
Cyber Security
Lateral Movement: Understanding the Tactics Used by Cyber Attackers
Andrea Abbondanza
13 Mar, 2025
A common mistake companies make is not knowing the types of cyber attackers they face and underestimating them until the resulting incident causes huge losses. Knowing some of the tactics attackers use is necessary to prevent this from happening in your company. Attackers pose numerous threats to individuals, businesses, and governments, ranging from financial fraud to data breaches and national security risks. So, are you already familiar with lateral movement?
What is Lateral Movement?

Lateral movement is the process by which attackers, after gaining an entry point or initial access, spread through the rest of the network to find vulnerabilities and reach their targets. Instead of attacking a single system, lateral movement moves sideways across connected devices, leading to deeper access and more sensitive information. This makes it one of the riskiest cyberattack tactics, because it can significantly affect an entire data system. Attackers carry out the movement in many ways, such as spreading malware (malicious software) to your systems. Such malware, including worms and viruses, may aim to capture sensitive data, crash your systems, or sabotage someone.
How Does Lateral Movement Happen?
Lateral movement occurs in real-world cyber attacks when attackers navigate through a compromised network to elevate privileges, access sensitive data or controls, or deploy ransomware. In other words, lateral movement happens when an attacker gains initial access to one system and then moves through the network to reach more systems, escalate privileges, and eventually reach high-value targets such as databases, financial systems, or admin accounts.
Lateral Movement Techniques

Internal spear phishing
This internal attack usually targets individuals or groups in an organisation by compromising the company's email accounts. Cybercriminals impersonate an internal employee, executive, or trusted colleague to trick another employee into revealing sensitive information or credentials, or into carrying out fraudulent actions. By using the mailbox of a real employee, especially one in a senior or privileged position such as IT or HR staff, attackers gain many advantages when hunting for data that is confidential to the company.
Therefore, internal spear phishing is one of the lateral movement tactics that needs to be prevented, because it is closely tied to privilege escalation, the cyberattack technique that turns a foothold into unauthorised higher-level access.
Pass the hash (PtH) attacks
Another technique is the Pass-the-Hash (PtH) attack, in which the attacker steals the hashed form of a password instead of the plaintext password and uses the hash itself to authenticate to a system, without cracking it. Once the attackers have harvested a password hash, it grants them access to the information system as that user. Once authenticated, the attacker can easily move further into the organisation's network, leading to the theft of information or data breaches.
To prevent PtH attacks, you should enforce multi-factor authentication (MFA): even if the password hash is stolen, the additional verification step will block access. In addition, you should rotate passwords regularly to make your system more secure.
Pass the ticket (PtT) attacks
Pass-the-Ticket (PtT) is quite similar to Pass-the-Hash (PtH), because both aim to gain access to your organisation without knowing a password. However, PtT uses a stolen Kerberos ticket instead of a hashed password: the attacker replays the ticket to gain unauthorised access. Moreover, Kerberos tickets remain valid for hours or days, allowing attackers to move across the network undetected. You need to monitor your systems more closely to prevent PtT from happening in your organisation, especially by watching for unusual logins.
Remote services exploitation
By compromising a single user's account or workstation, an attacker can use remote services to reach a company's sensitive resources, which is the attacker's primary goal. Remote services exploitation occurs when attackers abuse legitimate remote access tools (such as RDP, SMB, and VNC) to infiltrate and control systems through their remote administration interfaces. Using this technique, an attacker can take remote control of one user's machine, work their way towards the domain controller, and establish a persistent backdoor as a trusted, authorised user. In this sense the technique resembles identity theft.
Secure Shell (SSH) hijacking
SSH hijacking occurs when an attacker gains unauthorised control over a Secure Shell (SSH) session to take over a remote server. Because SSH is the standard way to administer macOS and Linux systems, a hijacked session can be used to infect other systems in an organisation. If a legitimate SSH session is active, an attacker who controls it can inject malicious commands. One example of SSH hijacking is an attacker logging in remotely without a password, installing malicious scripts, and stealing SSH keys to access company servers.
Windows admin shares
Windows admin shares allow remote administrative access to Windows systems. Attackers abuse these shares to move laterally in a network: the shares exist so that administrators can manage machines remotely, and hackers take the chance to use them to spread infection to other computers. To prevent this attack, the administrator must turn off a share if it is unnecessary. They also need to monitor remote access for unauthorised share access attempts. If the administrator checks the system regularly, it will reduce hackers' opportunity to abuse Windows admin shares.
What Types of Attacks Use Lateral Movement?

Ransomware
Ransomware is malware (malicious software) that attacks the victim's system by locking access to it and demanding a fee to profit from the victim. The threat actor warns that the organisation's data may be permanently lost, so these attacks are very damaging. If ransomware gets into your system, the affected systems can no longer be logged in to or used, and only the attacker can restore access. An organisation must understand how this malware works to avoid these attacks. For example, ransomware commonly uses asymmetric encryption inside the network and encrypts files with a public key, so the matching private key is needed to recover them.
Data exfiltration
Data exfiltration is the theft of confidential or sensitive information through social engineering, malware, or hacking. Many things can be stolen in this type of attack, such as the identities of an organisation's personnel and its intellectual property; attackers may also transfer the data out and hold it to extort the organisation, demanding payment to return it.
Espionage
This type of cyberattack is dangerous because it is hard to detect and may have been present in the system for a long time. The attacker chooses to enter silently, look for sensitive information buried in the system, and then steal it. The organisations most prone to espionage are therefore government agencies and the military, because they store a lot of highly confidential information.
Botnet infection
A botnet is a network of infected computers controlled by a hacker, known as the "botmaster", for the purpose of performing large-scale digital assaults. The owners of the infected computers are usually unaware that their machines are being used this way. This type of attack is usually part of a long-term campaign, so it can take a long time before it finally disrupts your systems. Once assembled, the botnet can launch a massive attack, and its goals include cryptojacking, scams, phishing, and many more.
What Are The Stages Of Lateral Movement?

Infection
In this stage the attacker establishes access to the victim's system, using various tactics to exploit vulnerabilities or deceive users into running malicious code. Standard techniques include phishing (distributing a malicious link to as many users as possible to gain access through it), injecting a virus to install malicious code, or infiltrating third-party vendors to enter the target's system through a supply chain attack.
Compromise
After infection, the attacker establishes continuous access to the system. Once inside, they make sure they do not get locked out: they create backdoors so that access is maintained even if the initial infection is detected and removed. The implant will typically communicate back to the hacker's command and control server (C2 or C&C server) to signal that it is ready to receive commands.
Reconnaissance
Gaining an initial foothold in your organisation's network is not the attacker's end goal. Through reconnaissance, they observe what is in the network and look for valuable assets, which may sit behind the strongest barriers within the network. At this stage, reconnaissance lets the attacker understand the system's hierarchy and identify connected devices, services, and security policies.
Credential theft
In the last stage, the hacker moves on to credential dumping and escalates privileges by stealing higher-level credentials. To reach the deepest parts of your network, hackers need authorised access on as many devices as possible, in the form of passwords, authentication tokens, or session cookies. Standard techniques are therefore keylogging to steal passwords and pass-the-hash attacks, which use stolen password hashes without cracking them to gain access.
Detecting lateral movement
Map lateral movement paths (LMPs)
Mapping Lateral Movement Paths (LMPs) means identifying unusual network traffic and analysing and visualising the possible routes attackers could take within a network after gaining initial access. This helps security teams understand how a threat could spread, so they can improve defences and reduce attack risk.
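To make the LMP idea concrete, here is an added example (not code from the original article) that maps attack paths over a constructed inventory of local admin rights and logged-on sessions; the hostnames, account names and the inventory itself are made up for illustration.

```python
from collections import deque

# Constructed inventory (not real data): which accounts are local administrators
# on which hosts, and which accounts currently hold sessions (and therefore
# reusable credential material) on which hosts. Both feed an LMP map.
ADMIN_RIGHTS = {  # account -> hosts where it is a local administrator
    "alice": {"WS-117"},
    "helpdesk1": {"WS-117", "WS-042", "FS01"},
    "svc_backup": {"FS01", "SQL02"},
    "da_admin": {"DC01", "SQL02", "FS01"},
}
SESSIONS = {  # host -> accounts with an active logon session on it
    "WS-117": {"alice", "helpdesk1"},
    "WS-042": {"bob"},
    "FS01": {"svc_backup"},
    "SQL02": {"da_admin"},
    "DC01": {"da_admin"},
}

def explore(start_host, admin_rights, sessions):
    """Breadth-first search from a compromised host. One hop uses an account that
    has a session on the current host and admin rights on the next host.
    Returns {reachable_host: shortest path as [host, account, host, ...]}."""
    paths = {start_host: [start_host]}
    queue = deque([start_host])
    while queue:
        host = queue.popleft()
        for account in sorted(sessions.get(host, ())):
            for nxt in sorted(admin_rights.get(account, ())):
                if nxt not in paths:          # first visit = shortest path
                    paths[nxt] = paths[host] + [account, nxt]
                    queue.append(nxt)
    return paths

def lateral_movement_path(start_host, target_host, admin_rights, sessions):
    """Shortest LMP from start_host to target_host, or None if none exists."""
    return explore(start_host, admin_rights, sessions).get(target_host)

def blast_radius(start_host, admin_rights, sessions):
    """Every other host an intruder holding start_host could reach."""
    return set(explore(start_host, admin_rights, sessions)) - {start_host}
```

Removing the helpdesk account's standing session on the workstation (tiered administration and least privilege) collapses the path from WS-117 to DC01 entirely, which is exactly the kind of fix the map is meant to reveal.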
Leverage reporting tools
Leveraging reporting tools means using data analytics, dashboards, and reports to track, analyse, and visualise key metrics for better decision-making. These tools help businesses and security teams understand trends, detect anomalies, and improve efficiency.
Investigate and analyse user behavior
Investigating and analysing user behavior refers to monitoring, detecting, and analysing user actions within a system or network to identify suspicious, anomalous, or potentially malicious activities. This is critical for threat detection, insider threat prevention, fraud detection, and security compliance.
Monitor unknown devices
Unknown devices can be a threat to an organisation, because an unrecognised device may belong to an attacker who is trying to dig up and steal your information. Therefore, checking connected devices regularly is necessary to keep the network safe.
Investigate abnormal administrative tasks and file sharing
By recognising abnormal administrative tasks and file-sharing activity, you can find out who is responsible for them and prevent unauthorised access to the system. Users must also be careful about who they grant access to when sharing organisational files.
Monitor logins, especially on devices using multiple credentials
It is also essential to know who logs in to the devices used in the organisation. Where possible, apply zero-trust principles so that outsiders cannot simply log in to the system.
Identify port scans and abnormal network protocols
In network security, port scans and abnormal network protocols are key indicators of cyber threats, including reconnaissance by attackers, spyware infections, and data exfiltration. Understanding and detecting these activities can help prevent unauthorised access and lateral movement within a network.
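The last two checks above, logins from one device spread across multiple credentials and port scans, can be written as the same sliding-window rule over normalised events. The following is an added example, not code from the original article; the hosts, accounts, addresses, sample events and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events (not real logs), in the normalised shape a SIEM
# would hold them: successful network logons and TCP connection attempts.
LOGONS = [  # (timestamp, source_host, account, target_host)
    ("2025-03-13T09:00:05", "WS-117", "alice", "FS01"),
    ("2025-03-13T09:00:09", "WS-117", "svc_backup", "FS01"),
    ("2025-03-13T09:00:14", "WS-117", "j.admin", "DC01"),
    ("2025-03-13T09:00:20", "WS-117", "j.admin", "SQL02"),
    ("2025-03-13T09:00:31", "WS-117", "j.admin", "FS02"),
    ("2025-03-13T09:00:44", "WS-117", "j.admin", "HR-APP"),
    ("2025-03-13T09:05:00", "WS-042", "bob", "FS01"),  # ordinary user activity
    ("2025-03-13T10:30:00", "WS-042", "bob", "FS02"),
]
CONNECTIONS = [  # (timestamp, source_ip, dest_ip, dest_port)
    ("2025-03-13T09:01:00", "10.0.5.17", "10.0.8.20", 22),
    ("2025-03-13T09:01:01", "10.0.5.17", "10.0.8.20", 135),
    ("2025-03-13T09:01:01", "10.0.5.17", "10.0.8.20", 139),
    ("2025-03-13T09:01:02", "10.0.5.17", "10.0.8.20", 445),
    ("2025-03-13T09:01:02", "10.0.5.17", "10.0.8.20", 3389),
    ("2025-03-13T09:01:03", "10.0.5.17", "10.0.8.20", 5985),
    ("2025-03-13T09:01:10", "10.0.5.30", "10.0.8.20", 445),  # normal file share use
]

def burst_detect(events, key, member, window, threshold):
    """Sliding-window rule: for each key (e.g. a source host) return the largest set
    of distinct members (e.g. accounts) seen within `window`, if it reaches `threshold`."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[key(ev)].append((datetime.fromisoformat(ev[0]), member(ev)))
    hits = {}
    for k, evs in by_key.items():
        evs.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(evs):
            seen = {m for ts, m in evs[i:] if ts - start <= window}
            if len(seen) >= threshold and len(seen) > len(hits.get(k, ())):
                hits[k] = seen
    return hits

def multi_account_sources(logons, window=timedelta(minutes=10), min_accounts=3):
    """One device authenticating with several different credentials."""
    return burst_detect(logons, lambda e: e[1], lambda e: e[2], window, min_accounts)

def fan_out_accounts(logons, window=timedelta(minutes=10), min_targets=3):
    """One account reaching many different hosts in a short time."""
    return burst_detect(logons, lambda e: e[2], lambda e: e[3], window, min_targets)

def port_scan_sources(conns, window=timedelta(seconds=60), min_ports=5):
    """One source probing many ports on the same destination."""
    return burst_detect(conns, lambda e: (e[1], e[2]), lambda e: e[3], window, min_ports)
```

On the sample data the workstation WS-117 trips the multi-credential rule and the j.admin account trips the fan-out rule, while bob's two logins, 85 minutes apart, stay below the window.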
Preventing lateral movement
Install software updates and system patches regularly
Lateral movement relies on attackers exploiting vulnerabilities in systems, applications, or network protocols to gain unauthorised access and move across an organisation's infrastructure. Keeping software and systems up to date across the enterprise significantly reduces the risk of lateral movement by eliminating known security flaws. Hackers typically target systems that are old and rarely updated, because these are easier to break into. Regular update checks, especially for the software users rely on most, make it much harder for hackers to penetrate the system.
Update endpoint security solutions
Endpoint security solutions make your devices more secure through specialised tools, such as detection agents and antivirus software, that guard against unauthorised access. The many kinds of malware spreading across mobile and other devices have made us more aware of the need to protect our endpoints, and those protections only work if they are kept up to date.
Enforce the principle of least privilege (PoLP)
The Principle of Least Privilege (PoLP) is a cybersecurity best practice where users, applications, and systems are given the minimum level of access required to perform their tasks and nothing more. Enforcing PoLP reduces the risk of insider threats, data breaches, and spyware attacks.
Use multi-factor authentication (MFA)
Multi-factor authentication gives you double protection by requiring more than one form of verification. The system only recognises you after you have completed each verification step, which makes it much harder for an intruder to get in.
Implement network segmentation
Network segmentation divides a network into smaller, isolated segments to restrict unauthorised access, improve security, and prevent intruders from moving freely within a system. It helps contain threats like ransomware and insider threats.
Backup critical data
Every organisation holds a lot of critical, confidential data that must be protected. Without strong safeguards, that data faces many threats, such as theft, or even deletion by an attacker. It is therefore imperative to back up critical data regularly to keep your systems and data safe. Secure backups also maintain the continuity and sustainability of your organisation and make it more resilient.
Implement zero-trust security
Zero-trust security is essential for organisations with sensitive and private data, such as healthcare organisations or government. It is hard for a hacker to penetrate because zero trust does not automatically trust any user accessing a system: it checks repeatedly whether the user is entitled to access and denies anyone who cannot pass the checks. With zero-trust security, your data is far more likely to remain protected from cyberattacks.
What is the difference between pivoting and lateral movement in cyber security?
Pivoting is when an intruder uses a compromised system as a launch point to attack other devices or networks that are not directly accessible from the intruder's original point of entry. Lateral movement, by contrast, extends the intruder's control to additional systems by moving within the same network after gaining access.
Why would an attacker use the lateral movement technique?
Lateral movement lets attackers reach many parts of the network and spread to gather more information or organisational data, so they can reach the company's sensitive resources and achieve their goal. It also lets them compromise systems more easily, because the activity is difficult to detect.
What would be an example of a lateral movement attack?
Examples vary, but a typical lateral movement attack begins with an initial infection or identity theft that gives the attacker an initial foothold in the network, followed by credential theft to gain higher privileges and access critical systems. Such an attack can escalate into a network-wide compromise and could affect an organisation's patient care, financial records, and operations.
Conclusion
Lateral movement is a serious cyber threat that allows the aggressor to infiltrate deeper into a network, increasing their attack impact. Preventing lateral movement requires a multi-layered security strategy, including installing software updates and system patches regularly, updating endpoint security solutions, enforcing the principle of least privilege (PoLP), using multi-factor authentication (MFA), implementing network segmentation, backing up critical data and adopting Zero Trust principles. Organisations can proactively secure networks to reduce the risk of widespread cyberattack damage.
