference between today’s attacks and the simplistic commodity threats of the past. Let’s take a deeper look at lateral movement and how to use this information in your daily security practice.
Understanding Lateral Movement
Today’s enterprise security teams are inundated with security events. It’s easy to burn through your day chasing down whitelist and prohibitive policy violations, investigating anomalies, or analyzing an executable reported by AV software or by a firewall that turns out to be adware.
However, a possible lateral movement indicator in your security events should be treated with the highest priority because it is a clear indication of a threat that is attempting to extend its reach into the enterprise.
In most cases, attackers must move from device to device and gain access privileges to get to the sensitive and valuable data inside your enterprise. In addition to digging deeper into your assets, lateral movement gives attackers strategic points of control in a compromised environment.
These additional positions allow attackers to maintain persistence if they are discovered on an initially compromised host. This makes lateral movement highly strategic to an attacker…
Is it All Doom & Gloom for Defenders??
While lateral movement is strategic to attackers, there are discernible advantages for defenders as well. For example, lateral movement is one of the kill-chain phases in which attackers do not control both ends of the connection. When attackers control both ends of a communication, such as with command-and-control or exfiltration traffic, they have an incredible amount of flexibility and multiple ways to hide their traffic.
However, lateral movement puts attackers in a more traditional position of having an attacking node and a target. This one-sided approach forces attackers to reveal themselves, and provides a great opportunity for security analysts to detect the threat.
Of course, this requires security teams to look in the right places and for the right information. Reconnaissance may involve straightforward attacks where cybercriminals scan for vulnerable hosts to exploit. Furthermore, attackers can pivot between compromised hosts to bounce deeper into the enterprise. This process of performing internal reconnaissance and passing information to subsequent hosts is often a clear indicator of lateral movement.
Security Skills at Play
When thinking of intrusions and Advanced Persistent Threats (APTs), it is easy to focus on malware. Nonetheless, as attacks become more advanced, they almost always contain a strong human element. This is especially true in the case of lateral movement.
The behavior of an external person controlling internal devices is something that network traffic behavior analysis tools can quickly recognize, and this behavior tied to any sort of internal reconnaissance or suspicious behavior should be an immediate red flag.
Additionally, lateral movement actions favor stealing or reusing a valid user’s credentials over spreading malware. Needless to say, impersonating a valid user gives attackers a quieter and more clandestine way to spread through a network than directly exploiting multiple machines.
As a result, it’s critically important for security professionals to build up and baseline the user identity and network intelligence that can recognize the signs when credentials are abused or abnormally used or when machines are exploited.
Can Artificial Intelligence Come to Rescue?
As described earlier, lateral movement forces the attackers to reveal themselves and positions well-prepared defenders in advantageous positions. Security solutions that offer East-West network visibility by ingesting network flows are a tremendous asset for security professionals. Additionally, solutions that offer end-to-end account login, credential abuse, resource/file access activity visibility are vital to identifying attacker reconnaissance.
With the advent of Artificial Intelligence (AI) and Machine Learning (ML), modern security solutions with User and Entity Behavioral Analytics (UEBA) capabilities can help defenders detect lateral movement easily by baselining the normal behavior of hosts and users and alerting security teams when an abnormal behavior is identified. These solutions free defenders from having to manually comb through the network and user activity logs for lateral movement, helping them focus on the most important security incidents.
Lateral movement will continue to be of strategic importance to the overall success of attacks. And as attackers get better at low-and-slow intrusions, their lateral movement skills will evolve and improve over time.
Make sure your security toolkit includes reliable ways to detect these malicious techniques so you can identify the highest-risk threats and create ample opportunities to disrupt attacks before your assets are damaged or stolen.
Thank you to Sunil Kotagiri, Co-Founder of Seceon for his time and expertise!
Latest posts by Ben Canner (see all)
- Revisiting Whether SOAR Will Replace SIEM in Business Cybersecurity - May 29, 2020
- Changing SIEM From Reactive to Proactive with Threat Hunting - May 27, 2020
- Top-Down SIEM: An Interview with Avi Chesla of Empow - May 21, 2020