What is Lateral Flow Movement and how do you Detect it

Stages of Lateral Movement

Initial Entry

Lateral movement starts with the initial entry to the network, primarily through endpoint devices. Malware infection is the most likely route to gain entry. But attackers can also gain entry through remote access tools, stolen user credentials, vulnerability exploits, or other possible paths that give them access to a network.

Reconnaissance

After gaining entry, the attacker starts off by gathering as much information about the network, users, and infrastructure as they can. They map out the network to scheme an action plan. They are not in a rush to avoid triggering network alarm systems. However, as soon as they are ready, they’ll move to a different location to ensure they remain in the network even if the initial entry device is quarantined.

Escalation

This is where the process of lateral movement comes in. At this point, the attacker moves laterally across devices, apps, and servers obtaining credentials and escalating privileges along the way as they move closer and closer to their intended target.

Gaining and Maintaining access

This is the stage where the attacker has gained privileged access to servers and other resources containing valuable data. Their main goal at this stage is to continue maintaining the access undetected and collecting as much data as they can.

Attackers will closely monitor security measures from the security team and respond to them. They may choose to cease activities for a while to avoid detection or install backdoors to gain access later.

How to Detect Lateral Movement

Most organizations’ IT departments don’t have the means to actively detect lateral movement, especially at the earliest stages. They only come to know of it once the attacker is deep in the network or damage has been done.

It’s a big challenge to effectively detect this behavior since the attacker mimics regular traffic from network users. They could have stolen legitimate credentials that make them less suspicious.

Having said that, some solutions in the market can help you detect lateral movement in your network in real-time. A robust solution should detect, alert, identify and investigate threats fast.

Best Practices to Prevent Lateral Movement

As the old adage goes, prevention is the best cure, and in this case, it can be overstated. There are many ways to proactively make it extremely difficult or impossible for attackers to move laterally within your network.

Regular updates of all software within the organization

This sounds rather obvious, but we have seen attackers exploit outdated software, especially at endpoints, to gain access to a network and move laterally.

Implement a security-first approach within the organization

Good IT hygiene demands that all users know that security is a collective and shared responsibility. It’s not a task left to the IT department alone. Strong and well-protected passwords, avoiding clicking on suspicious links and attachments, and other essential network protection policies should be implemented. It’s tempting to overthink cyber security, but lateral movement attacks often originate from the most basic errors.

Strong endpoint security controls

Lateral movement threats are more likely than not to access a network through endpoint devices. Ensuring that these devices have the latest software and security measures in place is a robust prevention strategy.

Protect high privilege accounts

Admins accounts are among the most dangerous tools that an attacker can get hold of within the IT infrastructure. With an admin account, they can obtain and escalate privileges to the highest standard possible.

System admins should have standard accounts for their day-to-day tasks and limit privileged accounts to just those tasks that need extra privileges.

Admin accounts should only be accessed from dedicated devices. They should never be allowed to browse the web or open emails to avoid exposure.

For other users, the Principle of Least Privilege Access (POLP) should be implemented within the organization. Users should only have access to apps and the data they need to complete their tasks.

Zero Trust Policy

This modern security approach assumes that threats are always in progress and might be coming from within. Every access from users within the network is treated as a potential attack. Zero Trust requires explicit verification or multi-factor authentication for all users. Least privilege and role-based access are part of a zero-trust approach.

Segregate network

Network segregation or segmentation is a security policy involving numerous sets of smaller networks within the main network. This makes it difficult for an attacker to move from one network to another laterally.

Threat hunting

If your organization has this capability, it can be helpful in detecting and stopping lateral movement attacks at their earliest stages. Threat hunting which can go hand in hand with network monitoring, reveals any suspicious behavior or vulnerabilities within the network.

Closing Thoughts

The modern workplace and IT environments are sophisticated and complex undertakings that facilitate work and productivity. Cloud storage, remote working, collaboration with outside organizations all call for robust IT infrastructure.

This increased reliance on IT systems for work means that we are increasingly vulnerable to cybercriminals who have also evolved with the times.

They have deployed lateral movement attacks to devastating effects across countries, industries, and organizations.

Despite their best efforts, CISOs and their IT departments will at one point address a breach in their cyber defenses. When it comes to lateral movement, we believe the best course of action is vigilance and making it difficult for cybercriminals to gain entry or move laterally once in.

If you’d like to see how the Lepide Data Security Platform can help you detect and react to security threats within your infrastructure, schedule a demo with one of our engineers or start your free trial today.