Lateral Movement is the technique that hackers use after gaining initial access to machines or networks. Hackers use this strategy to move deeper into a network in search of sensitive data and other high-value assets. After penetrating the network, the attacker maintains ongoing access by moving through the compromised environment laterally obtaining increased privileges using various tools. Privileges in this instance are the administrator account privileges often given to head staff of IT departments, developers, executives, etc.
Hackers move laterally within a system to avoid detection and stay connected to that network. Oftentimes hackers will have exploited a machine or network for weeks or even months before a data breach is first detected. Hackers can gain initial access to the systems from common cyberattacks like Phishing, Social Engineering, Viruses, or other Malware. The way the hackers’ transition through the systems is by impersonating authorized users, moving through multiple systems in the network until their goals are reached. Achieving that objective involves accumulating information on networks, systems, and accounts, obtaining credentials, escalating privileges, installing back doors for future access and ultimately gaining access to target data.
Source: CrowdStrike, ExaBeam
Additional Reading: Building a Human Firewall
Related Terms: Reconnaissance, Phishing, Ransomware
What does this mean for an SMB?
Using two of three identification factors (something you are, have, or know) is the best way to protect your critical accounts. Hackers count on your employees reusing their passwords. The moment they see online services protected by 2FA they move on to easier targets (in most cases) because they know they may not be able to penetrate such protections very easily. The recent massive hack of Marriott Hotel chain was due in part to inadequate two-factor authentication.
Password managers automatically synchronize all account data between devices (smartphones, laptops, and tablets). Web browser plugins monitor your activity and prompt you to save your credentials whenever you authenticate into a new website. Your username and password for the Domain (or URL such as gmail.com) are stored in an encrypted password vault. Password management and requirements should be forced through governance policies set by the business.
Users must be accurately categorized and have access only to the systems, applications, or networks their job requires them to access. For example, in a corporate network, only IT staff should manage devices such as desktops and notebooks. IT staff shouldn’t give standard users administrator privileges.
Endpoint security tools allow IT staff to observe all online and offline endpoints. This collects and stores data on significant endpoint events and mapping that data against actionable security intelligence feeds and known tactics, techniques, and procedures (TTP). In other words, this solution allows IT professionals to monitor attack trends and behaviors to help them determine where they should put their resources.
When all else fails and a catastrophic breach occurs, your cyber-insurance is there to help you recover quickly and effectively by providing you the necessary resources to recover. CyberHoot published a two-part series on what Cyber Insurance covers and some challenges with it.