Detect, block, mitigate. This is the mantra of every team focused on information security. Overall, preventing network resources from being compromised by malware is one of the primary goals in security plans.
But that’s the vision of the defense team. To increase the security of your environment, it is important to also think like an attacker.
What is the purpose of a cybercriminal?
When a system is infected, the intentions of the victim and the attacker are different (of course!). The victim’s focus is to contain the threat that has infected an asset or system, mitigating its effects. With this, they intend to immediately avoid the most critical consequences for the business – for example data leakage, unavailability of systems, loss of productivity etc.
However, the attacker’s goal may not be as short-term as you might expect. While all of the effects above are within the scope of most attacks, remaining invisible or creating paths to return to a network may be even more valuable to cybercriminals.
What is network lateral movement?
Contrary to what you might expect, the first job of malware is usually not to compromise the system but to establish contact with external servers. It does this by opening connections to infrastructure the attacker controls.
Through this connection to the external server, the attacker can send new malicious payloads and additional instructions to the malware they control remotely.
Of course, once successful, the attacker will strive to remain invisible in the private network. They can achieve this by creating backdoors and by spreading to other devices within the same network. The paths malware takes within the network are known as network lateral movement.
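The contact with the attacker's server described above is something a defender can look for in network telemetry: automated implants tend to call home at regular intervals, whereas people browse in bursts. The following Python is an added example and not code from the original post. It runs over a handful of constructed flow records; the field layout, the host names, the addresses and the thresholds are all assumptions chosen for illustration.

```python
"""Flag outbound connection series that recur at near-constant intervals.

Added example, not from the original post. Flow records below are constructed
for illustration; the thresholds are assumptions, not vendor defaults.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch_seconds, source_host, destination_ip, destination_port).
# ws-17 talks to 203.0.113.9 every ~300 s (suspiciously regular) and to
# 198.51.100.20 at irregular, human-looking intervals.
SAMPLE_FLOWS = [
    (1000, "ws-17", "203.0.113.9", 443),
    (1300, "ws-17", "203.0.113.9", 443),
    (1601, "ws-17", "203.0.113.9", 443),
    (1899, "ws-17", "203.0.113.9", 443),
    (2200, "ws-17", "203.0.113.9", 443),
    (1020, "ws-17", "198.51.100.20", 443),
    (1090, "ws-17", "198.51.100.20", 443),
    (1500, "ws-17", "198.51.100.20", 443),
    (2300, "ws-17", "198.51.100.20", 443),
    (1010, "ws-22", "203.0.113.9", 443),
]


def find_beacons(flows, min_connections=4, max_jitter_ratio=0.1):
    """Return {(src, dst, port): mean_interval_seconds} for every peer pair whose
    inter-arrival times vary by at most max_jitter_ratio of their mean.

    Series shorter than min_connections are ignored: two or three hits are
    not enough to say anything about regularity.
    """
    by_peer = defaultdict(list)
    for ts, src, dst, port in flows:
        by_peer[(src, dst, port)].append(ts)

    beacons = {}
    for peer, times in by_peer.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        # pstdev/mean is the coefficient of variation: small means "clock-like".
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            beacons[peer] = avg
    return beacons


if __name__ == "__main__":
    for (src, dst, port), interval in find_beacons(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}:{port} every ~{interval:.0f}s")
```

Treat the output as a triage list rather than a verdict: update checkers, monitoring agents and mail clients also poll on fixed timers, so each hit still has to be matched against known software before anyone calls it command and control.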
Why does an attacker need to move within a network?
This is easy to answer. The more scanning the malicious application performs on behalf of the external server, the greater its chances of reaching sensitive data, stealing privileged credentials or simply spying on the actions of users in that environment.
Spreading to new devices increases the chances of identifying privileged traffic and reaching the network segments where the really relevant information is protected.
5 common tactics of lateral movement
- Credential Theft – This is the goal of any lateral movement. Passwords that give access to private systems, or tokens stored in memory, allow attackers to assume trusted identities and use them to create new paths within the network and to search for and exploit assets and data of great relevance. Because they act under valid credentials, identifying the malicious activity is a great challenge.
All lateral movement techniques rely on credentials. Therefore, securing access privileges is the primary focus of the security team. An important tip is to carefully study user requests and behaviour in the traffic reports offered by the network firewall or IPS: non-standard activity may indicate malicious activity.
- Remote Management – The ability to interact with any device connected on a network without being noticed is a great advantage to any attack.
Therefore, a common lateral movement technique is to abuse the system's legitimate applications in combination with administrative credentials.
PsExec is one such example. It is a legitimate Windows application that allows remote administration of network-connected machines.
It is not on any application blacklist and, since it works from the command line, no user is alerted to its operation. It is therefore a favourite of attackers, who can upload, execute and interact with devices from a remote host.
- PowerShell – This Windows configuration management framework is another frequent weapon of choice among cybercriminals. Some advantages it offers for lateral movement are:
- Simplified access to network sockets;
- Ability to load malicious code in memory;
- Direct access to the Win32 API;
- Interface with Windows Management Instrumentation (WMI);
- etc.
In other words, it makes it easier to steal credentials, modify settings and automate other actions on the system.
- Exploiting E-mail Boxes – Users' mailboxes offer several advantages to an attacker. Firstly, most users use e-mail to share and even store valuable information that can be exploited in new scams.
Another way to exploit these credentials is to run social engineering schemes against other corporate users, on or off the network.
A third way to leverage communications is to monitor the IT team's accounts for policy changes and defence tactics, which gives the attacker the edge to adapt.
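The Credential Theft and Remote Management items above both point at the same defensive opportunity: valid credentials are hard to distinguish from legitimate use one event at a time, but their pattern of use across hosts is visible in logs. The Python below is an added example, not code from the original post. It parses a constructed, simplified key=value rendering of Windows logon (event 4624, logon type 3) and service-installation (event 7045) events and applies two checks: an account authenticating to an unusually large number of distinct hosts in a short window, and a remote service installation named PSEXESVC, which is the service name the Sysinternals PsExec tool installs by default. Account names, hosts, addresses, the log layout and the thresholds are assumptions.

```python
"""Two lateral-movement indicators over constructed authentication logs.

Added example, not from the original post. The log format is a simplified
key=value rendering of Windows Security (4624) and System (7045) events;
real 7045 events do not carry the source address, so in practice that field
comes from correlating with the preceding network logon.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: j.silva uses one file server; svc_backup fans out to four
# hosts in under two minutes and a PSEXESVC service appears on the last one.
SAMPLE_EVENTS = """\
2024-05-02T09:00:01 EventID=4624 LogonType=3 Account=j.silva Source=10.0.1.15 Target=FS01
2024-05-02T09:05:12 EventID=4624 LogonType=3 Account=j.silva Source=10.0.1.15 Target=FS01
2024-05-02T09:00:40 EventID=4624 LogonType=3 Account=svc_backup Source=10.0.1.15 Target=FS01
2024-05-02T09:01:02 EventID=4624 LogonType=3 Account=svc_backup Source=10.0.1.15 Target=FS02
2024-05-02T09:01:30 EventID=4624 LogonType=3 Account=svc_backup Source=10.0.1.15 Target=DB01
2024-05-02T09:02:15 EventID=4624 LogonType=3 Account=svc_backup Source=10.0.1.15 Target=DC01
2024-05-02T09:02:20 EventID=7045 Account=svc_backup Source=10.0.1.15 Target=DC01 ServiceName=PSEXESVC
2024-05-02T14:30:00 EventID=7045 Account=it.admin Source=10.0.9.2 Target=WS-221 ServiceName=Spooler
"""


def parse_events(text):
    """Turn 'timestamp key=value key=value ...' lines into dicts with a 'ts' datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.fromisoformat(ts)
        events.append(fields)
    return events


def find_fan_out(events, max_targets=3, window=timedelta(minutes=10)):
    """Accounts whose network logons reach more than max_targets distinct hosts
    inside any window. Returns {account: sorted list of hosts}."""
    per_account = defaultdict(list)
    for e in events:
        if e["EventID"] == "4624" and e.get("LogonType") == "3":
            per_account[e["Account"]].append((e["ts"], e["Target"]))

    flagged = {}
    for account, logons in per_account.items():
        logons.sort()
        # Slide the window start over each logon and count distinct targets inside it.
        for i, (start, _) in enumerate(logons):
            targets = {host for ts, host in logons[i:] if ts - start <= window}
            if len(targets) > max_targets:
                flagged[account] = sorted(targets)
                break
    return flagged


def find_remote_service_installs(events, suspicious_names=frozenset({"PSEXESVC"})):
    """Service installations whose name matches a known remote-execution tool.
    Returns a list of (target_host, account, service_name)."""
    return [
        (e["Target"], e["Account"], e["ServiceName"])
        for e in events
        if e["EventID"] == "7045" and e.get("ServiceName", "").upper() in suspicious_names
    ]


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_EVENTS)
    print("fan-out:", find_fan_out(parsed))
    print("remote service installs:", find_remote_service_installs(parsed))
```

Neither check is conclusive on its own. Backup agents and vulnerability scanners legitimately touch many hosts, so the fan-out threshold has to be tuned per account type, and PsExec lets its service be renamed, so the name match catches the default case only; the two signals are most useful when they coincide on the same account and host, as they do in the constructed sample.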
Tips to avoid lateral movement in your network
Okay, in spite of everything, lateral movement is not the apocalypse of network security. But it is critical to be well prepared to deal with this tactic effectively. Understanding how it works is a great start for establishing your defenses.
It is important to remember that network security products (firewalls, IPS, ATP etc.) facilitate the management of suspicious traffic and various threats.
But for high-level protection, you need not only to combine these products but also to manage security policy consistently.
It is worth emphasizing that one of the great goals of lateral movement is to monitor users in order to get hold of their privileges and gain access to deeper levels of the system. With this in mind, the following recommendations can help you manage these cases better:
- Restrict privileges – Each user must be properly categorized and have access only to the systems, applications or network segments he or she is responsible for.
In a corporate network, for example, devices such as desktops and notebooks must be managed by IT staff only; therefore, no ordinary user should have privileges to manage any device;
- Use whitelists – Any application requested by a user should be evaluated carefully. It’s worth following a list of reputable applications and restricting those with known vulnerabilities. If there is a request to an application whose functions are already fulfilled by another, there may be no need to enable the service.
- Optimize authentication – Enforcing password management is an important practice to protect your users' accounts, and it also helps you cope with possible lateral movement attempts.
One of the most important tips is to require unique passwords for each system. You can read this BLOCKBIT blog post, which explains the different factors of authentication, or this one, which gives tips for your users to create safer passwords.
- Segment networks – Segments group applications and resources into logical units that can be managed in a customized way, with specific security policies and controls, session monitoring and differentiated authentication. Whenever possible, adopt microsegmentation.
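The "Restrict privileges" and "Segment networks" recommendations combine into a single default-deny question for every connection: is this flow between these two segments allowed at all, and is this account authorised to reach the destination segment? The Python below is an added example and not code from the original post or a BLOCKBIT product. It encodes a small constructed policy (four segments, an explicit allow list of segment-to-segment flows, and a map of which accounts may reach which segments) and audits a list of constructed access attempts against it. All addresses, segment names, accounts and ports are assumptions.

```python
"""Default-deny segment policy check combining segmentation and least privilege.

Added example, not from the original post. Segments, flows, accounts and the
sample attempts are constructed for illustration.
"""
import ipaddress

# Constructed segment map: address range -> segment name.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.0.1.0/24"),
    "file-services": ipaddress.ip_network("10.0.2.0/24"),
    "database": ipaddress.ip_network("10.0.3.0/24"),
    "management": ipaddress.ip_network("10.0.9.0/24"),
}

# Segment networks: everything is denied unless a (src_segment, dst_segment, port)
# rule exists. Note there is deliberately no workstations -> workstations rule,
# so peer-to-peer SMB between user machines is blocked.
ALLOWED_FLOWS = {
    ("workstations", "file-services", 445),
    ("management", "file-services", 445),
    ("management", "workstations", 3389),
    ("management", "database", 5432),
}

# Restrict privileges: which destination segments each account may reach.
USER_SEGMENTS = {
    "j.silva": {"file-services"},
    "it.admin": {"workstations", "file-services", "database", "management"},
}


def segment_for(ip):
    """Name of the segment containing ip, or None if it is outside all of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(user, src_ip, dst_ip, port):
    """Return ('allow' | 'deny', reason) for one access attempt."""
    src, dst = segment_for(src_ip), segment_for(dst_ip)
    if src is None or dst is None:
        return ("deny", "address outside any known segment")
    if (src, dst, port) not in ALLOWED_FLOWS:
        return ("deny", f"no rule for {src} -> {dst}:{port}")
    if dst not in USER_SEGMENTS.get(user, set()):
        return ("deny", f"{user} not authorised for segment {dst}")
    return ("allow", f"{src} -> {dst}:{port}")


def audit(attempts):
    """Evaluate (user, src_ip, dst_ip, port) attempts; returns tuples with the decision appended."""
    return [attempt + evaluate(*attempt) for attempt in attempts]


# Constructed attempts, chosen to exercise each branch of the policy.
SAMPLE_ATTEMPTS = [
    ("j.silva", "10.0.1.15", "10.0.2.10", 445),    # workstation to file server: allowed
    ("j.silva", "10.0.1.15", "10.0.1.30", 445),    # workstation to workstation: no rule
    ("j.silva", "10.0.1.15", "10.0.3.5", 5432),    # workstation straight to database: no rule
    ("it.admin", "10.0.1.15", "10.0.9.4", 22),     # admin, but from a workstation: no rule
    ("it.admin", "10.0.9.4", "10.0.3.5", 5432),    # admin from management to database: allowed
    ("svc_backup", "10.0.9.4", "10.0.3.5", 5432),  # right path, account not authorised
]

if __name__ == "__main__":
    for user, src, dst, port, decision, reason in audit(SAMPLE_ATTEMPTS):
        print(f"{decision:5} {user:11} {src} -> {dst}:{port}  ({reason})")
```

The ordering of the two checks is the point: the flow rule is evaluated before the account, so even an administrator is refused when connecting from the wrong segment, which forces privileged work through the management segment where it can be monitored and authenticated separately, as the recommendation above suggests.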
When a security incident occurs, studying the attacker’s movements is as important as preventing the more immediate malicious action.
Treat the tactics visible in an attack as only the surface and assume there are always ulterior motives behind any security event. The following questions, when asked and studied carefully, can help you establish a new vision of how to protect your network:
- How did the attacker get into my network?
- Which technique allowed lateral movement?
- What kind of device and which user privileges were used?
- What was the target? What controls were executed to make the threat persistent?
- What security products were used and how did they meet the threat mitigation goal?
Remember that staying invisible in your network can be a strategic method for furthering the goal of an attack.