Many data breaches are the result of successful lateral movement. It’s a tactic many adversaries use to get closer to their objective, and it’s a concern for many organizations. Security teams have a difficult time detecting lateral movement because it often looks like valid traffic between machines or services. But how can security teams detect and even more importantly, prevent it from happening?
Threat actors use lateral movement to stealthily move from one system to another. The technique begins with valid credentials that the adversary or adversaries have obtained — for example, a hacker obtaining access to an email after a successful phishing attack, then requesting a password reset from other services that use that email address as a means of identity verification. After gaining initial access to an endpoint, the attacker begins to learn about the victim’s network and layout and can move through that network with ease. Through lateral movement, hackers gain foothold access to a device or service and then try to get closer to the objective, all while upgrading permissions, collecting data and credentials, and flying under the radar.
How to detect lateral movement
Security teams can detect lateral movement by looking for anomalous behavior, such as access that doesn’t typically occur, or occurs infrequently, between two points. Some examples include:
- Behavioral analytics: Does this person usually log-in at 2:00 a.m.? Or does this person usually log-in from China?
- Identify network discrepancies: Does this service usually get logged into from this OS?
If the credentials of a high-level executive are used to log-in to Bill.com at 3:00 a.m. from South America using Linux systems on Firefox, then the security team can suspect lateral movement. Lateral movement occurs after the initial access and continues until the hacker's goals are achieved, and the system becomes thoroughly compromised.
Ways to disrupt and prevent lateral movement
The portability of credential-based authentication makes it difficult to anticipate lateral movement. To prevent and disrupt it, security teams must create barriers against moving laterally within the network. Traditional credential-based authentication and multi-factor authentication (MFA) cannot deliver the security to prevent lateral movement, as it’s easy for hackers to breach or hack these legacy methods of authentication. While some organizations may consider traditional MFA the de-facto solution to security vulnerabilities, the portability of credentials, even with MFA, still allows adversaries to use them, change them, or reset them once obtained. As long as the attacker has access to one of the company’s accounts, they can use that as a steppingstone to quickly bypass your MFA.
Therefore, systems are secure only when credentials are bound to the device, so the initial access that’s the foothold for lateral movement cannot occur.
Eliminate passwords: eliminate lateral movement
Security teams can prevent lateral movement by using an authentication system that's based on strong cryptography, private keys, and anchored hardware. Passwords and traditional MFA cannot offer the kind of security necessary to stop credential-based attacks. Hackers craft lateral movement around a single breached account, and from there, it becomes easier to get into the next. But with authentication based on strong cryptography and with private keys stored on the device, access to one account does not let the hacker access a second — they all would require the signature of the private key stored on the device. So by eliminating passwords, security teams can prevent lateral movement and credential-based attacks.
Jasson Casey, chief technology officer, Beyond Identity