What is Lateral Movement?

During a cyberattack, the system that a cyber threat actor first accesses within an organization’s network is rarely their final objective. For example, many cyberattacks are focused on stealing, encrypting, or destroying valuable data, which is typically stored in databases and servers deep inside the network, but attackers usually enter an organization’s systems via phishing or other techniques that compromise a single user’s workstation.

Once they’ve gained a foothold on an organization’s systems, attackers commonly move laterally to access other systems and data within the organization’s environment. This may include expanding their permissions or compromising other accounts to gain access to additional resources.


Types of Lateral Movement Techniques

Once inside an organization’s environment, cybercriminals can use various means to expand their access.

Some common techniques include the following:

  • Credential Theft: Once an attacker has access to corporate systems, they commonly attempt to dump password hashes and authentication tokens from memory and eavesdrop on network traffic. This can provide them with access to additional accounts via password cracking, pass-the-hash (replaying a stolen NTLM hash without cracking it), and pass-the-ticket (reusing a stolen Kerberos ticket) attacks.
  • Internal Spear Phishing: Often, anti-phishing training focuses on identifying malicious messages that come from outside the organization. If an attacker can access a legitimate user’s accounts, they can send much more plausible spear phishing emails, Slack messages, or other messages.
  • Vulnerability Exploitation: Just like an organization’s external-facing applications, internal applications and systems can have exploitable vulnerabilities. Attackers can exploit these vulnerabilities to gain access to additional systems and data.

Stages of Lateral Movement

While attackers may use multiple techniques for lateral movement, the overall process remains largely the same.

The three main stages of lateral movement include:

  • Reconnaissance: Firewalls and other network security solutions limit an external attacker’s ability to learn about the internal structure of the corporate network. Once inside, cyber threat actors will commonly start by performing reconnaissance, examining the system that they have compromised and the structure of the rest of the network. Based on this information, they can develop a plan for achieving their objectives.
  • Credential Theft: Lateral movement often involves the theft and use of legitimate credentials. Attackers may access credentials by dumping them from compromised systems, using keyloggers, sniffing network traffic, or performing phishing attacks. Often, credentials are stolen in the form of password hashes rather than plaintext passwords; some systems accept a hash directly (the basis of pass-the-hash), while others require the hash to be cracked before it can be used to log in.
  • Gaining Access: After an attacker has identified a new system, compromised a user account, or found an exploitable vulnerability, they can move laterally or expand their access. From their new foothold, they may be able to achieve their objectives or might start the process over again.

Detecting and Preventing Lateral Movement

Companies can take various steps to prevent or detect attackers moving laterally through their network.

Some best practices include the following:

  • Secure Authentication – MFA: Cybercriminals often use compromised credentials to move laterally through an organization’s systems. Implementing a strong password policy and enforcing the use of multi-factor authentication (MFA) can help to protect against this threat.
  • Zero-Trust Security: A zero-trust security policy verifies every access request regardless of where it originates and grants users, applications, and devices only the access and privileges needed to do their jobs. Limiting access and segmenting the network in this way makes it more difficult for an attacker to use a compromised account to move laterally from the initial foothold.
  • Extended Detection and Response (XDR): Cyber threat actors commonly try to fly under the radar when moving through an organization’s systems. The context and centralized visibility provided by XDR can be invaluable to identifying potential indicators of lateral movement.
  • Email Security: Phishing attacks are a common way for attackers to both gain initial access and move laterally through an organization’s systems. Email security solutions can help to identify and alert on suspicious messages.
  • Endpoint Detection and Response (EDR): Lateral movement commonly begins by compromising an endpoint and stealing sensitive information (credentials, etc.) from it. EDR can help protect against the initial intrusion and detect credential dumping, installation of keyloggers, and similar threats.
  • Network Traffic Analysis: Lateral movement occurs over the network. Network traffic analysis can help to identify anomalous traffic that could point to reconnaissance or lateral movement.
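The "Gaining Access" stage described earlier and the XDR/EDR/network-traffic-analysis bullets above both come down to the same observable: a stolen credential is reused against many hosts in a short window. The following is an added example, not Check Point code or anything from the original page, of detection logic that finds that fan-out pattern. It runs over a handful of constructed log lines loosely modelled on Windows Security event 4624 (successful logon), where logon type 3 is a network logon and the authentication package distinguishes NTLM from Kerberos; the field names, hostnames, and thresholds are assumptions chosen for the example.

```python
"""Flag lateral-movement fan-out: one account authenticating over the network
to many distinct hosts from one source within a short window.

Sample records are constructed for this example, loosely modelled on Windows
Security event 4624. Field layout and names are an assumption of the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real environment).
# alice: normal repeated access to one file server.
# svc_backup: five different hosts in 22 seconds over NTLM, from a workstation.
# bob: interactive console logon (type 2), not network movement.
SAMPLE_LOGS = [
    "2024-03-01T09:00:01Z 4624 user=alice src=10.0.1.25 dst=FS01 type=3 auth=Kerberos",
    "2024-03-01T09:03:10Z 4624 user=alice src=10.0.1.25 dst=FS01 type=3 auth=Kerberos",
    "2024-03-01T13:00:00Z 4624 user=svc_backup src=10.0.1.25 dst=FS01 type=3 auth=NTLM",
    "2024-03-01T13:00:04Z 4624 user=svc_backup src=10.0.1.25 dst=WEB02 type=3 auth=NTLM",
    "2024-03-01T13:00:09Z 4624 user=svc_backup src=10.0.1.25 dst=DB03 type=3 auth=NTLM",
    "2024-03-01T13:00:15Z 4624 user=svc_backup src=10.0.1.25 dst=HR04 type=3 auth=NTLM",
    "2024-03-01T13:00:22Z 4624 user=svc_backup src=10.0.1.25 dst=DC01 type=3 auth=NTLM",
    "2024-03-01T13:05:00Z 4624 user=bob src=10.0.2.7 dst=WS-BOB type=2 auth=Kerberos",
]


def parse_event(line):
    """Parse '<timestamp> <event_id> key=value ...' into a dict."""
    ts, event_id, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["event_id"] = int(event_id)
    fields["type"] = int(fields["type"])
    return fields


def detect_fanout(lines, window=timedelta(minutes=10), threshold=4):
    """Return one alert per (user, source) whose network logons reach
    `threshold` distinct destination hosts inside any `window`-long span.

    Only successful network logons (event 4624, logon type 3) are considered;
    interactive logons and other event IDs are ignored.
    """
    groups = defaultdict(list)
    for ev in map(parse_event, lines):
        if ev["event_id"] == 4624 and ev["type"] == 3:
            groups[(ev["user"], ev["src"])].append(ev)

    alerts = []
    for (user, src), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0  # left edge of the sliding window
        for end, ev in enumerate(evs):
            # Advance the left edge until the window is no wider than `window`.
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            hosts = sorted({e["dst"] for e in win})
            if len(hosts) >= threshold:
                ntlm = sum(1 for e in win if e["auth"] == "NTLM")
                alerts.append({
                    "user": user,
                    "src": src,
                    "hosts": hosts,
                    "first": evs[start]["ts"],
                    "last": ev["ts"],
                    # High NTLM share across many hosts is consistent with
                    # pass-the-hash, which never touches Kerberos.
                    "ntlm_fraction": ntlm / len(win),
                })
                break  # one alert per (user, src) is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_fanout(SAMPLE_LOGS):
        print(f"{a['user']} from {a['src']} reached {len(a['hosts'])} hosts "
              f"in {a['last'] - a['first']} (NTLM share {a['ntlm_fraction']:.0%}): "
              f"{', '.join(a['hosts'])}")
```

On the constructed input only svc_backup trips the rule; alice's repeated visits to one server and bob's console logon do not. In production the threshold and window need a baseline per account, since backup, scanning, and management service accounts legitimately touch many hosts, which is why this kind of rule belongs in a correlation layer that can enrich it with the source host's role and the account's history rather than firing on raw counts.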

Lateral Movement Security with Check Point

Ideally, an attacker would be identified and blocked before they gained access to an organization’s systems. However, if this doesn’t happen, locking down their access and preventing them from achieving their goals is the next best thing.

Check Point solutions provide companies with the visibility and data analytics that they need to identify and crack down on lateral movement in their networks. Check Point Horizon XDR offers centralized visibility and advanced threat analytics to help security teams detect the subtle signs of threats moving through their network. Learn more about protecting your network with Check Point by signing up for the Horizon XDR Early Availability Program today.
