Lateral movement is a technique that adversaries use, after compromising an endpoint, to extend access to other hosts or applications in an organization. Lateral movement helps an adversary maintain persistence in the network and move closer to valuable assets. It can also allow adversaries to gain control of an administrator’s machine and the privileges and data associated with it.
An attacker’s main goal is to access valuable or sensitive information and stealthily exfiltrate or destroy it – while remaining undetected for as long as possible. After the initial compromise, the attacker will learn the network topology, steal credentials, and move laterally by accessing more systems and sensitive data.
Because attackers want to stay beneath the radar, they often avoid known malware and exploits that will trigger signature-based intrusion alarms. Instead, they will attempt to steal or guess passwords and then log in to remote machines or escalate privileges. Oftentimes, they “live off the land,” using benign processes and tools already installed on a host system to further their attacks. For example, they may use PowerShell, Windows Management Instrumentation (WMI), and PsExec to perform network discovery and lateral movement. Living off the land (LOL) attacks are often referred to as fileless attacks because attackers do not use traditional malware files. Malware can also be used in this attack technique. However, when malicious actors carry out more advanced threats, they often rely on admin tools and other “non-malware” to expand their reach while avoiding discovery.
Successfully orchestrating a targeted attack requires planning and persistence. A well-resourced attacker can usually find a way to infiltrate a targeted organization, even if that means first targeting an individual off-network via his or her personal accounts. But the initial exploit is just the beginning. Then the threat actor must map out the organization’s network, move laterally to other devices, gain access to desired servers or data, and then either steal, manipulate, destroy, or hold hostage those desired resources.
According to the MITRE ATT&CK framework:
"Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool."
Lateral movement is hard, if not impossible, for prevention controls to block automatically. Early detection is an essential strategy to shut down lateral movement. The longer it takes to detect, the more damage is done, resulting in far greater investigation and recovery costs.
Even if organizations collect the data needed to uncover lateral movement, the traditional problem is properly using it. Tools like Security Incident and Event Management (SIEM) can normalize and correlate data, but they are better suited to detecting clear cyber attacks. They are not as well suited to profiling activity over time or accurately detecting the anomalies associated with lateral movement. As a result, their correlation rules raise too many alerts, and most of these alerts ultimately get ignored by SecOps teams.
Behavioral analytics is the easiest way to find lateral movement attacks. The first step is to collect and stitch together key data, including network, endpoint, cloud and identity data. Using behavioral analytics and machine learning, security tools can profile user and device activity to identify administrators, standard users, endpoints, and servers. Analytics can also identify which users are associated with which applications and devices. Based on this information, security tools can detect a normal user acting like an administrator, or an administrator whose credentials have been misused for unexpected administrative access.
Threat actors may also compromise hosts by installing malicious code on network file shares or manipulating computer logon scripts. Cybersecurity teams can detect these techniques by looking for credential abuse and excessive failed logins. If multiple devices share the same credentials or if a single device logs in to network resources from distinct accounts in a short period of time, an attack may be in progress. If a normal user exhibits administrative behavior, such as managing remote machines, the user’s machine might be compromised.
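The three heuristics in the paragraph above (one account authenticating from many hosts, one host authenticating as many accounts in a short window, and a burst of failed logons) as a small detection script. This is an added example, not code from the page or from any vendor product; the logon events, host names and thresholds are constructed for illustration and would be tuned against real telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events: (timestamp, source host, account, target host, success)
SAMPLE_EVENTS = [
    ("2024-01-01 09:00:00", "WS-101", "alice", "FS-01", True),
    ("2024-01-01 09:01:00", "WS-202", "alice", "FS-01", True),   # alice's creds from a 2nd host
    ("2024-01-01 09:01:30", "WS-303", "alice", "DC-01", True),   # ...and a 3rd
    ("2024-01-01 09:05:00", "WS-404", "bob",   "FS-01", True),
    ("2024-01-01 09:05:10", "WS-404", "carol", "FS-02", True),
    ("2024-01-01 09:05:20", "WS-404", "dave",  "FS-03", True),   # one host, many accounts
    ("2024-01-01 09:06:00", "WS-404", "erin",  "FS-01", False),
    ("2024-01-01 09:06:05", "WS-404", "erin",  "FS-01", False),
    ("2024-01-01 09:06:10", "WS-404", "erin",  "FS-01", False),  # failed-logon burst
]

def parse(events):  # parse timestamps and sort so every per-key row list is time-ordered
    return sorted((datetime.fromisoformat(ts), h, u, t, ok) for ts, h, u, t, ok in events)

def burst(rows, window, min_count, distinct=False):
    """Values in the first window-sized span of time-ordered (ts, value) rows that holds
    at least min_count of them (distinct values if distinct); [] when no span qualifies."""
    for i, (start, _) in enumerate(rows):
        vals = [v for ts, v in rows[i:] if ts - start <= window]
        if len(set(vals) if distinct else vals) >= min_count:
            return sorted(set(vals))
    return []

def shared_credentials(events, min_hosts=2):
    """Accounts that authenticate successfully from min_hosts or more source hosts."""
    hosts = defaultdict(set)
    for _, host, user, _, ok in events:
        if ok:
            hosts[user].add(host)
    return {u: sorted(h) for u, h in hosts.items() if len(h) >= min_hosts}

def account_fan_out(events, window=timedelta(minutes=5), min_accounts=3):
    """Source hosts that log on with min_accounts or more distinct accounts within one window."""
    by_host = defaultdict(list)
    for ts, host, user, _, ok in events:
        if ok:
            by_host[host].append((ts, user))
    return {h: b for h, r in by_host.items() if (b := burst(r, window, min_accounts, True))}

def failed_logon_bursts(events, window=timedelta(minutes=1), threshold=3):
    """(source host, account) pairs with threshold or more failures inside one window."""
    fails = defaultdict(list)
    for ts, host, user, target, ok in events:
        if not ok:
            fails[(host, user)].append((ts, target))
    return {k: b for k, r in fails.items() if (b := burst(r, window, threshold))}
```

Each detector returns only the entities that crossed its threshold, so the same functions can be run over a day's worth of authentication logs and the results fed into an alert or a user risk score.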
XDR platforms are uniquely designed to quickly and accurately identify attackers as they move through the compromised network. XDR solutions ingest the broadest amount of data—including network, endpoint, cloud, and identity data—and build profiles of user and device behavior. Then they detect active attackers based on the behavioral anomalies that adversary activity, by necessity, introduces no matter what phase of the attack they are engaged in.
XDR solutions monitor internal network traffic and endpoint events and profile the normal patterns of internal host-to-host communication, application usage, file share usage, credential usage, administrative behavior, executable and process prevalence, and more. They can also detect common credential theft tools like Mimikatz and hacking techniques like "pass-the-hash."
XDR solutions identify attackers as they perform “East-West” reconnaissance and lateral movement by detecting anomalies in connectivity patterns, port and protocol usage, app usage, file share usage, credential usage and logon failures, and more. These anomalies are associated with the originating endpoint process. XDR solutions use behavioral detection and threat intelligence to classify the process as known or unknown malware, riskware, or a legitimate application. They also monitor user activity, such as user login events, and learn where users are typically located in the world, what applications they typically access, what devices they own, and many more dimensions of behavior to accurately pinpoint threats.
Cortex XDR, the industry's first XDR platform, includes an Identity Analytics module to detect lateral movement and identity-based attacks. Identity Analytics reveals advanced attackers, malicious insiders, and risky behavior by profiling user activity and detecting anomalies indicative of attack.
Identity Analytics provides a 360-degree view of every user, including a user risk score that lets analysts compare each user’s risk with other users and see the trend for a specific user over time. From the alert investigation view, analysts can drill down into more details about the user, such as domain, department, Active Directory groups, recent logins and more.
Cortex XDR also analyzes network events to find internal network-based threats, including lateral movement, using network detection and response (NDR) capabilities.