Lateral movement refers to the set of techniques a cyber attacker uses after gaining access to a corporate network. The attackers don’t stop at the first compromised host: they move around the entire network, taking over more computers and user accounts while exfiltrating data at the same time. They escalate their privileges to obtain higher permissions and eventually reach more confidential, critical and sensitive data.
While gaining an initial foothold into an enterprise network is the most critical and demanding stage of the entire cyber attack chain, post-exploitation techniques are just as crucial for completing the attacker’s objectives. An initial foothold alone gives an attacker only a limited view, because their privileges and access to the system and network are still restricted.
In this blog post we’ll discuss one of the critical post-exploitation techniques during a penetration testing or red teaming exercise, i.e. Lateral Movement.
In the MITRE ATT&CK Framework, Lateral Movement is listed as an Enterprise Tactic bearing the ID TA0008.
What is lateral movement in cyber security?
According to the MITRE ATT&CK Framework,
“The adversary is trying to move through your environment.
Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.”
In short, lateral movement consists of techniques and strategies that allow attackers to move around in the network, access network resources and data, and achieve their goals and objectives. Lateral movement is sometimes also known as Horizontal Privilege Escalation.
Lateral movement and the cyber kill chain
Every cyber attack or incident can be mapped onto the cyber kill chain, and lateral movement is a key link in that chain. It belongs to the post-exploitation stage, which sits under the Command and Control phase of the kill chain.
In short, an adversary cannot perform his actions on objectives without moving laterally in the network.
Anatomy of lateral movements
Let’s break down a cyber attack into its phases and understand how threat actors move laterally in the network.
Lateral movement can be divided into three phases, each further divided into the techniques and procedures used to attack the network. The full anatomy of the attack is given below:
Reconnaissance (or internal reconnaissance)
Once an attacker gets an initial foothold in the target network, they set out to carry out extensive internal reconnaissance to see what other hosts and users are present on the network and what type of services and network resources are being shared.
Exploitation, credential dumping and privilege escalation
After a thorough enumeration, the attacker exploits system misconfigurations, dumps credentials for various user, computer and service accounts, and escalates privileges horizontally (and vertically).
Once an attacker holds a handful of login credentials and has exploited system misconfigurations, they gain access to another host on the network or to another user account and, in doing so, move through the network laterally.
What causes lateral movement?
Server and operating system security misconfigurations are usually responsible for lateral movement attacks. While configuring servers, system administrators sometimes assign insecure permissions to files, leave sensitive data and files containing credentials in publicly accessible directories, or, most of the time, fail to implement the Principle of Least Privilege when running applications, services and network resources and when managing new and existing users.
Lateral movement techniques
While the MITRE ATT&CK Framework lists all the possible publicly known lateral movement techniques, some of the most commonly used techniques are mentioned below:
Threat actors use tools such as Mimikatz, pwdump etc. to extract user credentials from the memory of the running lsass process. These credentials may include service tickets and hashed and/or cleartext passwords.
Pass the hash
This technique allows an attacker to authenticate as another user with that user’s password hash, without needing the password itself. It removes the need to brute-force the hash to recover a valid plaintext password.
Adversaries may also use the “Overpass the Hash” attack, in which an attacker passes the hash to authenticate as a valid user and then uses the same hash to obtain a valid Kerberos ticket, which can in turn be used to perform a Pass the Ticket attack.
Pass the ticket
Kerberos is the default authentication protocol used by Microsoft Active Directory, and runs by default on UDP port 88.
Adversaries may steal or forge Kerberos tickets, which they can then use to authenticate to Microsoft Active Directory as any user, computer or service account and gain access to additional network resources and data managed by Active Directory.
It is important to know the types of Kerberos tickets that can be used to perform the attack:
Service ticket (ST): A service ticket grants access to one particular service in the network.
Ticket granting ticket (TGT): A TGT allows a user to request service tickets for any service or service account in the entire domain-joined environment.
Silver ticket: Silver tickets are forged by attackers for use with the Kerberos authentication protocol to generate new service tickets, which they can then use to authenticate to and gain access to additional resources and the systems hosting those services.
Golden ticket: A golden ticket is obtained from the Key Distribution Centre within Kerberos and can be used to generate a TGT and authenticate as any user, system or service account in the entire network, provided that the resource and/or system is domain-joined.
Application access tokens
Attackers may dump access tokens or keys that various applications or services use to authenticate. Attackers, after getting such tokens, may attempt to authenticate as that particular user and remotely manage that application or service.
This type of attack is most commonly found in a cloud environment, particularly in cloud-based applications and Software-as-a-Service (SaaS).
Attackers may hijack the sessions of currently logged-in users and issue commands and control systems while impersonating that user. One such case is found most commonly on Linux operating systems, where users use tmux or screen as an alternative to the Bourne-again shell (bash) or shell (sh).
Threat actors may attach to user sessions running on tmux and screen and remotely control their systems.
Adversaries may use Windows Remote Management (WinRM) to authenticate with valid accounts and interact with machines remotely. The attacker can then issue commands as the logged-on user.
WinRM can be used to run an executable, modify registry values, modify services etc. and can be initialised using the winrm command or using PowerShell.
Virtual network computing (VNC), remote desktop protocol (RDP), secure shell (SSH)
Threat actors, after dumping credentials, may use VNC, RDP and/or SSH to login as a valid user and access additional resources and data in the network, or control systems as per their objectives.
Exploitation of remote applications and services
Publicly known vulnerabilities in running applications, and misconfigured services running as other users, are a juicy target for an adversary. Such vulnerabilities are relatively easy to exploit and can give the threat actor complete control of the target system.
Sometimes attackers discover machines that exist only on the internal network and are not reachable remotely or sit behind firewalls. In this scenario, adversaries use pivoting techniques to interact with those internal machines and get past the firewall restrictions.
How to detect lateral movement?
Detecting and responding to lateral movement can be extremely difficult. For instance, an attacker logging in to a valid user account via SSH or RDP would be interpreted as legitimate activity. Detecting lateral movement therefore requires a combination of several approaches.
Real-time monitoring combined with behavioural analysis is possibly the only way to detect lateral movement.
For example, detecting a credential dumping activity followed shortly afterwards by an account log-on is a sign of an adversary moving laterally.
Similarly, two simultaneous sessions for the same user might indicate that an attacker is trying to hijack the session of a legitimate user, and so on.
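The two correlation patterns just described, credential dumping followed by a remote log-on and the same account holding two sessions from different sources, are shown below as an added example that is not part of the original post. The event records are constructed, their field names (ts, type, host, user, src, logon_type, process) are assumptions rather than any product's schema, and in practice the same rules would run over SIEM data; the Windows logon type numbers (2, 3, 10) are the real ones.

```python
"""Correlating credential-dumping and logon telemetry to flag lateral movement.

Added example, not part of the original post. EVENTS holds constructed records in
a simplified Sysmon/Windows-Security-like shape; the field names are assumptions
and real telemetry would be pulled from a SIEM instead.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows logon types used below: 2 = Interactive, 3 = Network, 10 = RemoteInteractive (RDP).
EVENTS = [
    # lsass memory read on WS01 by a process that has no business doing so
    {"ts": "2024-03-01T10:00:00", "type": "lsass_access", "host": "WS01",
     "user": "CORP\\alice", "process": "notepad.exe"},
    # network logon to FS01 with alice's account, originating from WS01
    {"ts": "2024-03-01T10:02:30", "type": "logon", "host": "FS01",
     "user": "CORP\\alice", "src": "WS01", "logon_type": 3},
    # bob gets two interactive sessions from two different sources within minutes
    {"ts": "2024-03-01T11:00:00", "type": "logon", "host": "WS02",
     "user": "CORP\\bob", "src": "10.0.1.20", "logon_type": 10},
    {"ts": "2024-03-01T11:05:00", "type": "logon", "host": "WS02",
     "user": "CORP\\bob", "src": "10.0.5.77", "logon_type": 10},
    # benign: carol logs on once, with no preceding credential access
    {"ts": "2024-03-01T12:00:00", "type": "logon", "host": "WS03",
     "user": "CORP\\carol", "src": "10.0.1.30", "logon_type": 2},
]

WINDOW = timedelta(minutes=15)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def dump_then_remote_logon(events, window=WINDOW):
    """Flag an lsass access on host H followed, within `window`, by a network
    logon on a different host whose source is H: dumped credentials being reused."""
    alerts = []
    for dump in (e for e in events if e["type"] == "lsass_access"):
        for logon in (e for e in events if e["type"] == "logon" and e["logon_type"] == 3):
            delta = _ts(logon) - _ts(dump)
            if logon["src"] == dump["host"] and logon["host"] != dump["host"] \
                    and timedelta(0) <= delta <= window:
                alerts.append({"rule": "dump_then_remote_logon", "user": logon["user"],
                               "from": dump["host"], "to": logon["host"],
                               "dump_process": dump["process"]})
    return alerts


def concurrent_sessions(events, window=WINDOW):
    """Flag the same account opening interactive sessions from two different
    sources within `window`: a possible hijacked or shared session."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "logon" and e["logon_type"] in (2, 10):
            by_user[e["user"]].append(e)
    for user, logons in by_user.items():
        logons.sort(key=_ts)
        for i, first in enumerate(logons):
            for later in logons[i + 1:]:
                if _ts(later) - _ts(first) > window:
                    break  # sorted by time, so nothing later can be inside the window
                if later["src"] != first["src"]:
                    alerts.append({"rule": "concurrent_sessions", "user": user,
                                   "sources": sorted({first["src"], later["src"]})})
    return alerts


def detect(events):
    """Run both rules and return the combined alert list."""
    return dump_then_remote_logon(events) + concurrent_sessions(events)


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

On the constructed events the first rule fires once (alice's account used from WS01 to FS01 within minutes of the lsass read) and the second fires once (bob's two sessions from different sources); carol's single log-on produces nothing. The 15-minute window and the choice of which logon types count as "interactive" are tuning knobs that should be set from the environment's own baseline.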
How can lateral movement be blocked?
While detecting lateral movement is a challenging task, preventing lateral movement is comparatively less challenging. To prevent lateral movement, it is important to understand how adversaries move laterally within an environment. Adversaries might use a number of methods to move laterally, including passing through weakly defended network segments, using valid credentials to access remote systems, or exploiting vulnerabilities to gain unauthorised access.
10 steps to prevent lateral movement in data breaches
Some of the practices that can be utilised to prevent lateral movement are:
1. Principle of least privileges
Implementing the Principle of Least Privilege is the primary defence for protecting high-value assets and accounts. Users should not be given elevated or administrative privileges if they have no need for them.
2. Multi-factor authentication
Using multi-factor authentication is the best practice for securing accounts, because if an attacker somehow obtains the credentials of a valid user, computer or service account, they would still have to find a way to bypass MFA, otherwise they wouldn’t be able to log in.
3. Password management
Strong and complex passwords offer protection against dictionary attacks. Implement strong and complex password policies and enforce the use of password managers to generate randomised passwords.
Implement the use of Microsoft LAPS in a domain joined environment to protect against Pass the Hash attacks.
Any network resource or application requested by the user should be logged and monitored. If the user has no need of that resource or application, they should not have access to it. Users should be given access to only those applications and services required to complete their daily tasks and jobs.
5. Strong end-point detection and response solution
Having a strong EDR solution helps in detecting and preventing lateral movement by identifying and blocking unusual activity. Monitor closely for techniques and procedures that resemble an APT, and configure EDR rules against the MITRE ATT&CK Framework.
Keep the servers and systems clean. Do not leave sensitive data or files with cleartext credentials in configuration files, source code or publicly accessible directories. Also, ensure no sensitive or confidential information and no credentials are shared in emails.
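The misconfigurations named in "What causes lateral movement?" and in the advice above (credential files left in readable locations) can be checked for routinely. The script below is an added example, not code from the original post: it builds a constructed sample directory tree with a few secret-looking files, then scans it for credential patterns and reports whether each hit is world-readable. The file names, contents and the hypothetical AWS-style key value are all constructed; the regular expressions are generic and deliberately simple, so a real audit would extend them and tune for false positives.

```python
"""Scanning a directory tree for cleartext credentials in readable files.

Added example, not code from the original post. build_sample_tree() writes a
constructed set of files into a temporary directory purely so the scan has
something to find; every secret in it is fake.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# Generic credential indicators (assumptions; extend for your environment).
PATTERNS = {
    "password_assignment": re.compile(r"(?i)(password|passwd|pwd)\s*[:=]\s*\S+"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


def is_world_readable(path):
    """True if the 'other' read bit is set (meaningful on POSIX file systems)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def scan(root, max_bytes=1_000_000):
    """Walk `root`; return one finding per file that matches any pattern."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_bytes()[:max_bytes].decode("utf-8", errors="ignore")
        except OSError:
            continue  # unreadable by the auditing account; skip rather than crash
        hits = [name for name, rx in PATTERNS.items() if rx.search(text)]
        if hits:
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "patterns": hits,
                "world_readable": is_world_readable(path),
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree():
    """Create a constructed directory tree with fake secrets; returns its root."""
    root = Path(tempfile.mkdtemp(prefix="lm_audit_"))
    (root / "www").mkdir()
    config = root / "www" / "config.php"
    config.write_text("<?php $db_password = 'S3cret!';\n")  # constructed
    os.chmod(config, 0o644)  # world-readable, the classic web-root mistake
    env_backup = root / "backup.env"
    env_backup.write_text("AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEYID0001\n")  # fake key
    os.chmod(env_backup, 0o600)
    deploy_key = root / "deploy_key"
    deploy_key.write_text("-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n"
                          "-----END OPENSSH PRIVATE KEY-----\n")
    os.chmod(deploy_key, 0o644)
    (root / "README.txt").write_text("No secrets here.\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for finding in scan(sample_root):
        print(finding)
```

Running it reports three files (the PHP config, the .env backup and the deploy key) and leaves the README alone; the config file and the key are flagged as world-readable, while the .env backup, although it still holds a key, at least is not. Point scan() at a real web root or home directory to use it as an audit.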
7. Network segregation
Segregate your network and keep high-value assets in isolation. Define and implement proper, strong ACLs. Divide the network so that systems with no need to communicate with each other are kept apart, and implement strong firewall policies to prevent data sharing and network communication between such systems.
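A segmentation design is only as good as the check that traffic actually follows it. The script below is an added example, not code from the original post: it expresses a small allow-list policy between named segments and audits constructed flow records against it, reporting every flow the policy does not permit. The segment names, subnets, ports and flow records are all constructed assumptions; in practice the flows would come from firewall or NetFlow logs and the policy from the ACLs the text recommends.

```python
"""Auditing observed network flows against a segmentation policy.

Added example, not code from the original post. The segment map, the policy and
the flow records are constructed assumptions used only to illustrate the check.
"""
import ipaddress

# Constructed segment map: segment name -> subnet (assumption).
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.0.1.0/24"),
    "servers": ipaddress.ip_network("10.0.10.0/24"),
    "high_value": ipaddress.ip_network("10.0.50.0/24"),
    "jump_hosts": ipaddress.ip_network("10.0.99.0/24"),
}

# Allow-list of (source segment, destination segment, destination port).
# "*" is a port wildcard. Anything not listed is a violation, including
# workstation-to-workstation traffic, which has no business reason to exist.
POLICY = {
    ("workstations", "servers", 445),
    ("workstations", "servers", 443),
    ("servers", "servers", "*"),
    ("jump_hosts", "servers", 22),
    ("jump_hosts", "high_value", 3389),
}

# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.0.1.15", "10.0.10.5", 445),   # workstation -> file server SMB: allowed
    ("10.0.1.15", "10.0.1.22", 445),   # workstation -> workstation SMB: violation
    ("10.0.1.15", "10.0.50.3", 3389),  # workstation -> high-value RDP: violation
    ("10.0.99.2", "10.0.50.3", 3389),  # jump host -> high-value RDP: allowed
    ("10.0.10.5", "10.0.10.6", 22),    # server -> server SSH: allowed by wildcard
    ("192.0.2.9", "10.0.10.5", 443),   # unmapped source: violation
]


def segment_of(ip):
    """Map an IP address to its segment name, or 'unknown' if it is unmapped."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def is_allowed(src_ip, dst_ip, dport):
    """Default-deny lookup: the exact port or the wildcard must be in POLICY."""
    src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
    return (src_seg, dst_seg, dport) in POLICY or (src_seg, dst_seg, "*") in POLICY


def audit(flows):
    """Return the flows the policy does not allow, with the segment path involved."""
    violations = []
    for src, dst, dport in flows:
        if not is_allowed(src, dst, dport):
            violations.append({"src": src, "dst": dst, "dport": dport,
                               "path": f"{segment_of(src)} -> {segment_of(dst)}"})
    return violations


if __name__ == "__main__":
    for violation in audit(FLOWS):
        print(violation)
```

On the constructed flows the audit returns three violations: SMB between two workstations, RDP from a workstation straight to the high-value segment, and a connection from an address that belongs to no known segment. Because the policy is default-deny, adding a new segment without adding its rules surfaces immediately rather than silently passing.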
8. Using honeypots
Consider using honeypots to lure the attacker into a trap from where you might detect an incident or a data breach and identify lateral movements or exfiltration of data.
9. Patches and updates
Constantly update and patch your operating systems and installed applications to fix publicly known security issues. Use a patch management solution to push updates and patches to all the systems in the network automatically.
10. Develop and implement a zero-trust architecture
A zero-trust architecture is the only protective method against lateral movement and escalation activities. Network segmentation, principle of least privileges, multi-factor authentication, strong and complex password policies, effective password and patch management etc. are the factors that contribute to building and implementing a Zero Trust security model.
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Master’s degree in Information Security and an OSCP, and has a strong technical skillset in offensive security.