In this article I want to highlight one of the tactics malicious actors use to move within your network: lateral movement. Let’s define lateral movement and review how Stamus Security Platform can help.
This series -- Threats! What Threats? – came as a result of a conversation with my colleague Steve Patton. He believed that we at Stamus Networks weren’t going deep enough to elaborate on what we meant when we mentioned “threats”. He made a good point because while we often talk about threats, we had not yet elaborated on which threats, how they work, and why they are harmful.
What is lateral movement and why is it bad?
Top athletes understand the importance of being able to move laterally to evade a defender or mount an attack on goal. This is why athletes spend countless hours training to improve their lateral agility to gain an advantage.
Similarly, lateral movement allows cyber attackers to move deeper into a compromised environment after gaining initial access, avoiding detection by moving through different hosts.
A threat actor will often gain access to an endpoint through a phishing attack or malware infection, and then use various tools to obtain increased privileges. The attacker then impersonates a legitimate user to move through different systems until they reach their end goal: sensitive data or high-value assets. By employing lateral movement techniques, an attacker can avoid detection for weeks or months after the initial breach.
Lateral movement typically progresses through three stages:
- Reconnaissance
- In this initial stage, after gaining access to the network, the attacker explores and maps out the network, its users, and its devices. This lets them identify operating systems, locate potential targets, and gather the intelligence that informs their next moves. Attackers do this with custom tooling, open-source tools, or built-in Windows utilities such as netstat, arp, route, and PowerShell, which blend in because administrators use the same commands. After identifying critical areas, the attacker can begin gathering login credentials.
- Credential dumping and privilege escalation
- An attacker cannot move through a network without valid login credentials. “Credential dumping” means extracting them from an already compromised host, for example pulling cached password hashes and plaintext passwords from memory with tools like Mimikatz; phishing, keylogging, and typosquatted login pages are other common ways attackers steal credentials. With one or more valid accounts in hand, attackers escalate their privileges on the network until they are able to reach the target system.
- Gaining access
- This process is repeated across the network until the attacker reaches and takes control of the target system. This is often a critical services system whose compromise affects the entire organization once ransomware or another malware program is deployed to it. From there, the attacker can move freely about the network, avoiding detection by staying mobile across devices.
How does Stamus Security Platform help with lateral movement?
Lateral movement is often very difficult to detect because it looks like normal network traffic: it rides on the same protocols and credentials that legitimate administrators use (SMB, RDP, WMI, remote PowerShell), frequently driven through remote access tooling such as Remote Access Trojans (RATs). Because prevention controls struggle to block traffic that is indistinguishable from routine administration, the most effective defense is early detection.
Stamus Security Platform (SSP) is well equipped to detect lateral movement because it employs a more complete set of detection methods than one-dimensional intrusion detection system (IDS), network security monitoring (NSM), or network detection and response (NDR) solutions. By observing brute force activity, suspicious administrative behavior, or suspect SMB/DCERPC/ICMP/TCP protocol activity, SSP can typically detect lateral movement early in the kill chain, shortly after initial system access.
In addition, unlike other network security solutions, SSP uses advanced prioritization algorithms to cut through the noise caused by a typical IDS or NSM “alert cannon” – all while retaining the context and evidence needed to understand the complete picture of a given incident. In this way, Stamus Security Platform essentially eradicates false positives, and delivers what we call Declarations of Compromise™ to notify the security team of only the most serious and imminent threats like lateral movement.
So, by searching for anomalies in credential usage, logon failures, application usage, connectivity patterns, port and protocol usage, and the details of individual connections, SSP can detect and prioritize lateral movement attacks and push only the most urgent incidents to the top of your queue. This way the security team can catch threats before they cause substantial damage.
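To make the three stages above and the anomaly signals in this paragraph concrete, here is an added illustration of detection logic run over constructed telemetry. It is example code written for this article, not code from Stamus Security Platform; the event format, field names, thresholds, port list, and the admin-host allowlist are all assumptions. It flags a subnet sweep on administrative ports (reconnaissance), a burst of logon failures followed by success for the same account (credential abuse), and an ADMIN$ share opened from a host that is not a known admin workstation (gaining access), then rolls the alerts up per source host so the host showing the most stages lands at the top of the queue.

```python
"""Toy lateral-movement detector over constructed network and auth events.

Added example for this article, not Stamus Security Platform code. The
'ts kind src dst port detail' record format, thresholds and host roles are
assumptions made for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=120)
LATERAL_PORTS = {135, 139, 445, 3389, 5985, 5986}   # RPC, SMB, RDP, WinRM
ADMIN_SHARES = {"ADMIN$", "C$"}
STAGE_WEIGHT = {"recon": 1, "credentials": 2, "access": 3}

# Constructed sample telemetry: 10.0.1.20 sweeps SMB across a subnet, guesses
# the svc_backup password on a file server, then opens ADMIN$ on it.
# 10.0.1.21 is ordinary user activity included for contrast.
SAMPLE_EVENTS = """\
2024-05-01T09:00:01 conn 10.0.1.20 10.0.2.10 445 -
2024-05-01T09:00:02 conn 10.0.1.20 10.0.2.11 445 -
2024-05-01T09:00:02 conn 10.0.1.20 10.0.2.12 445 -
2024-05-01T09:00:03 conn 10.0.1.20 10.0.2.13 445 -
2024-05-01T09:00:03 conn 10.0.1.20 10.0.2.14 445 -
2024-05-01T09:00:04 conn 10.0.1.20 10.0.2.15 445 -
2024-05-01T09:00:04 conn 10.0.1.20 10.0.2.16 445 -
2024-05-01T09:00:05 conn 10.0.1.20 10.0.2.17 445 -
2024-05-01T09:00:05 conn 10.0.1.20 10.0.2.18 445 -
2024-05-01T09:05:00 auth_fail 10.0.1.20 10.0.2.5 445 svc_backup
2024-05-01T09:05:01 auth_fail 10.0.1.20 10.0.2.5 445 svc_backup
2024-05-01T09:05:02 auth_fail 10.0.1.20 10.0.2.5 445 svc_backup
2024-05-01T09:05:03 auth_fail 10.0.1.20 10.0.2.5 445 svc_backup
2024-05-01T09:05:04 auth_fail 10.0.1.20 10.0.2.5 445 svc_backup
2024-05-01T09:05:05 auth_ok 10.0.1.20 10.0.2.5 445 svc_backup
2024-05-01T09:05:09 smb_tree 10.0.1.20 10.0.2.5 445 ADMIN$
2024-05-01T09:10:00 conn 10.0.1.21 10.0.2.5 445 -
2024-05-01T09:10:01 auth_ok 10.0.1.21 10.0.2.5 445 alice
2024-05-01T09:10:02 smb_tree 10.0.1.21 10.0.2.5 445 shared
"""

def parse_events(text):
    """Parse the constructed record format into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, kind, src, dst, port, detail = line.split()
            events.append({"ts": datetime.fromisoformat(ts), "kind": kind, "src": src,
                           "dst": dst, "port": int(port), "detail": detail})
    return sorted(events, key=lambda e: e["ts"])

def detect_recon(events, min_hosts=8):
    """Stage 1: one source touching many distinct hosts on admin ports within WINDOW."""
    alerts, by_src = {}, defaultdict(list)
    for e in events:
        if e["kind"] == "conn" and e["port"] in LATERAL_PORTS:
            by_src[e["src"]].append(e)
    for src, conns in by_src.items():
        for i, first in enumerate(conns):   # sliding window anchored on each connection
            targets = {c["dst"] for c in conns[i:] if c["ts"] - first["ts"] <= WINDOW}
            if len(targets) >= min_hosts:
                alerts[src] = {"src": src, "stage": "recon",
                               "reason": f"{len(targets)} hosts swept on admin ports"}
                break
    return list(alerts.values())

def detect_credentials(events, min_failures=5):
    """Stage 2: repeated logon failures followed by success for the same account."""
    alerts, failures = [], defaultdict(list)   # (src, dst, user) -> failure times
    for e in events:
        key = (e["src"], e["dst"], e["detail"])
        if e["kind"] == "auth_fail":
            failures[key].append(e["ts"])
        elif e["kind"] == "auth_ok":
            recent = [t for t in failures[key] if e["ts"] - t <= WINDOW]
            if len(recent) >= min_failures:
                alerts.append({"src": e["src"], "stage": "credentials", "reason":
                               f"{len(recent)} failures then success as {e['detail']} on {e['dst']}"})
            failures[key].clear()
    return alerts

def detect_access(events, admin_hosts):
    """Stage 3: administrative share opened from a host outside the (assumed) admin allowlist."""
    return [{"src": e["src"], "stage": "access", "reason": f"{e['detail']} opened on {e['dst']}"}
            for e in events
            if e["kind"] == "smb_tree" and e["detail"] in ADMIN_SHARES and e["src"] not in admin_hosts]

def prioritize(alerts):
    """Roll alerts up per source host; each distinct stage observed raises the score."""
    hosts = defaultdict(lambda: {"score": 0, "stages": set(), "reasons": []})
    for a in alerts:
        h = hosts[a["src"]]
        if a["stage"] not in h["stages"]:
            h["score"] += STAGE_WEIGHT[a["stage"]]
        h["stages"].add(a["stage"])
        h["reasons"].append(a["reason"])
    ranked = [(src, h["score"], sorted(h["stages"]), h["reasons"]) for src, h in hosts.items()]
    return sorted(ranked, key=lambda r: r[1], reverse=True)

def analyze(text, admin_hosts=frozenset()):
    """Run all three detectors over one telemetry batch and return ranked hosts."""
    events = parse_events(text)
    return prioritize(detect_recon(events) + detect_credentials(events)
                      + detect_access(events, admin_hosts))

if __name__ == "__main__":
    for src, score, stages, reasons in analyze(SAMPLE_EVENTS):
        print(f"{src} score={score} stages={stages}")
        for reason in reasons:
            print("   ", reason)
```

Run on the sample, only 10.0.1.20 is reported, with all three stages; 10.0.1.21 never trips a threshold even though it touches the same file server. The scoring is deliberately crude: its point is that a single failed-logon burst or one admin-share mount is weak evidence on its own, while the same host exhibiting sweep, credential abuse and admin access in sequence is what deserves to be escalated first, which is the prioritization idea the paragraph above describes. Passing the attacking host in `admin_hosts` suppresses only the share alert, so the recon and credential signals still surface it.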
More information on Stamus Security Platform
So, next time my colleague Steve asks “why don’t we ever mention the types of threats we’re talking about?” I can thank him and point him to this blog series.
If you’d like to get a live demonstration of Stamus Security Platform or discuss how it might help you detect and respond to threats in your network, please click on the button below to request a demo.