80% of a sophisticated attack involves moving laterally through the network from system to system. Inability to detect this phase of an attack means the attacker will likely reach their end objective successfully.
Why is detecting lateral movement so important?
On average, a breach takes 146 days between initial compromise and detection. The initial breach itself is quick — a user clicks on a phishing link, or opens a macro-laden document. Even the attacker’s final actions happen rapidly, exfiltrating or destroying data. So what are the attackers doing for the rest of the time?
After cementing their initial breach point and ensuring persistence, the attacker escalates their privilege level to the maximum they can on their initial beach-head. They then hop from system to system, hence the term ‘lateral movement’, and repeat the process. Most companies can’t detect lateral movement because it is lost amongst all the regular traffic of the organisation. SIEM and analytics tools have proven woefully inadequate at catching this phase.
The lateral movement phase is the point where the attacker is most vulnerable to detection. They are operating semi-blind on a foreign network, seeking out targets of value. It’s thus imperative that the defence has best-in-class lateral movement detection capabilities.
How do attackers move laterally?
First, the attacker will determine potential points to jump to. Most often, they will heavily rely on Active Directory as the ‘phone book’ of the network. Active Directory helps them identify key servers, administrative users and other high value targets. They may also scan the internal network for specific hosts and ports. If they’ve compromised credentials, they may be able to use these credentials to access other systems directly.
The most important thing to note is that the seasoned attacker prefers to ‘live off the land’ — using built-in capabilities of the operating system and legitimate remote administration tools to move around. This prevents anti-malware and endpoint detection systems from flagging their activity as it looks perfectly normal.
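One way a defender can surface the "hop from system to system" pattern described above, as an added example that is not part of the original post: an account that authenticates over the network to many distinct hosts within a short window stands out even when each individual logon uses legitimate tooling. The event records below are constructed, and the field layout is an assumption modelled loosely on Windows Security event 4624 (logon type 3 = network, 10 = RemoteInteractive).

```python
"""Fan-out heuristic for lateral movement detection (added example).
Flags accounts whose network logons reach >= threshold distinct hosts
inside any sliding window of the given length. Field names and the
sample events are constructed assumptions, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, account, source_ip, target_host, logon_type)
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:05", "jdoe", "10.0.1.15", "FS01", 3),
    ("2024-03-01T09:01:10", "jdoe", "10.0.1.15", "FS01", 3),
    ("2024-03-01T09:03:12", "svc-backup", "10.0.1.50", "DC01", 3),
    ("2024-03-01T09:03:40", "svc-backup", "10.0.1.50", "FS01", 3),
    ("2024-03-01T09:04:02", "svc-backup", "10.0.1.50", "FS02", 3),
    ("2024-03-01T09:04:30", "svc-backup", "10.0.1.50", "WS-HR-07", 10),
    ("2024-03-01T09:05:01", "svc-backup", "10.0.1.50", "WS-FIN-02", 3),
    ("2024-03-01T11:30:00", "svc-backup", "10.0.1.50", "FS03", 3),
]

# Logon types that indicate a remote session rather than a console logon.
NETWORK_LOGON_TYPES = {3, 10}


def fan_out_alerts(events, window=timedelta(minutes=10), threshold=4):
    """Return {account: hosts} for accounts whose remote logons touched at
    least `threshold` distinct hosts within one `window`-long interval."""
    per_account = defaultdict(list)
    for ts, account, _src, host, logon_type in events:
        if logon_type in NETWORK_LOGON_TYPES:
            per_account[account].append((datetime.fromisoformat(ts), host))

    alerts = {}
    for account, logons in per_account.items():
        logons.sort()  # sliding window needs time order
        start = 0
        for end in range(len(logons)):
            # Drop logons that fell out of the window behind this one.
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {h for _, h in logons[start:end + 1]}
            if len(hosts) >= threshold:
                alerts[account] = alerts.get(account, set()) | hosts
    return alerts


if __name__ == "__main__":
    for account, hosts in fan_out_alerts(SAMPLE_EVENTS).items():
        print(f"ALERT {account}: {len(hosts)} hosts in window -> {sorted(hosts)}")
```

The threshold and window need tuning per environment: backup and monitoring service accounts legitimately fan out, so baseline them and alert on deviation rather than on raw counts.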
Here’s a technical white-paper on the “Top 20 Lateral Movement Tactics”.