An overview of lateral movement and how it is used by cyber attackers and threat actors, and during a penetration test or red team engagement.
Lateral movement is the technique that a cyber attacker or threat actor uses after gaining a foothold to traverse the rest of the network. An attacker typically performs lateral movement to obtain valuable secrets or other sensitive data that will allow access to more endpoints or allow for privilege escalation.
Aptive use lateral movement to simulate the role of a real cyber attacker and demonstrate the risk of an external breach to an organisation, allowing them to learn how far a malicious user could travel through the network and what sensitive information they could gain access to.
Recently, lateral movement has been leveraged by attackers and automated tools to compromise as many hosts as possible in order to mine cryptocurrency on the compromised hosts.
Some of the most common entry points are unpatched systems, poorly hardened systems, vulnerable web applications, phishing and malware infections.
For an in-depth answer specifically for your organisation consider requesting a quote for our penetration testing service.
Lateral movement requires the attacker to leverage a way to move through the target network; privilege escalation may or may not be required on the entry-point machine, depending on what level of account was originally compromised and whether the host has previously undergone a build hardening review.
The attacker learns the network: the subnet structure, usernames and naming conventions, and what threat detection systems are in place, such as anti-virus. The enumeration at this point allows the attacker to make informed decisions about how to pivot through the network while trying to evade detection.
For an attacker to move through the network, they need to either exploit a service such as SSH or RDP, or obtain valid credentials via social engineering, cracking a password hash, or using dumped credentials. Below are a number of techniques an attacker could leverage to move through the network:
Once an attacker has gained access to the network, they can usually continue to move throughout it, often undetected, as the traffic typically resembles normal network traffic.
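Because each individual remote logon made with valid credentials looks routine, detection has to aggregate across hosts. The following is an added example, not part of the original article or any Aptive tooling: it reads a constructed set of successful remote logon records and flags any account that reaches an unusually large number of distinct hosts within a short sliding window, the fan-out pattern produced when one compromised account is used to pivot. The log format, account names and hostnames are invented for the illustration.

```python
"""Flag credential fan-out: one account logging on to many hosts in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful remote logons: timestamp, account, source host, target host.
# Each line alone looks like routine admin activity; the pattern only appears in aggregate.
SAMPLE_LOGONS = """\
2024-03-01T09:00:05 svc_backup ws-017 fs-01
2024-03-01T09:00:41 svc_backup ws-017 fs-02
2024-03-01T09:01:12 svc_backup ws-017 db-03
2024-03-01T09:01:50 svc_backup ws-017 app-07
2024-03-01T09:02:20 svc_backup ws-017 dc-01
2024-03-01T09:30:00 jsmith ws-022 fs-01
2024-03-01T14:00:00 jsmith ws-022 app-07
"""

def parse_logons(text):
    """Parse the hypothetical four-column format into sorted (time, account, src, dst) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, account, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), account, src, dst))
    return sorted(events)

def find_fan_out(events, window=timedelta(minutes=10), threshold=4):
    """Return {account: (sorted distinct targets, window start)} for every account that
    reached at least `threshold` distinct hosts within some `window`-long sliding window."""
    by_account = defaultdict(list)
    for ts, account, _src, dst in events:
        by_account[account].append((ts, dst))
    alerts = {}
    for account, hits in by_account.items():
        best, best_start, start = set(), None, 0
        for end in range(len(hits)):
            # Advance the window start until the window fits within `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            targets = {dst for _, dst in hits[start:end + 1]}
            if len(targets) > len(best):
                best, best_start = targets, hits[start][0]
        if len(best) >= threshold:
            alerts[account] = (sorted(best), best_start)
    return alerts

if __name__ == "__main__":
    for account, (targets, first) in find_fan_out(parse_logons(SAMPLE_LOGONS)).items():
        print(f"{account}: {len(targets)} hosts from {first.isoformat()}: {', '.join(targets)}")
```

The threshold and window must be tuned against a baseline of legitimate behaviour for each environment, since backup and management accounts can legitimately touch many hosts.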
What is Lateral Movement?
Lateral movement is the technique that a cyber attacker or threat actor uses after gaining a foothold to traverse the rest of the network.
Why do attackers perform Lateral Movement?
Attackers use different tools and techniques to gain higher privileges, allowing them to access more sensitive data, which in turn is used to access other machines within the network.
What are the Stages of Lateral Movement?
Reconnaissance (environment mapping), Credential Dumping / Privilege Escalation, Gaining Access, Remaining Undetected.