What is Lateral Movement?

Discover the 3 main stages of a lateral movement attack and how you can detect lateral movement techniques within your network.

What is Lateral Movement?

Lateral movement is a technique in which an attacker, having successfully compromised an endpoint, gains access to the corporate network and then continues to move laterally within it in search of valuable assets to exfiltrate.

The 3 Stages of a Lateral Movement Attack

Reconnaissance

The first stage of a lateral movement attack is reconnaissance, or recon, in which the attacker gathers information about the target network and its systems. The threat actors want to understand the virtual layout of the network: where the servers are, how they are secured, and whether they have any vulnerabilities. This information can be obtained manually or through automated tools. Reconnaissance methods vary but often include port scanning, network mapping, and vulnerability scanning. Once the attacker has gathered enough information about the target network, they move on to the next stage of the attack.

Credential Dumping and Privilege Escalation

After reconnaissance comes credential dumping and privilege escalation. During this stage, the attacker attempts to obtain login credentials from the compromised system using phishing attacks, brute force attacks, SQL injection attacks, and so on. Over 80% of hacking-related breaches involve brute force or the use of lost or stolen credentials.
Once the attacker has valid credentials, they can access other systems on the network or obtain higher-privileged access to sensitive data. Attackers may use exploitation tools such as Mimikatz to extract the stolen credentials, and a technique called Pass the Ticket to authenticate with stolen or forged Kerberos tickets.

Gaining Access and a Foothold Into the Corporate Network

The final stage of the attack is gaining a foothold in the corporate network. Once the attacker has obtained valid credentials, they use them to gain further access to other systems on the network. By spreading to other servers, attackers gain more access to and control over the network, making it possible to carry out their malicious deeds: data exfiltration, implanting malware, or staging attacks on customers of the infiltrated company, known as supply chain attacks. Even worse is the amount of time an attacker can remain undetected. The average dwell time is approximately 197 days within the network environment before any detection is made.

How to Detect Lateral Movement

There are several indicators that suggest your company is dealing with lateral movement. Some of the more notable indicators include:

Increased Network Traffic: An unusual spike in network traffic can be a clear indicator that lateral movement is present, as attackers will often try to move large amounts of data out of the network as they progress.

Unusual Access Patterns: If a user is accessing systems or data that they normally would not have access to, this can be a tell-tale sign that their login credentials were compromised and an attacker is using them to reach sensitive data.

Suspicious Login Activity: One of the easiest ways an attacker can bypass credential checks is through third-party software systems. Access should only be granted to third parties on a "need to know" basis once authorization has been cleared, applying the principle of Zero Trust.
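The indicators above translate directly into detection logic. The following is an added illustration written for this article, not Perimeter 81's code or any product's detection engine. It runs three checks over a handful of constructed logon events: a user reaching a host that is absent from their baseline (unusual access pattern), one source host authenticating to many different hosts in a short window (a typical foothold-to-spread signature), and NTLM network logons in an otherwise Kerberos environment, which is the authentication trace a Pass-the-Hash attempt leaves behind. The event shape, host names, user names and the 10-minute/3-host thresholds are all assumptions chosen for the example; a real deployment would map them onto its own log source and tune the thresholds against its own baseline.

```python
"""Toy lateral-movement detector over constructed logon events (added example).

The event shape below is a simplified assumption, not the Windows Security
log format. `logon_type` follows Windows semantics (3 = network logon) and
`pkg` is the authentication package that was used.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int           # minutes since the start of the log
    user: str
    src: str          # host the logon originated from
    dst: str          # host that was authenticated to
    pkg: str          # "Kerberos" or "NTLM"
    logon_type: int   # 3 = network logon (Windows semantics)


def build_baseline(events):
    """Baseline of which destination hosts each user normally reaches."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e.user].add(e.dst)
    return baseline


def find_new_host_access(events, baseline):
    """Unusual access pattern: a user authenticating to a host not in their baseline."""
    return [e for e in events if e.dst not in baseline.get(e.user, set())]


def find_fan_out(events, window, threshold):
    """One source host reaching >= threshold distinct hosts within `window` minutes."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        by_src[e.src].append(e)
    hits = []
    for src, evs in by_src.items():
        for i, start in enumerate(evs):
            dsts = {x.dst for x in evs[i:] if x.ts - start.ts <= window}
            if len(dsts) >= threshold:
                hits.append((src, start.ts, sorted(dsts)))
                break  # one alert per source host is enough
    return hits


def find_ntlm_network_logons(events):
    """NTLM network logons where Kerberos is the norm: the trace a Pass-the-Hash attempt leaves."""
    return [e for e in events if e.pkg == "NTLM" and e.logon_type == 3]


# Constructed sample data: a quiet baseline period, then a monitored period
# in which alice's workstation suddenly fans out over NTLM.
BASELINE_EVENTS = [
    Event(1, "alice", "WS01", "FS01", "Kerberos", 3),
    Event(5, "alice", "WS01", "MAIL01", "Kerberos", 3),
    Event(7, "bob", "WS02", "FS01", "Kerberos", 3),
]
MONITORED_EVENTS = [
    Event(100, "alice", "WS01", "FS01", "Kerberos", 3),   # normal
    Event(101, "alice", "WS01", "DB01", "NTLM", 3),       # new host, NTLM
    Event(102, "alice", "WS01", "HR01", "NTLM", 3),       # new host, NTLM
    Event(103, "alice", "WS01", "DC01", "NTLM", 3),       # new host, NTLM
    Event(104, "bob", "WS02", "FS01", "Kerberos", 3),     # normal
    Event(130, "alice", "WS01", "MAIL01", "Kerberos", 3), # normal
]


def run_demo(window=10, threshold=3):
    """Run all three checks over the constructed data and return the findings."""
    baseline = build_baseline(BASELINE_EVENTS)
    return {
        "new_hosts": find_new_host_access(MONITORED_EVENTS, baseline),
        "fan_out": find_fan_out(MONITORED_EVENTS, window, threshold),
        "ntlm": find_ntlm_network_logons(MONITORED_EVENTS),
    }


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(f"{name}: {findings}")
```

Each check on its own produces noise (a user legitimately onboarding to a new server, a backup host that fans out every night, a legacy device that only speaks NTLM); the signal is in the overlap, so an alerting rule would normally require two of the three to fire for the same source host inside the same window before it pages anyone.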
Lateral Movement Example

A prime example of lateral movement is a Pass-the-Hash (PtH) attack. In this scenario, the attacker obtains stolen credentials and is able to bypass authentication. Cracking the hash to recover the plaintext password is not needed, because the stored hash itself is what the authentication protocol accepts. A Pass-the-Hash attack is one in which these hashed credentials are used as a stand-in for a plaintext login to authenticate with the system using attack tooling. Attackers have found ways to exploit authentication protocols such as Single Sign-On (SSO) or Kerberos. Windows New Technology LAN Manager (NTLM) users are at the highest risk due to its weak cryptography and other security vulnerabilities.

How to Prevent Lateral Movement Attacks with ZTNA

One of the best lines of defense for preventing lateral movement is ZTNA. ZTNA, or Zero Trust Network Access, verifies the identity of users and devices before any access is granted to company resources, through strict and continuous authentication and authorization checks. ZTNA allows organizations to segment and microsegment their networks into smaller parts to reduce the threat surface. This helps prevent lateral movement attacks because it limits the access that users and devices have to systems and data. Perimeter 81's ZTNA solution integrates with all leading Identity Providers (IdPs) and can be deployed in a matter of minutes across the organization. Don't wait until a threat actor has penetrated your network. Get ZTNA secured today.

Lateral Movement FAQ

What is lateral movement?
Lateral movement is a technique in which an attacker attempts to gain access to additional systems on a network through a compromised endpoint.

What are the main stages of a lateral movement attack?
The main stages of a lateral movement attack are reconnaissance, credential dumping and privilege escalation, and gaining access to the corporate network.

How to detect lateral movement?
A few ways to detect lateral movement include behavioral analysis and real-time activity monitoring.

What is an example of a lateral movement attack?
One example of a lateral movement attack is a Pass-the-Hash attack, where the attacker uses stolen credentials without having to crack the password.