Lateral Movement: The Silent Threat and How to Combat It Effectively

In December 2020, one headline dominated cybersecurity news: SolarWinds had been the target of a massive cyberattack. The story began over a year earlier (September 2019) when state-sponsored Russian hackers gained unauthorized access to SolarWinds’ network and inserted malicious code into SolarWinds’ Orion software. In February 2020, SolarWinds released the infected software as an update, unwittingly distributing the backdoor malware to its customers.

Ten months later, one client, cybersecurity firm FireEye, discovered the malware in its systems. As other organizations began looking for the newly discovered threat, investigations revealed that the state-sponsored threat actors had penetrated the networks of thousands of SolarWinds’ clients.

The incident is a reminder of the dangers of supply chain attacks, but SolarWinds’ clients also experienced another harsh lesson – the dangers of lateral movement. Once in other businesses’ infrastructure, the cybercriminals used lateral movement techniques to navigate those networks, identify valuable targets, and exfiltrate data. The financial fallout was fierce, costing SolarWinds $40 million and their clients an average of 11% of their annual revenue.

The Anatomy of a Lateral Movement Attack

Lateral movement has one simple but devastating goal – continuously elevating privileges and reaching ever more sensitive data. The process typically unfolds as follows:

  • Initial Breach and Entry Point: An attacker gains access to the network through phishing, exploiting a vulnerability, or compromising an endpoint.
  • Reconnaissance Phase: They map the infrastructure, identifying potential paths for further movement.
  • Credential Harvesting and Privilege Escalation: Attackers steal credentials or exploit other vulnerabilities to gain higher levels of access within the environment.
  • Movement Across the Network: With elevated access, they move laterally to reach high-value systems and data.

Common Techniques Used in Lateral Movement

The technique a bad actor uses to move laterally depends on factors such as the target organization’s tools, infrastructure, and segmentation; the attacker’s skill set and tooling; the goals of the attack; the need to evade detection; and time constraints. In many cases, they adapt their approach over the course of the attack. Here are some of the techniques they tend to favor:

Remote Desktop Protocol (RDP) Abuse: Attackers exploit unsecured RDP connections to gain unauthorized access to systems. This method was used in the infamous 2017 WannaCry ransomware incident.

Pass-the-Hash Attacks: Threat actors reuse stolen NTLM hashes to authenticate themselves without needing to crack plaintext passwords. This tactic was used in the 2013 Target data breach that exposed 40 million users’ credit and debit card accounts.

Use of Legitimate Admin Tools: Hackers abuse the tools IT teams and system admins use to legitimately manage, monitor, and secure IT environments, such as RMM tools, penetration testing tools, or PowerShell. In 2021, cybercriminals deployed ransomware to over 1,000 organizations through Kaseya VSA, an RMM solution.

Exploitation of Vulnerabilities in Internal Systems: Cybercriminals often target unpatched systems or applications to move laterally. This was how Equifax was breached in 2017.

Challenges in Detecting Lateral Movement

Detecting lateral movement is notoriously difficult for security teams for several reasons:

Speed of Lateral Movement: Attackers can move quickly across networks, making it nearly impossible to keep up with their activities.

Mimics Normal Network Traffic: Lateral movement often looks like routine administrative tasks or user activity, making it hard to distinguish from legitimate behavior.

Evades Traditional Security Controls: Firewalls, intrusion detection systems (IDS), and antivirus software may struggle to detect stealthy attacks.

Difficulties Monitoring Login Activity Across a Network: Traditional log management solutions often lack the scale and speed needed to track lateral movement effectively.

Rise of Hybrid and Remote Work: The shift to remote work has expanded attack surfaces and made it more challenging to monitor network activity.

The only way to overcome these challenges is to replace traditional security approaches and solutions with more modern ones designed to adapt to the evolving threats organizations face today. But, with such a crowded marketplace, which solutions enable teams to detect lateral movement and mitigate an attack?

How a Modern SOC Combats Lateral Movement

A modern Security Operations Center (SOC) powered by advanced technologies and managed by expert analysts can be invaluable when defending against lateral movement. The range of strategies and skills offered by a comprehensive SOC includes:

Continuous Monitoring and Threat Detection: A SOC provides 24/7 real-time monitoring of an organization’s infrastructure, utilizing AI-powered anomaly detection to identify suspicious behavior immediately, filter out false positives effectively, and escalate more severe threats for analysts to address.

Network Segmentation and Access Control: Implementing segmentation strategies and Zero Trust Architecture (ZTA) and Identity and Access Management (IAM) policies within a SOC provides a proactive edge; the constant verification, granular access controls, and isolation strategies all contribute to making lateral movement much more difficult and detectable.

Threat Intelligence Integration: Leveraging up-to-date threat feeds helps SOC analysts stay informed about emerging lateral movement techniques and proactively hunt for threats within the network.

Incident Response and Containment: A well-equipped SOC has rapid triage capabilities and can employ automated responses such as isolating systems to prevent further damage while allowing security teams to assess more sophisticated threats quickly.

Enhanced Defense: Combining a SOC with an MDR and SDL

While a SOC provides essential SecOps capabilities, a SOC that includes a Managed Detection and Response (MDR) solution with a built-in Security Data Lake (SDL) is one of the most powerful cybersecurity solutions available. This integrated approach enhances a SOC’s ability to correlate events across systems and networks, significantly shortens threat detection and response times, and provides extensive predictive capabilities and unparalleled visibility – all of which are especially relevant as companies face increasingly sophisticated attacks.

An AI-powered MDR with an SDL continuously ingests, analyzes, and stores vast amounts of security and non-security-related data from every company log source. This gives SecOps teams more comprehensive visibility and a better understanding of the company’s security posture, but visibility alone won’t help them identify the early signs of an attack.

The ML models working in these solutions are crucial as they excel at recognizing normal behaviors across an organization’s infrastructure and learning from past attacks. As the models analyze real-time data and events and compare those with historical information, they filter out false positives and reveal subtle patterns and anomalies indicative of a threat actor’s lateral movements, such as small data transfers.
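As an added illustration (not code from the original article or from any vendor’s product), the following Python sketch shows the kind of login-activity signal the detection sections above describe: it builds a per-account baseline of hosts from historical Windows-style logon records and then flags an account that authenticates over the network (logon types 3 and 10) to several previously unseen hosts within a short window. The event records, account names, hostnames and IP addresses are all constructed, and the window and threshold values are arbitrary assumptions. A fixed rule like this is not the ML-driven baselining the article describes, but it makes concrete what data a SOC needs to collect centrally and what a “fan-out” pattern looks like once it is there.

```python
"""Baseline-and-window heuristic for spotting lateral-movement-style logon fan-out.

All data below is constructed for illustration; it is not from any real environment.
Each record is a simplified Windows Security event 4624 (successful logon) with the
fields a SIEM would normally extract: timestamp, event id, account, source IP,
target host and logon type. Logon types 3 (network) and 10 (RemoteInteractive/RDP)
are the ones that indicate host-to-host movement.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed historical logons: what each account "normally" does.
BASELINE_LOG = """\
2024-03-01T08:05:11,4624,jdoe,10.0.5.23,WS-JDOE,2
2024-03-01T08:07:40,4624,jdoe,10.0.5.23,FS01,3
2024-03-01T22:00:02,4624,svc_backup,10.0.9.4,FS01,3
2024-03-01T22:00:09,4624,svc_backup,10.0.9.4,FS02,3
2024-03-02T08:03:55,4624,jdoe,10.0.5.23,WS-JDOE,2
2024-03-02T22:00:03,4624,svc_backup,10.0.9.4,FS01,3
2024-03-02T22:00:08,4624,svc_backup,10.0.9.4,FS02,3
"""

# Constructed recent window: jdoe suddenly reaches four hosts it has never touched;
# svc_backup touches one new file server, which on its own is not suspicious.
RECENT_LOG = """\
2024-03-05T09:01:12,4624,jdoe,10.0.5.23,WS-JDOE,2
2024-03-05T09:04:30,4624,jdoe,10.0.5.23,FS01,3
2024-03-05T09:06:02,4624,jdoe,10.0.5.23,WS-ALICE,3
2024-03-05T09:07:15,4624,jdoe,10.0.5.23,WS-BOB,3
2024-03-05T09:09:48,4624,jdoe,10.0.5.23,SQL01,3
2024-03-05T09:11:20,4624,jdoe,10.0.5.23,DC01,10
2024-03-05T22:00:04,4624,svc_backup,10.0.9.4,FS01,3
2024-03-05T22:00:10,4624,svc_backup,10.0.9.4,FS02,3
2024-03-05T22:00:17,4624,svc_backup,10.0.9.4,FS03,3
"""

LATERAL_LOGON_TYPES = {3, 10}  # network and RDP logons


def parse_log(text):
    """Parse the constructed CSV format into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, account, src_ip, host, logon_type = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "account": account,
            "src_ip": src_ip,
            "host": host,
            "logon_type": int(logon_type),
        })
    return events


def build_baseline(events):
    """Map each account to the set of hosts it has historically logged on to."""
    baseline = defaultdict(set)
    for e in events:
        if e["event_id"] == 4624:
            baseline[e["account"]].add(e["host"])
    return baseline


def detect_fanout(events, baseline, window=timedelta(minutes=10), threshold=3):
    """Flag accounts that reach >= `threshold` previously unseen hosts within `window`.

    Returns one alert per account, updated as further new hosts arrive so the
    analyst sees the full list of hosts touched rather than only the first three.
    """
    recent = defaultdict(deque)  # account -> deque of (ts, host) for new-host logons
    alerts = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["event_id"] != 4624 or e["logon_type"] not in LATERAL_LOGON_TYPES:
            continue
        if e["host"] in baseline.get(e["account"], set()):
            continue  # known host for this account: not interesting on its own
        q = recent[e["account"]]
        q.append((e["ts"], e["host"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()  # drop new-host logons that fell out of the sliding window
        hosts = {h for _, h in q}
        if len(hosts) >= threshold:
            prior = alerts.get(e["account"])
            alerts[e["account"]] = {
                "account": e["account"],
                "src_ip": e["src_ip"],
                "hosts": sorted(hosts),
                "first_seen": prior["first_seen"] if prior else q[0][0],
                "last_seen": e["ts"],
            }
    return list(alerts.values())


def run_demo():
    """Run the heuristic over the constructed data and return the alerts."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect_fanout(parse_log(RECENT_LOG), baseline)


if __name__ == "__main__":
    for alert in run_demo():
        print(f"{alert['account']} from {alert['src_ip']} reached {len(alert['hosts'])} "
              f"new hosts between {alert['first_seen']:%H:%M:%S} and "
              f"{alert['last_seen']:%H:%M:%S}: {', '.join(alert['hosts'])}")
```

Two design points carry over to a real deployment: the baseline has to be built from logs gathered across every host, which is exactly the scale problem the “monitoring login activity across a network” challenge refers to, and the rule deliberately ignores logons to hosts an account already uses, so a service account doing its nightly backup does not generate noise while an account fanning out to workstations, a database server and a domain controller does.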

If a threat is identified, incident response (IR) teams swoop in and focus on immediate containment and isolation of the threat, stopping the attacker from moving further. Digital Forensics and Incident Response (DFIR) teams then act, using the SDL for retrospective analysis and deeper investigation. They use the insights gained to reconstruct attack paths and build a complete attack story, which is crucial for understanding the full scope of the attack, mitigating the aftermath, and preventing future attacks.

Stopping Lateral Movement with Integrated Solutions

Given that the threat landscape is akin to a moving target, most organizations should reevaluate and update their cybersecurity defenses. The challenges posed by identifying lateral movement early on require nothing less. There are two choices: piecing together disparate solutions from various suppliers or selecting one comprehensive solution that includes all aspects needed to address modern security issues.

The first option carries a real risk: solutions from multiple vendors may not be optimized to work together, leaving gaps that threat actors can exploit. By contrast, a single-supplier, fully integrated solution that combines an AI/ML-powered SOC, MDR, and SDL will enhance threat detection capabilities and significantly reduce the repercussions of cyberattacks. The consequences of failing to detect lateral movement early on can be severe – extended dwell times, data exfiltration, and widespread system compromise can result in financial losses, reputational damage, and compliance violations. Instead of taking a risk and hoping for the best, invest in a comprehensive security solution; it’s essential for survival.
