June 6, 2022
How to detect, prevent & stop network lateral movement
What is Lateral Movement?
The growing appetite of threat actors has coincided with the constant evolution and innovation of their tools and techniques. Many of today’s cyber-attacks are no longer simplistic attacks in which attackers unleash the final malware payload at the point of entry. These victims, typically PCs of ordinary users, are too limited in scope to satisfy the ambitious objectives of attackers. Adversaries are after high-value assets such as sensitive data, high privilege users, critical systems and servers, databases, and source codes, which promise a handsome profit or allow them to cause costly business disruption. To achieve these goals, attackers must expand their reach in the compromised environment.
Lateral movement refers to the stage in which attackers employ various techniques to pivot from their point of entry and navigate deeper through the network in search of high-value assets.
Lateral Movement in the Cyber Kill Chain
Lateral movement forms part of a multi-stage attack process that is often depicted in a cyber kill chain, a model that maps the typical stages of a cyber-attack. Different versions of the cyber kill chain exist but lateral movement features in most of them, reflecting its prominence in modern-day attacks. Before propagating through the network, adversaries must complete several stages to form a solid base to expand their attack.
Internal Reconnaissance: After the initial breach, attackers leverage custom-loaded tools or legitimate system tools to scout the environment to figure out the location of high-value assets and plan the path of attack.
Privilege Escalation: After gaining initial access, attackers require elevated permissions to perform any subsequent actions. Common ways of obtaining higher privileges include taking advantage of system weaknesses, misconfigurations, and vulnerabilities.
Credential Access: Attackers steal credentials like account names and passwords to gain access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.
Why Lateral Movement Matters
Various research indicates that lateral movement occurs in between 60-70% of cyber-attacks. Once inside a network, attackers maintain their presence and move from system to system for a period that could span weeks and months. In these protracted attacks, also known as Advance Persistence Threats (APT), attackers spend up to 80% of the attack in the lateral movement stage before reaching their end goal. Detecting lateral movement early would go a long way toward foiling an attack and preventing serious damage inflicted on the organization.
Lateral Movement Techniques in Prominent Cyber-Attacks
Lateral movement is a tactic in the MITRE ATT&CK (Adversary tactics, techniques, and common knowledge) Framework, with nine associated techniques. These techniques have been leveraged to impressive effect in many high-profile cyber-attacks, demonstrating their decisiveness to the success of an attack.
Exploitation of Remote Services
Attackers exploit critical vulnerabilities in widely used Windows remote services, including SMB, RDP, Netlogon, and Print Spooler. Highly effective exploit tools have been developed to take advantage of these vulnerabilities, such as EternalBlue and EternalRomance, tools developed by the US National Security Agency (NSA). These tools have been leveraged to devastating effect in several high-profile malware campaigns, notably the WannaCry ransomware, Emotet, and NotPeyta.
Attackers compromise an internal user’s email account to deliver malware to other users in the organization. The Syrian Electronic Army (SEA) previously launched an attack on the Financial Times (FT). Once FT discovered the attack, its IT department sent emails to warn employees of the threat. The SEA subsequently launched a highly deceptive spear-phishing attack by mimicking these warning emails to compromise even more users.
Lateral Tool Transfer
Attackers transfer tools or malicious files between systems using native file-sharing tools and protocols such as SMB/Windows Admin Shares, FTP, cmd, and PsExec or authenticated connections via RDP. The threat actor DarkSide leveraged PsExec and RDP for lateral movement in its ransomware attack on the Colonial Pipeline, an attack that led to widespread fuel shortage and a significant spike in fuel prices.
Remote Service Session Hijacking
Attackers hijack preexisting sessions of remote services, such as telnet, SSH, and RDP, to carry out actions on remote systems. The WannaCry ransomware attack launched by North-Korean threat actor Lazarus infected around 230,000 globally, including Telefonica and the NHS. WannaCry used the taskse.exe trojan to enumerate Remote Desktop Protocol (RDP) sessions and execute the malware on each session.
Replication Through Removable Media
Attackers copy malware onto removable media or modify its existing executable files. Running the malware or modified executable file on a remote system grants the attacker access to that system. In early 2022, the FBI warned that the Russian APT group FIN7 had sent US companies malicious USB drives in an attempt to hack into their systems.
Software Deployment Tools
Attackers gain access to third-party software suites installed within an enterprise network, allowing the attacker to execute remote code on all remote systems that run the software. In one attack, Vietnam’s APT32 (aka OceanLotus) compromised the McAfee ePO infrastructure to distribute their malware as a software deployment task, which resulted in all connected systems pulling the malware from the ePO server.
Taint Shared Content
Attackers compile malicious programs, scripts, or exploit code to files stored on network drives or other shared locations. Once a user opens a shared tainted file, the malicious portion is executed on the remote system, allowing the attackers to move laterally. In one attack, the threat actor Gamaredon injected malicious macros into all Word and Excel documents on mapped network drives.
