What is Lateral Movement?

yonatan.azougy, 30.08.2022, 5 min read

Lateral movement is how attackers jump from one device to another inside a network, trying to reach valuable data. It's like a thief hopping from room to room after breaking in.

The 3 Stages of a Lateral Movement Attack

Here are the three stages of a lateral movement attack.

Reconnaissance

Reconnaissance, or recon, is when a cyber attacker gathers information about the target network and remote systems. The threat actors are looking to understand the virtual layout of the network, such as:

- Where the servers are
- Information about security teams and their approaches
- Whether any software vulnerabilities are present

Reconnaissance methods often include port scanning, network mapping, and vulnerability scanning. Once the attacker has gathered enough information about the target network, they move on to the next stage of this sophisticated attack.

Credential Dumping and Privilege Escalation

During this stage, the attacker attempts to obtain login credentials from the compromised system using phishing attacks, brute force attacks, or SQL injection attacks. Over 80% of breaches within hacking involve brute force or the use of lost or stolen login credentials.
Once the attacker has valid credentials, they are able to gain initial access to other systems on the network or higher-privileged access to sensitive data.

Gaining Unauthorized Access and a Foothold Into the Corporate Network

Once the attacker has obtained valid credentials, they use them to gain further access to other systems on the network. By spreading to other servers, attackers gain access to and control over the network, making it possible to carry out malicious activities such as data exfiltration, implanting malware, or staging attacks on customers of the infiltrated company (known as supply chain attacks).

How to Detect Lateral Movement

There are several indicators of lateral movement, including:

- Increased Network Traffic: Unusual activity in network traffic may be a clear indicator of lateral movement, as attackers will often try to move large amounts of data out of the system as they progress.
- Unusual Access Patterns: For example, if a user is accessing systems or data that they normally would not have access to, this can be a tell-tale sign that their login credentials were compromised and an attacker is using them to gain access to sensitive data.
- Suspicious Activity at Login: One of the easiest ways an attacker can bypass credentials is through third-party software systems. Access should only be granted to third parties on a “need to know” basis once authorization has been cleared, following the principle of Zero Trust.

Lateral Movement Example

A prime example of lateral movement is a Pass-the-Hash (PtH) attack. In this scenario, the attacker obtains stolen credentials and is able to bypass authentication. The attacker does not need to crack the hash to recover the plaintext password, because the stored hash itself is what the system accepts. A Pass-the-Hash attack is when these hashed credentials are used as a stand-in for plaintext logins to authenticate with the system using hacking tools.
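The "unusual access patterns" and "suspicious activity at login" indicators above can be checked mechanically over logon telemetry. The following Python is an added example, not code from the original article or from Perimeter 81: the logon records, host names, account baseline and the event shape (a SIEM-normalised Windows 4624 network logon) are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events (not real logs), shaped like a SIEM's
# normalisation of a Windows 4624 network logon:
# (timestamp, account, source host, destination host, auth package)
SAMPLE_LOGONS = [
    ("2022-08-30T09:00:00", "alice", "WS-ALICE", "FILESRV01", "Kerberos"),
    ("2022-08-30T09:05:00", "alice", "WS-ALICE", "FILESRV01", "Kerberos"),
    ("2022-08-30T09:10:00", "bob", "WS-BOB", "PRINTSRV", "Kerberos"),
    ("2022-08-30T13:00:01", "alice", "WS-ALICE", "FILESRV02", "NTLM"),
    ("2022-08-30T13:00:04", "alice", "WS-ALICE", "DB01", "NTLM"),
    ("2022-08-30T13:00:07", "alice", "WS-ALICE", "DC01", "NTLM"),
    ("2022-08-30T13:00:09", "alice", "WS-ALICE", "HR-APP", "NTLM"),
]

# Constructed baseline of hosts each account normally reaches; in practice
# this is learnt from weeks of historical logon data.
BASELINE = {"alice": {"FILESRV01"}, "bob": {"PRINTSRV"}}

def parse(rec):
    ts, account, src, dst, pkg = rec
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "src": src, "dst": dst, "pkg": pkg}

def detect_fanout(events, window=timedelta(minutes=5), threshold=3):
    """Unusual access pattern: an account reaching `threshold` or more distinct
    hosts within any `window`. Returns {account: hosts seen in flagged windows}."""
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_account[e["account"]].append(e)
    alerts = {}
    for account, evs in by_account.items():
        for i, start in enumerate(evs):
            hosts = {e["dst"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) >= threshold:
                alerts[account] = alerts.get(account, set()) | hosts
    return alerts

def detect_baseline_deviation(events, baseline):
    """Baseline deviation: logons to a host the account never uses. The auth
    package is kept so an analyst can see a switch to NTLM, as in Pass-the-Hash."""
    return [(e["account"], e["dst"], e["pkg"]) for e in events
            if e["dst"] not in baseline.get(e["account"], set())]

def run(records=SAMPLE_LOGONS, baseline=BASELINE):
    events = [parse(r) for r in records]
    return {"fanout": detect_fanout(events),
            "deviation": detect_baseline_deviation(events, baseline)}
```

On the sample data, alice's morning logons to her usual file server produce nothing, while the burst of NTLM logons to four new hosts in under ten seconds trips both rules.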
Attackers have found ways to exploit authentication protocols such as Single Sign-On (SSO) or Kerberos. Users of Windows New Technology LAN Manager (NTLM) are at the highest risk due to its weak cryptography and other security vulnerabilities.

How to Prevent Lateral Movement Attacks with ZTNA

One of the best lines of defense against lateral movement is ZTNA. ZTNA, or Zero Trust Network Access, verifies the identity of users and devices before any access is granted to company resources, through strict and continuous authentication and authorization checks.

ZTNA supports network segmentation and micro-segmentation, which divide networks into smaller segments to reduce the attack surface. This helps prevent lateral movement as it limits the amount of access that users and devices have to systems and data.

Best Practices to Prevent Lateral Movement

Here are the best practices that significantly reduce the risk of attackers infiltrating your systems and stealing sensitive data like intellectual property (IP).

1. Protecting Your Network Foundation:

- Operating Systems: Ensure all systems, including desktops, servers, and mobile devices, are kept up to date with the latest security patches. Outdated software is a common target for attackers.
- Remote Services: Minimize the number of exposed remote services and only allow access through secure protocols. This reduces potential entry points.

2. Multi-Factor Authentication (MFA):

Implement MFA as a mandatory requirement for all access points, including internal systems and remote connections. This adds an extra layer of security beyond passwords, making it significantly harder for attackers to use stolen credentials (even if they compromise a legitimate user’s login).

3. Principle of Least Privilege:

- Grant users only the access privileges they need to perform their jobs. This minimizes the potential damage if an attacker gains access to a low-privilege account.
- Avoid using privileged accounts for daily tasks.
- Network Hierarchies: Segment your network into different zones with varying security levels. This makes it harder for attackers to freely jump between critical systems and sensitive data.

4. Continuous Monitoring and Threat Detection:

- Implement security controls that monitor network activity in real time for abnormal behaviors. These can include failed login attempts, unauthorized access to sensitive data, or unusual data transfers. Early detection allows for faster response and potential containment before attackers can establish persistence.
- Be aware of common techniques used in lateral movement, such as exploiting vulnerabilities in domain controllers to steal credentials and escalate privileges.

5. Protecting the Crown Jewels:

Implement stricter security measures around privileged accounts, as these are prime targets for attackers seeking elevated privileges. Regularly monitor privileged account activity and consider solutions that require additional authorization for high-risk actions.

By combining these practices, you create a layered security approach that deters attackers throughout the attack lifecycle.

Prevent Lateral Movement with Perimeter81

Perimeter 81’s ZTNA solution easily integrates with all leading Identity Providers (IdPs) and can be deployed in a matter of minutes across the organization. Don’t wait until a threat actor has penetrated your network; take a proactive approach. Get ZTNA secured with Perimeter81 today.

FAQs

What is the difference between lateral movement and a security breach?
A security breach is the initial unauthorized access to a system. Lateral movement describes how attackers navigate within a network after gaining access, often using stolen credentials.

How do attackers gain legitimate credentials for lateral movement?
Phishing emails, malware, and social engineering are common tactics to trick users into revealing legitimate credentials.
How can organizations prevent lateral movement attempts?
Implement multi-factor authentication, enforce least privilege access controls, and monitor user behavior for suspicious activity.

What are some of the potential threats arising from lateral movement?
Attackers with lateral access can steal valuable assets, deploy ransomware, or disrupt critical systems.

How can threat intelligence help against lateral movement?
Threat intelligence provides insights into attacker tactics and techniques, allowing organizations to proactively defend against lateral movement attempts.