Lateral Movement and How to Detect It

You may have heard of the concept of lateral movement within the context of security operations and possess a general idea of how threat actors leverage this tactic to gain access to your data. But what exactly is lateral movement? And how does it impact your organization’s security operations?

What is Lateral Movement?

Let’s start with the definition MITRE ATT&CK™ provides for lateral movement:

Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and gaining access to accounts. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.

Lateral Movement Techniques

The important thing to focus on within MITRE’s definition is that lateral movement is not a single technique, but a set of techniques used by threat actors, including advanced persistent threats (APTs), to move from the systems they already control toward their intended target.

These techniques highlight the various vulnerabilities and methods used to steal credentials and exploit remote services. You can find the full list of lateral movement techniques and steps for mitigating each technique on MITRE’s website. Examples of lateral movement include:

  • Pass the hash (PtH)
  • Pass the ticket (PtT)
  • Exploitation of remote services
  • Internal spearphishing
  • SSH hijacking
  • Windows admin shares

Detecting Lateral Movement

The key to detecting techniques indicative of lateral movement is realizing that there’s more than one approach to identifying this type of activity. In many cases, it might require a combination of approaches to identify when a threat actor is moving throughout your environment.

While detecting lateral movement within your environment is no simple task, there are multiple methods that can help alert you to suspicious activity related to lateral movement techniques and provide context that supports the investigation process.

By using both real-time monitoring and behavioral analysis, you can immediately identify potentially malicious activity and investigate such activity with contextual evidence. Let’s break down exactly what these two capabilities are to better understand how they work together.

Real-Time Monitoring (Alerting)

Effectively collecting, normalizing, and correlating data across an environment provides real-time alerting that can identify suspicious activity that needs further investigation. By aggregating alerts, this technology can help observe the progression of a threat in real time and view compounding activity that further points to a true threat.

When using real-time monitoring, you can also apply rules that map to the MITRE ATT&CK framework, specifically around lateral movement techniques. Providing rules for all techniques under the framework can ensure that you’re covering all potential areas of exploitation.

Behavioral Analysis (Investigation)

Behavioral analysis provides a unique look at the activity of users and network entities to prioritize and address activity that shows significant deviation from normal behavior.

User and entity behavior analysis (UEBA) solutions use machine learning (ML) to determine both the baseline (normal behavior) of each user and entity and the significance of any activity that deviates from that baseline. Understanding these deviations can provide contextual evidence that supports the investigation into an alert around suspicious activity.

With each method of detection providing a unique perspective and having different resource and timing requirements, it’s important not to depend solely on a single method that may or may not be the right approach for every scenario. Some scenarios may only need real-time alerting to efficiently detect lateral movement techniques while more sophisticated attacks may require both alerting and investigation through behavioral analysis to confidently identify a malicious actor.

Lateral Movement Use Case

Below is an example of a lateral movement attack and the corresponding detection sequence.

Attacker: Reconnaissance

  • The attacker initiates recon and intel gathering using a combination of tools such as OpenVAS, Nmap, Shodan, etc.

Attacker: Exploit

  • The attacker exploits a vulnerability identified during recon to gain initial access.

Attacker: Credential Theft

  • The attacker uses an internal spearphishing technique to exploit other users within the same organization and gain greater access.

SecOps: Initial Alert

  • A correlation rule is triggered immediately by phishing indicators and an alert is generated.
  • A new case is created.
  • An investigation is initiated.

Attacker: Privilege Escalation

  • After a successful spearphishing exploit, the attacker attempts to escalate privileges to gain access to the intended target.

SecOps: Additional Alert Triggered

  • An alert is triggered due to privileges being modified.
  • A new alert is added to an existing case.
  • SecOps continues the investigation using behavioral analysis to identify anomalous activity and add context to existing alerts.

Attacker: Data Exfiltration

  • The attacker initiates an RDP session to remotely access the targeted server.
  • The attacker views sensitive data on the target server.
  • The attacker begins copying files from the server.

SecOps: Additional Alert Triggered and Response

  • An alert is triggered due to sensitive file access.
  • An alert is triggered due to file copy.
  • New alerts are added to an existing case, which now has sufficient evidence to begin remediation.
  • SecOps initiates automated action to disconnect the user’s RDP session and lock the user out of the server.
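The SecOps side of the sequence above, from the initial phishing alert through the automated RDP disconnect, as an added example that is not part of the original post: a small Python correlation engine that groups alerts into one case per user, tags the alerts that correspond to lateral movement techniques with their ATT&CK technique IDs, and fires the response only once the case holds enough evidence. The event types, rule weights and response threshold are assumptions made for illustration, and the sample events are constructed.

```python
from dataclasses import dataclass, field
# Constructed sample events for the sequence above (not real log data).
EVENTS = [
    {"t": 1, "user": "alice", "type": "phishing_indicator", "host": "mail01"},
    {"t": 2, "user": "alice", "type": "privilege_change", "host": "dc01"},
    {"t": 3, "user": "alice", "type": "rdp_logon", "host": "fileserver01"},
    {"t": 4, "user": "alice", "type": "sensitive_file_access", "host": "fileserver01"},
    {"t": 5, "user": "alice", "type": "file_copy", "host": "fileserver01"},
    {"t": 6, "user": "bob", "type": "rdp_logon", "host": "jumpbox01"},
]
# Rules: event type -> (alert name, evidence weight); weights/threshold are an assumed scheme.
RULES = {
    "phishing_indicator": ("Internal spearphishing indicators", 2),
    "privilege_change": ("Privileges modified", 2),
    "rdp_logon": ("RDP session to server", 1),
    "sensitive_file_access": ("Sensitive file access", 2),
    "file_copy": ("File copy from server", 2),
}
LATERAL_MOVEMENT = {"phishing_indicator": "T1534", "rdp_logon": "T1021.001"}  # ATT&CK IDs
RESPONSE_THRESHOLD = 8

@dataclass
class Case:
    user: str
    alerts: list = field(default_factory=list)    # (t, alert name), in order
    techniques: set = field(default_factory=set)  # ATT&CK IDs seen in this case
    rdp_hosts: set = field(default_factory=set)
    score: int = 0
    actions: list = field(default_factory=list)   # automated responses taken

def correlate(events):
    """Add each alert to the user's case (created on the first alert); respond
    once the case holds enough evidence. Returns cases keyed by user."""
    cases = {}
    for ev in events:
        rule = RULES.get(ev["type"])
        if rule is None:
            continue  # no rule matched this event, so no alert
        name, weight = rule
        case = cases.setdefault(ev["user"], Case(ev["user"]))
        case.alerts.append((ev["t"], name))
        case.score += weight
        if ev["type"] in LATERAL_MOVEMENT:
            case.techniques.add(LATERAL_MOVEMENT[ev["type"]])
        if ev["type"] == "rdp_logon":
            case.rdp_hosts.add(ev["host"])
        if case.score >= RESPONSE_THRESHOLD and not case.actions:
            for host in sorted(case.rdp_hosts):  # disconnect RDP and lock out
                case.actions += [f"disconnect_rdp:{host}", f"lock_account:{case.user}@{host}"]
    return cases
```

Running `correlate(EVENTS)` leaves bob's lone RDP logon as a low-score case with no action, while alice's case crosses the threshold only on the file copy, matching the point at which the sequence above begins remediation.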

Preventing Lateral Movement

Reducing the time it takes your team to detect and respond to lateral movement will lower the chances of a threat actor moving across your network and eventually gaining access to sensitive data. UEBA solutions that integrate security orchestration, automation, and response (SOAR) capabilities can help your team quickly identify all related malicious activity for rapid detection and response.

Watch our on-demand webinar to learn more about the UEBA market and how it can give your team visibility into insider threats here.