What is Lateral Movement?

Lateral movement is a well-known tactic of cyber attackers, above all APT groups, used to spread within a network. Attackers start from the initially compromised IT system and move on from there. The goal is usually data exfiltration or reaching a specific IT system (e.g., a Domain Controller).

Why is Lateral Movement so dangerous?

Lateral movement can extend over days or months and remain undetected. Attackers - especially professional ones - are very careful and proceed deliberately. They often expand their control over data and systems very slowly; the top priority is not to be detected. Their traffic is often disguised as regular network traffic. If the spread is not stopped, it can lead to massive damage, both financially and to the company's reputation. Recovering from an attack of this kind is anything but easy: often entire IT systems have to be rebuilt for security reasons, because nobody can say with certainty which systems the attacker touched. This costs time, money, and nerves, and it ties up a considerable portion of IT resources.

The fact that our IT systems are becoming increasingly complex - and thus harder to control and monitor - makes things easier for attackers.

How do hackers proceed with Lateral Movement?

The initial compromise of an IT system is the starting point. The causes of a successful initial attack are diverse: phishing emails, zero-days, or unpatched systems, for example. Once attackers control the first system and, if necessary, have expanded their rights on it, internal reconnaissance of the network follows. Potential targets (database servers, domain controllers, ...) are scouted. Simple built-in commands can be used for this (netstat, ping, arp, net view, ...), or special tools are installed (port scanners, tools for analyzing the ARP cache). Subsequently, various techniques are used to reach the targets.

What techniques do hackers use for Lateral Movement?

Which technique is specifically used depends heavily on the situation of the attacker and the target. Here are some examples:

  1. Target is an outdated server/PC:
    A known security vulnerability in an unpatched service is exploited to gain access to the system.
  2. Keylogging:
    The attacker installs a keylogger on a system to intercept passwords and other sensitive data.
  3. Pass-the-Hash/Pass-the-Ticket:
    Both are techniques for authenticating to other systems without knowing the password: Pass-the-Hash replays a stolen NTLM hash, Pass-the-Ticket replays a stolen Kerberos ticket (a TGT or a service ticket).
  4. Mimikatz:
    The classic: the attacker reads credentials (NTLM hashes, Kerberos tickets and, on older or misconfigured systems, plaintext passwords) from the memory of the LSASS process on the current system in order to reuse them elsewhere.
  5. Privilege Escalation:
    Often, the compromised user does not have the rights needed to access the target system, so the attacker first tries to expand those rights.
  6. Internal Tools:
    If an attacker needs to install special tools, the risk of detection increases significantly. Therefore, attackers often use internal tools instead ("living off the land") - pre-installed system tools such as PowerShell, WMI or PsExec-style remote execution that are also used for legitimate administration.
  7. Software Manipulation:
    Professional attackers know how to manipulate or disable security software such as antivirus and EDR/XDR in order to remain undetected.

When is a network particularly vulnerable to Lateral Movement?

A network is particularly vulnerable to lateral movement when there is insufficient network segmentation. If staff are allowed to reuse the same passwords across many systems and services, the network is also more vulnerable, because one captured credential then opens many doors. Often you also see that too many people have too many privileges - the classic example is the HR employee who is also a Domain Admin (because she occasionally needs to install a printer). Systems where nobody takes care of internal security are also easy prey for attackers. This includes not only applying updates and patches but also regularly conducting penetration tests. Another point is the lack of network monitoring for suspicious activities and network flows.

How can Lateral Movement be made more difficult?

  1. Network segmentation / Zero Trust architecture with micro-segmentation
  2. Penetration tests in the internal network / Red Teaming
  3. Antivirus software on all endpoints
  4. Implementation of good (!) XDR/EDR solutions and SIEM for monitoring
  5. IAM: Use of 2FA/MFA for every service and relevant login

How to detect attackers in the network?

To detect attackers in the network, you need software that collects the right data and personnel capable of interpreting it. SIEM systems store authentication and network events: a user logging into many different systems within a very short time should trigger an alarm. EDR/XDR solutions are capable of detecting suspicious activities on endpoints, such as executing PowerShell scripts, installing software, or deleting log files. Network traffic should also be monitored - data exfiltration via DNS or HTTP is a popular means of stealing data.
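The SIEM rule mentioned above, "one user logging into many systems in a short time", as an added example that is not part of the original page: it runs over a constructed set of Windows Security log records (Event ID 4624, network logon type 3, the logon type produced by SMB, WMI and PsExec-style remote execution) and raises one alert per account that reached too many distinct hosts inside a sliding time window. The host names, user names, addresses and timestamps are invented for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records, already parsed into
# dicts the way a SIEM would store them (invented data for this example).
# EventID 4624 = successful logon, LogonType 3 = network logon.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-03-01T09:00:05", "TargetUserName": "j.smith",
     "Computer": "FS01.corp.local", "IpAddress": "10.0.1.15", "LogonType": 3},
    {"EventID": 4624, "TimeCreated": "2024-03-01T09:00:41", "TargetUserName": "j.smith",
     "Computer": "FS02.corp.local", "IpAddress": "10.0.1.15", "LogonType": 3},
    {"EventID": 4624, "TimeCreated": "2024-03-01T09:01:12", "TargetUserName": "j.smith",
     "Computer": "SQL01.corp.local", "IpAddress": "10.0.1.15", "LogonType": 3},
    {"EventID": 4624, "TimeCreated": "2024-03-01T09:01:50", "TargetUserName": "j.smith",
     "Computer": "DC01.corp.local", "IpAddress": "10.0.1.15", "LogonType": 3},
    {"EventID": 4624, "TimeCreated": "2024-03-01T09:02:30", "TargetUserName": "j.smith",
     "Computer": "WS-HR-07.corp.local", "IpAddress": "10.0.1.15", "LogonType": 3},
    # A failed logon (4625) against a sixth host: not counted by this rule.
    {"EventID": 4625, "TimeCreated": "2024-03-01T09:00:50", "TargetUserName": "j.smith",
     "Computer": "FS03.corp.local", "IpAddress": "10.0.1.15", "LogonType": 3},
    # Ordinary activity: an interactive logon, then two file-server logons hours apart.
    {"EventID": 4624, "TimeCreated": "2024-03-01T09:00:10", "TargetUserName": "a.mueller",
     "Computer": "WS-HR-03.corp.local", "IpAddress": "-", "LogonType": 2},
    {"EventID": 4624, "TimeCreated": "2024-03-01T09:05:00", "TargetUserName": "a.mueller",
     "Computer": "FS01.corp.local", "IpAddress": "10.0.2.33", "LogonType": 3},
    {"EventID": 4624, "TimeCreated": "2024-03-01T11:30:00", "TargetUserName": "a.mueller",
     "Computer": "FS02.corp.local", "IpAddress": "10.0.2.33", "LogonType": 3},
]


def detect_logon_fan_out(events, window_seconds=300, threshold=5):
    """Return one alert per account that performed successful network logons
    to at least `threshold` distinct hosts within any `window_seconds` span.

    Only EventID 4624 with LogonType 3 is considered: failed logons (4625)
    and interactive logons (type 2) are ignored, and machine accounts
    (names ending in '$') are skipped because they legitimately authenticate
    to many hosts and need their own baseline.
    """
    window = timedelta(seconds=window_seconds)
    by_user = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4624 or ev["LogonType"] != 3:
            continue
        user = ev["TargetUserName"]
        if user.endswith("$"):
            continue
        ts = datetime.fromisoformat(ev["TimeCreated"])
        by_user[user].append((ts, ev["Computer"], ev["IpAddress"]))

    alerts = []
    for user, logons in by_user.items():
        logons.sort()  # chronological, so a sliding window works
        start = 0
        for end in range(len(logons)):
            # Shrink the window from the left until it spans <= window_seconds.
            while logons[end][0] - logons[start][0] > window:
                start += 1
            in_window = logons[start:end + 1]
            hosts = {host for _, host, _ in in_window}
            if len(hosts) >= threshold:
                alerts.append({
                    "user": user,
                    "first_seen": in_window[0][0].isoformat(),
                    "last_seen": in_window[-1][0].isoformat(),
                    "hosts": sorted(hosts),
                    "sources": sorted({src for _, _, src in in_window}),
                })
                break  # one alert per account; the analyst gets the host list
    return alerts


if __name__ == "__main__":
    for alert in detect_logon_fan_out(SAMPLE_EVENTS):
        print(f"ALERT {alert['user']}: {len(alert['hosts'])} hosts between "
              f"{alert['first_seen']} and {alert['last_seen']} from {alert['sources']}")
```

In a real deployment the threshold and window are tuned per environment (help-desk staff and backup accounts legitimately fan out), and the same sliding-window logic can be keyed on the source address instead of the account to catch one compromised workstation spraying credentials across the network.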


Damian Strobel
We secure your network against lateral movement.