Lateral movement is one of the stages of an attack on a company in which an intruder, having already penetrated and gained a foothold in the corporate infrastructure, moves through the network from the point of entry (for example, a compromised device or account) to other objects.
We can think of a computer network as a series of tiers: the internet is on one level, and the corporate network is on another. To penetrate the company’s infrastructure, an attacker attempts to switch from the internet level to the corporate network level; that is, to move vertically. And because systems connected to the corporate network are on the same level, going from one to another the attacker moves laterally.
An example of lateral movement would be a cybercriminal attempting to gain access to a company’s servers after hacking an employee’s account. This term is most often used in the context of targeted attacks, although some families of mass-distributed malware can also move laterally across a network.
Lateral movement techniques
Once inside a network, an attacker has several options for further lateral movement:
- To gain access to target databases and network resources under the guise of a compromised system user with the requisite privileges.
- To send phishing e-mails in the name of the owner of the same compromised computer with a view to hacking accounts of users with higher privileges.
- To scan the internal network environment for unprotected objects (open ports, applications with known vulnerabilities, devices with default passwords), and to exploit any that are found.
- To deploy malware for stealing passwords and secret keys stored on the compromised machine.
Countering lateral movement
By operating inside a company’s network, an attacker benefits from being invisible to security tools designed to protect against external threats. However, lateral movement is atypical behavior for an internal user, which makes it possible to detect such malicious activity.
Measures to counter attacks involving lateral movement through the network include the following:
- Listing allowed applications
- Tight control over access rights
- Strict password protection and authentication policies
- UBA and UEBA behavioral analysis technologies
- Endpoint Detection & Response (EDR)-class solutions
- Network traffic analysis (NTA)
- Specialized tools for combating insider threats