Lateral Movement

Lateral Movement is the technique that hackers use after gaining initial access to machines or networks. Hackers use this strategy to move deeper into a network in search of sensitive data and other high-value assets. After penetrating the network, the attacker maintains ongoing access by moving through the compromised environment laterally obtaining increased privileges using various tools. Privileges in this instance are the administrator account privileges often given to head staff of IT departments, developers, executives, etc. 

Hackers move laterally within a system to avoid detection and stay connected to that network. Oftentimes hackers will have exploited a machine or network for weeks or even months before a data breach is first detected. Hackers can gain initial access to the systems from common cyberattacks like Phishing, Social Engineering, Viruses, or other Malware.  The way the hackers’ transition through the systems is by impersonating authorized users, moving through multiple systems in the network until their goals are reached. Achieving that objective involves accumulating information on networks, systems, and accounts, obtaining credentials, escalating privileges, installing back doors for future access and ultimately gaining access to target data.

Source: CrowdStrike, ExaBeam

Additional Reading: Building a Human Firewall

Related Terms: Reconnaissance, Phishing, Ransomware

What does this mean for an SMB?

Lateral movement during any data breach makes recovery much more difficult. Often times, finding the original machine first breached is difficult. Removing and rebuilding it is a common measure, however with lateral movement, the hacker has already compromised other hosts on your network and left the original breach machine.  This means your attempts to contain the breach can be severely hampered. Monitoring networks for lateral breaches is a weak point of most small networks leaving detection and prevention to endpoint security systems.
The important takeaway is that there is always something you or your business can do to improve your cybersecurity program and prevent these attacks from succeeding. CyberHoot recommends the following actions to help prevent you or your business from becoming a victim to an attack via lateral movement: 
Two-Factor Authentication

Using two of three identification factors (something you are, have, or know) is the best way to protect your critical accounts. Hackers count on your employees reusing their passwords. The moment they see online services protected by 2FA they move on to easier targets (in most cases) because they know they may not be able to penetrate such protections very easily.  The recent massive hack of Marriott Hotel chain was due in part to inadequate two-factor authentication.

Password Managers

Password managers automatically synchronize all account data between devices (smartphones, laptops, and tablets). Web browser plugins monitor your activity and prompt you to save your credentials whenever you authenticate into a new website. Your username and password for the Domain (or URL such as are stored in an encrypted password vault. Password management and requirements should be forced through governance policies set by the business. 

Least Privilege 

Users must be accurately categorized and have access only to the systems, applications, or networks their job requires them to access. For example, in a corporate network, only IT staff should manage devices such as desktops and notebooks. IT staff shouldn’t give standard users administrator privileges.

Endpoint Security

Endpoint security tools allow IT staff to observe all online and offline endpoints. This collects and stores data on significant endpoint events and mapping that data against actionable security intelligence feeds and known tactics, techniques, and procedures (TTP). In other words, this solution allows IT professionals to monitor attack trends and behaviors to help them determine where they should put their resources.

Cyber Insurance

When all else fails and a catastrophic breach occurs, your cyber-insurance is there to help you recover quickly and effectively by providing you the necessary resources to recover.  CyberHoot published a two-part series on what Cyber Insurance covers and some challenges with it.

To learn more about Lateral Movement, watch this short 3 minute video:

Secure your business with CyberHoot Today!!!

Share this on your social networks. Help Friends, Family, and Colleagues become more aware and secure.