Use Alternate Authentication Material
Attackers steal alternate authentication material such as password hashes and Kerberos tickets using tools such as Mimikatz. These Pass the Hash (PtH) and Pass the Ticket (PtT) techniques allow attackers can bypass system access controls without knowing the plaintext credentials. The Russian-linked Conti ransomware gang deployed Mimikatz to gain authorized access in the high-profile attack on Ireland’s public health system and, more recently, KP Snacks.
Detect and Block Lateral Movement
With lateral movement techniques so varied and so sophisticated, defending against them is no straightforward task. So how exactly do you detect lateral movement?
Most organizations have some form of security solution or a combination of solutions in place to protect their network and systems, such as a firewall, IDPS, SIEM, and EDR. While these solutions contribute to the prevention and detection of lateral movement, they do not address the substance of lateral movement and may not be sufficient.
Where Other Solutions Fall Short
Firewalls are designed to monitor and control traffic entering and leaving a network (north-south traffic) rather than traffic within the network (east-west traffic). Therefore, they are not equipped with the capabilities to detect and block lateral movement.
IDPS: Intrusion Detection and Prevention Systems
Are similar to network firewalls in that they lack network-level detection capabilities and primarily rely on signature-based detection of known malware, which lateral movement may not involve.
SIEM: Security Information and Event Management
Is a security solution that performs real-time analysis of log files to detect suspicious behavior. However, not everything generates logs, especially the stealthy techniques that attackers use to conduct lateral movement.
EDR: Endpoint Detection and Response
Is a security solution that detects and responds to malware and malicious activity on an endpoint. While adversaries generally launch their attacks from endpoints, the services and tools used are often legitimate, allowing them to evade EDR detection. Additionally, attackers have the means to detect EDR software running on an endpoint and disable it. Neither do EDR solutions protect unmanaged devices and IoT devices, which are increasingly prevalent in modern enterprise networks.
Stop Lateral Movement Using NDR
The missing piece of the security jigsaw is Network Detection and Response (NDR).
NDR is a security solution that performs real-time monitoring and analysis of network-wide traffic (east-west and north-south) to detect and respond to malware and behavioral-based malicious activity in the network. Given that lateral movement takes place at the network level, where better to detect it than the network itself?
How NDR Detects and Responds to Lateral Movement
NDR collects and normalizes raw network traffic in real time and extracts traffic metadata to a central location for machine analytics.
A fundamental technology that underpins NDR is machine learning (ML). To detect malicious network activity, ML builds and dynamically optimizes baseline models of normal network activity for users, files, applications, endpoints, devices, and servers across the environment. Models for adversary tactics, techniques, and procedures are also incorporated to detect known attack patterns and behavior.
Metadata pulled from network traffic is analyzed with AI-powered behavioral and statistical analytics to identify anomalous activity. Behavioral analytics cross-references historical and real-time data to correlate seemingly unsuspicious events. Through behavioral analytics, NDR identifies signals showing user actions that break from patterns, like location or naming conventions, and looks at activity, apps, and accessed files to identify threats.
NDR is not only able to detect potential threats but can provide complete visibility of threat history, that is, the timeline of malicious activity covering the whole cyber kill chain. In this case, security teams can answer a broad range of questions when responding to an incident. For example, they can answer: What did the asset or account do before the alert? What did it do after the alert? When did the situation start to escalate? In this way, NDR greatly empowers security teams with the knowledge for fast response and remediation.
NDR can be integrated with other cyber security solutions to initiate automated responses through SOAR (Security Orchestration, Automation, and Response). For example, once preconfigured SOAR playbooks are triggered, NDR can communicate with the network firewall to block IP addresses that are deemed malicious or instruct EDR to block and kill certain services, processes, and ports that show signs of malicious activity.
Combining NDR with Lateral Movement Prevention Best Practices
Several best practices can help organizations prevent or mitigate lateral movement in the network. These measures are not foolproof, but they can be implemented to make it more difficult for the attackers and further enhance NDR’s effectiveness.
Network segmentation involves dividing up a network into two or more segments to control access between different segments. Segments can be set up for critical business systems with limited access permissions. This makes it harder for adversaries to reach and breach these segments. In the case of NDR, baseline models can be built for each network segment to optimize NDR’s learning of normal network activity, resulting in more accurate detection of anomalous behavior and minimizing the number of false positives.
Disable Unused Services/Features
Disable services and features that can be leveraged by attackers for lateral movement, such as SMB, RDP, and admin shares, if they are not used. This can be achieved using unified endpoint management software for greater efficiency and targeted implementation. If NDR and EDR pick up the activity of these services after they have been disabled, there is a strong indication of malicious activity.