Hacking 101: How to Prevent Lateral Movement
Most network security breaches go undetected for months. During that time, the attackers are busy moving across your network, mapping critical systems, and collecting privileged credentials. This lateral movement sets the stage for their ultimate goal, whether that is data exfiltration, ransomware, or both.
We will explain what lateral movement is, how hackers use it to expand their foothold in your network, and how you can use a Zero Trust security framework to keep hackers from exploiting a successful breach.
Lateral movement refers to the tools and techniques hackers use once they penetrate an organization’s external security. Unlike the “smash-and-grab” techniques of less talented hackers, lateral movement supports sophisticated attacks by organized cybercriminals and other advanced persistent threat (APT) actors. This phase of the attack has three main objectives:
- Expand the attackers’ foothold.
- Discover critical systems and valuable data.
- Collect privileged user credentials.
While exploring the network, the attackers mask their presence by using valid credentials and the network’s administrative tools. This is why lateral movement is so difficult to detect and why they have so much time to dwell in your network.
Expanding the foothold comes first. The original breach may have a finite window before user passwords change or the exploited VPN gateway gets patched. Opening more doors into the network lets the attackers re-enter at will and helps mask the original point of entry.
Once in, the attackers traverse the compromised network, but at this stage they only look around. Reconnaissance helps them understand the network’s internal defenses, identify critical systems, and discover where valuable information is stored.
In most cases, the original breach only gives attackers entry into a low-value system. What they want is access to more critical systems, and that usually requires the credentials of network administrators and others with privileged access. Collecting those credentials is the ultimate goal of lateral movement.
Lateral movement sounds like something out of a spy novel. In fact, it takes traditional espionage tradecraft and updates it for the cyber age. An early, widely reported example happened in 2008, when USB flash drives reportedly found in a parking lot outside a Department of Defense facility in the Middle East were plugged into work computers. The malware on the drives spread from those machines across unclassified and classified systems.
Today, the line separating foreign intelligence operations and criminal activity has blurred. Both kinds of advanced persistent threat use the same techniques to penetrate, surveil, and exploit government and private-sector networks.
The fact that these breaches are so hard to detect makes them all the more damaging.
A recent study found that breaches typically go undetected for 212 days — and are not contained for another 75 days.
Although state actors are still a threat, criminal organizations use lateral movement to launch ransomware attacks at an accelerating rate. Reports of ransomware attacks increased 20% in 2020 and another 69% in the first half of 2021.
By using lateral movement, these criminals do more than target systems for encryption. Extended dwell time lets them exfiltrate customer information or proprietary data before triggering the ransomware. The criminals can then demand higher ransoms or sell the data on dark web exchanges.
The highest-profile security breaches of the past few years used lateral movement to make the attacks more successful.
In 2017, hackers penetrated the credit agency Equifax through its consumer dispute-resolution website. Undetected for more than two months, they moved into Equifax’s wider network and stole the personal and credit records of roughly 147 million consumers. The data never appeared on dark web exchanges, but Equifax has spent hundreds of millions of dollars in fines, fees, and compensation, plus well over a billion more upgrading its security systems.
Colonial Pipeline shut down its fuel pipeline system in May 2021 after cybercriminals triggered a ransomware attack on its IT network. The attackers had used a compromised password to get through a VPN gateway and traverse the network undetected.
APT29 (also known as Nobelium, Cozy Bear, and other names) is the suspected nation-state actor behind 2020’s SolarWinds supply chain attack. Their breach of SolarWinds’ security went undetected for more than 12 months, letting the group create backdoors into potentially thousands of organizations. Those backdoors let APT29 deploy lateral movement tools for collecting privileged credentials at government agencies and defense contractors. Microsoft reports that APT29 is attacking cloud service providers to do the same thing.
The broad attack surface exposed by traditional network security technologies lets hackers launch lateral attacks from many different vectors.
Passwords sold or leaked on criminal exchanges, or stolen through social engineering, let attackers log in with valid user credentials. The Colonial Pipeline breach began with the password of an unused but still active VPN account that had appeared in a credential dump on the dark web; the account did not require multi-factor authentication.
Too many companies take too long to patch their network security systems, opening windows for attackers. Equifax’s IT department failed to patch a critical Apache Struts vulnerability (CVE-2017-5638), letting its attackers exploit a flaw that had been public, with a fix available, for two months.
SolarWinds was a target because its customers typically run the SolarWinds Orion software with broad administrative privileges on the networks it monitors. APT29 used Orion as a bridge to its ultimate targets in the US government.
In 2013, employees at a heating and air conditioning contractor inadvertently downloaded malware, and the attackers used the contractor’s network credentials to penetrate Target’s network and compromise the retailer’s point-of-sale systems.
The seven-month average dwell time of successful breaches is the result of living-off-the-land tactics that leverage the network’s own tools and valid accounts rather than easily detected malware. Common lateral movement techniques identified in MITRE’s ATT&CK framework include:
Internal spear phishing - Using a compromised account, hackers send phishing messages to colleagues to obtain the credentials of privileged users or distribute malware; mail from an internal sender slips past controls tuned for external senders.
Remote services - With valid accounts, hackers connect to other hosts over RDP, SSH, WinRM, SMB, and other remote administration protocols, producing logons that look like routine administration.
Alternate authentication material - Without knowing a password, hackers reuse session cookies, password hashes, Kerberos tickets, and other valid authentication artifacts (pass-the-hash, pass-the-ticket) to access resources.
Tainted shared content - Hackers insert malicious code into files on shared network drives or code repositories. When users open the file, the malware runs under their identity and expands the hackers’ network access.
IT management tools - With the right credentials, hackers can use an organization’s software deployment tools or remote automation such as PowerShell remoting to move across the network.
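Because these techniques produce ordinary-looking logons, detection has to come from patterns rather than signatures. As an added example (not from the original article and not Twingate’s code), the following Python script runs two simple detections over constructed Windows logon events: the host fan-out that remote-services abuse produces, and NTLM network logons of privileged accounts originating from workstation addresses, one heuristic for pass-the-hash. Field names follow Windows Security Event ID 4624; the subnet, account names, host names and log lines are assumptions made up for the example.

```python
"""Two lateral-movement detections over Windows 4624 logon events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events, not real logs. Field names mirror Windows Security
# Event ID 4624 (successful logon). LogonType 2 = interactive at the console,
# 3 = network (SMB, WinRM, RPC), 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    # Normal: jsmith logs on at the console of his own workstation.
    {"time": "2021-09-01T09:00:05", "EventID": 4624, "TargetUserName": "jsmith",
     "LogonType": 2, "AuthenticationPackageName": "Kerberos",
     "IpAddress": "127.0.0.1", "Computer": "WS-023"},
    # Normal: jsmith opens a file share from that workstation.
    {"time": "2021-09-01T09:03:40", "EventID": 4624, "TargetUserName": "jsmith",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "IpAddress": "10.1.5.23", "Computer": "FS-01"},
    # Suspicious: a privileged service account authenticates from jsmith's
    # workstation to four different hosts in six minutes, over NTLM.
    {"time": "2021-09-01T13:02:10", "EventID": 4624, "TargetUserName": "svc-backup",
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "IpAddress": "10.1.5.23", "Computer": "FS-01"},
    {"time": "2021-09-01T13:03:55", "EventID": 4624, "TargetUserName": "svc-backup",
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "IpAddress": "10.1.5.23", "Computer": "FS-02"},
    {"time": "2021-09-01T13:05:30", "EventID": 4624, "TargetUserName": "svc-backup",
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "IpAddress": "10.1.5.23", "Computer": "DB-01"},
    {"time": "2021-09-01T13:08:02", "EventID": 4624, "TargetUserName": "svc-backup",
     "LogonType": 10, "AuthenticationPackageName": "NTLM",
     "IpAddress": "10.1.5.23", "Computer": "DC-01"},
    # Normal: the nightly backup job runs from the backup server with Kerberos.
    {"time": "2021-09-01T22:00:00", "EventID": 4624, "TargetUserName": "svc-backup",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "IpAddress": "10.1.9.5", "Computer": "FS-01"},
]

WORKSTATION_NETS = [ip_network("10.1.5.0/24")]    # assumed workstation VLAN
PRIVILEGED_ACCOUNTS = {"svc-backup", "da-admin"}   # assumed privileged accounts
LATERAL_LOGON_TYPES = {3, 10}                      # network and RDP logons


def _ts(event):
    return datetime.fromisoformat(event["time"])


def fanout_alerts(events, window=timedelta(minutes=10), min_hosts=3):
    """Return {(account, source IP): [hosts]} for pairs that reach at least
    min_hosts distinct hosts via network or RDP logons inside a sliding window.
    A human administrator rarely touches that many hosts that fast; a tool
    sweeping the network with stolen credentials does."""
    by_source = defaultdict(list)
    for e in events:
        if e["EventID"] == 4624 and e["LogonType"] in LATERAL_LOGON_TYPES:
            by_source[(e["TargetUserName"], e["IpAddress"])].append(e)
    alerts = {}
    for key, evs in by_source.items():
        evs.sort(key=_ts)
        for i, first in enumerate(evs):
            hosts = {x["Computer"] for x in evs[i:] if _ts(x) - _ts(first) <= window}
            if len(hosts) >= min_hosts:
                alerts[key] = alerts.get(key, set()) | hosts
    return {k: sorted(v) for k, v in alerts.items()}


def privileged_ntlm_from_workstation(events, privileged=PRIVILEGED_ACCOUNTS,
                                     nets=WORKSTATION_NETS):
    """Return (time, account, source IP, host) for NTLM network/RDP logons of
    privileged accounts that originate from a workstation subnet. Classic
    pass-the-hash authenticates over NTLM, so a privileged account appearing
    over NTLM from a user workstation deserves a look."""
    hits = []
    for e in events:
        if (e["EventID"] == 4624
                and e["LogonType"] in LATERAL_LOGON_TYPES
                and e["AuthenticationPackageName"] == "NTLM"
                and e["TargetUserName"] in privileged
                and any(ip_address(e["IpAddress"]) in net for net in nets)):
            hits.append((e["time"], e["TargetUserName"], e["IpAddress"], e["Computer"]))
    return hits


if __name__ == "__main__":
    for (account, src), hosts in fanout_alerts(SAMPLE_EVENTS).items():
        print(f"FAN-OUT  {account} from {src} reached {', '.join(hosts)}")
    for when, account, src, host in privileged_ntlm_from_workstation(SAMPLE_EVENTS):
        print(f"NTLM     {when} {account} from {src} -> {host}")
```

Run against the sample, only the svc-backup session from 10.1.5.23 trips both rules; the same account's nightly Kerberos logon from the backup server does not. Neither rule is proof on its own: legacy applications and shares addressed by IP fall back to NTLM legitimately, and patch-management or inventory tools fan out by design, so in production these fire as score contributors that are tuned with an allow list of known administration hosts.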
A recent study found that organizations incorporating Zero Trust in their network defense strategy reduced the cost of security breaches by 35%. Traditional approaches to network security focus on defending a secure perimeter and assume that the resources, devices, and users within are safe. However, this approach creates a broad attack surface that is difficult to defend. Execution must be perfect because one failure can give hackers the freedom to roam across the network.
Zero Trust is a modern security framework that always assumes breaches are in progress. That turns every access attempt into a potential attack — even if the attempt comes from on-premises devices. Rather than defend an indefensible perimeter, Zero Trust solutions require explicit verification of a user identity and device state with every access attempt. Role-based, least privilege access policies limit access to just the resource a user needs to get their job done.
Twingate implements Zero Trust through software-defined perimeters (SDPs), an approach that shifts segmentation from the network level to the resource level. Every resource, whether on-premises or in the cloud, is hidden behind the Twingate SDP. Nobody can see the resource from the public internet, so port scans and other discovery tools find nothing to target. More importantly, nobody on a company’s private network can see the resource either, which limits what a successful breach of the network can reach.
Zero Trust requires authentication and authorization before letting users access a resource. Twingate lets you apply role-based permissions based on contextual factors such as device posture and network connection. Permission to access one resource does not extend to any other resource. And all permissions are ephemeral, terminating at the end of each session. As a result, hackers that successfully compromise a user’s device have less freedom to move laterally.
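To make the contrast concrete, here is an added Python example (not from the original article and not Twingate’s implementation) that evaluates an access request under both models. The perimeter check admits any internal address to any resource, which is why one compromised workstation can roam. The Zero Trust path verifies the user’s entitlement and the device’s posture on every request and issues a short-lived grant bound to a single resource, so a grant lifted from a compromised device cannot be replayed against another resource or after it expires. The roles, resources, address range, posture attributes and time-to-live are all assumptions chosen for the example.

```python
"""Perimeter versus per-request, per-resource authorization (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
import secrets

# --- Perimeter model: trust follows network location ---------------------
INTERNAL_NET = ip_network("10.0.0.0/8")   # assumed corporate address space


def perimeter_allows(src_ip: str, resource: str) -> bool:
    """Castle-and-moat check: anything inside the perimeter may reach any
    internal resource, so one compromised host reaches everything."""
    return ip_address(src_ip) in INTERNAL_NET


# --- Zero Trust model: verify identity and device on every request --------
@dataclass(frozen=True)
class DevicePosture:
    disk_encrypted: bool   # assumed posture signals; real agents report more
    os_patched: bool
    edr_running: bool

    def compliant(self) -> bool:
        return self.disk_encrypted and self.os_patched and self.edr_running


@dataclass(frozen=True)
class Grant:
    """A short-lived permission bound to exactly one user and one resource."""
    user: str
    resource: str
    issued_at: datetime
    ttl: timedelta
    token: str = field(default_factory=lambda: secrets.token_hex(16))

    def valid_for(self, resource: str, now: datetime) -> bool:
        return resource == self.resource and now - self.issued_at <= self.ttl


# Assumed role-based policy: each role lists only the resources it needs.
ROLE_RESOURCES = {
    "developer": {"git.internal", "ci.internal"},
    "dba": {"db-prod.internal"},
}
USER_ROLES = {"jsmith": {"developer"}, "mlee": {"dba"}}


def entitled_resources(user: str) -> set:
    roles = USER_ROLES.get(user, set())
    return set().union(*(ROLE_RESOURCES.get(r, set()) for r in roles))


def request_access(user, resource, device, now, ttl=timedelta(minutes=30)):
    """Evaluate one access attempt. Entitlement and device posture are both
    checked on every request; a grant, if issued, names a single resource."""
    if not device.compliant():
        return None
    if resource not in entitled_resources(user):
        return None
    return Grant(user, resource, now, ttl)


def use_grant(grant, resource, now) -> bool:
    """Resource-side check: accept a grant only for the resource it names and
    only while it is live."""
    return grant is not None and grant.valid_for(resource, now)


def scenario() -> dict:
    """Walk a compromised developer workstation through both models."""
    t0 = datetime(2021, 9, 1, 13, 0)
    healthy = DevicePosture(True, True, True)
    unpatched = DevicePosture(True, False, True)
    git_grant = request_access("jsmith", "git.internal", healthy, t0)
    later = t0 + timedelta(minutes=5)
    return {
        # Perimeter: the workstation's address alone reaches the production DB.
        "perimeter_reaches_db": perimeter_allows("10.1.5.23", "db-prod.internal"),
        # Zero Trust: the developer reaches git, and nothing else with that grant.
        "zt_git_granted": use_grant(git_grant, "git.internal", later),
        "zt_db_with_git_grant": use_grant(git_grant, "db-prod.internal", later),
        "zt_db_direct": request_access("jsmith", "db-prod.internal", healthy, t0) is not None,
        # The grant dies with the session window.
        "zt_after_expiry": use_grant(git_grant, "git.internal", t0 + timedelta(minutes=31)),
        # A non-compliant device gets nothing even for an entitled resource.
        "zt_unpatched_device": request_access("jsmith", "git.internal", unpatched, t0) is not None,
    }


if __name__ == "__main__":
    for check, outcome in scenario().items():
        print(f"{check:24s} {outcome}")
```

The point of the walk-through is the asymmetry: under the perimeter model the attacker's reconnaissance and credential theft are rewarded immediately, while under per-resource authorization a stolen device or grant buys access to one resource for one session, and every further step requires passing the same checks again.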
Reducing dwell times is another benefit afforded by Zero Trust solutions such as Twingate. Identity-indexed activity logs let security administrators spot unusual user or device behavior. Investigations can reveal the presence of hackers in the system faster and reduce the damage they cause.
Security breaches can happen at any time thanks to the broad attack surface created by traditional network security approaches. Once in, sophisticated attackers can use lateral movement techniques to evade detection while mapping your network and escalating their access. Because they use the network’s own resources to conduct their reconnaissance, threat actors can go undetected for months as they maximize the impact of their attack.
Twingate’s modern security solution, based on principles of Zero Trust, can help mitigate lateral attacks. Protecting each resource with software-defined perimeters reduces the attack surface area, constrains lateral movement, and makes hackers’ presence easier to detect.
To find out more about mitigating lateral attacks with Zero Trust, contact Twingate today.