Written by: Vikram Navali, Senior Technical Product Manager – All it takes is one compromised system to start a cyberattack. Once attackers get a foothold inside the network, they can gather information or escalate privileges to complete their mission. After gaining initial access, attackers use lateral movement techniques to gain access to critical assets. A perfect example is the recent SolarWinds software supply chain attack, where attackers kept their malware footprint very low. As sophisticated attackers will do, they quietly stole and used credentials to perform lateral movement through the network and establish legitimate remote access.
Adversaries use lateral movement techniques to progressively move through a network and target an organization’s critical assets. These techniques are widely used in sophisticated attacks such as Advanced Persistent Threats (APTs) to exploit software vulnerability and find their target. Examples of lateral movement techniques include:
- Remote Service Exploitation: Adversaries use this technique to determine if the remote system is in a vulnerable state through network scanning or discovery methods. They take advantage of a programming error in a program, service, operating system, or kernel to exploit remote services. For example, the NotPetya attacks of 2017 added lateral movement capabilities. This attack used multiple methods, such as abusing Server Message Block(SMB) vulnerabilities, stealing credentials, or re-using existing active sessions to spread itself to other remote systems on the network.
- Lateral Tool Transfer: This technique helps adversaries copy files laterally between compromised endpoints using inherent file sharing protocols, such as file sharing over SMB, to connected network shares. The 2017 WannaCry outbreak attempted to copy itself to remote computers using a vulnerability in the implementation of server message block (SMB) in Windows systems.
- Software Deployment Tools: Organizations are losing confidential information or sensitive intellectual property (IP) due to a third-party breach. Adversaries gain access to and use third-party software suites such as administration, monitoring, and deployment systems, to move laterally through the network. Organizations should review how third parties access their confidential data to ensure that only authorized users can access it only for approved purposes.
The MITRE corporation’s ATT&CK® matrix lists several lateral movement techniques and their mitigations. In earlier evaluation exercises using adversary emulation, MITRE tested over 20 EDR products to understand their effectiveness across the cyber kill chain by emulating threat actor groups APT3 and APT29. Attivo Networks carried out the same tests using the MIRE ATT&CK DIY evaluations methodology. The Attivo ThreatDefend® platform’s Endpoint Detection Net (EDN) solution showed considerable improvements to lateral movement detection performance when used in conjunction with an endpoint security solution, showing an average performance gain of 42%.
The Attivo Networks solutions detect attackers as they move laterally inside an organization’s network, data center, cloud, or remote site. The Attivo ThreatDefend platform uses innovative techniques to detect, deny, and derail modern security threats as they begin scanning and targeting critical assets such as Active Directory controllers, databases, or other essential servers and services. The ThreatDefend platform projects decoys across the entire enterprise to detect attackers and engage them as they attempt to move laterally.
The Attivo Networks EDN solution’s DataCloak function mitigates ransomware attacks by hiding and denying access to local files, folders, network or cloud shares, and removable storage. By denying attackers the ability to see or exploit critical data, organizations can disrupt their scanning or discovery activities. The EDN suite includes the ThreatStrike® endpoint solution, which allows organizations to create various deceptive credentials, fake objects such as SSH tokens, and SMB shares to place on real production systems that lead attackers back to the decoys that slow down the lateral movement activities. The EDN ADSecure solution protects against unauthorized queries to Active Directory, preventing attackers from gathering accurate information to progress their attack and elevate privileges. By inserting decoy data into the query results and hiding the sensitive data, defenders can misdirect attackers to decoys for engagement while gaining visibility into their activities.
Lateral movement plays a significant role in cyberattacks. Following the best security practices and implementing Attivo Network solutions will make it more difficult for an attacker to move around and perform lateral movement.
For additional information, please visit www.attivonetworks.com