Updated July 28, 2022. Originally published June 27, 2021.
Lateral movement is the set of techniques attackers use to progress through the organizational network after gaining initial access. Adversaries use lateral movement to reach the target assets and sensitive data their attack is after. Preventing this MITRE ATT&CK tactic is therefore a key step in any cybersecurity protection plan, and zero trust can help. Here's how.
What is Lateral Movement?
Lateral movement is the tenth tactic in the MITRE ATT&CK Enterprise matrix (TA0008). It covers the techniques attackers use to move between systems on the network, typically by abusing legitimate credentials and remote access paths, while avoiding detection. Lateral movement lets attackers reach the key assets and data that are the real objective of the attack.
What Information is Gathered in Lateral Movement?
After breaking into the network, attackers need a way to progress laterally, which requires access to further users, systems and assets. The information gathered during lateral movement serves that goal: user account credentials and service entitlements that grant access to other components and systems, plus information for mapping the network, such as network hierarchy, operating systems and server resources. Note that ATT&CK files much of this gathering under the neighbouring Credential Access (TA0006) and Discovery (TA0007) tactics; lateral movement is where it is put to use.
Lateral Movement Methods
The MITRE ATT&CK Enterprise matrix lists nine lateral movement techniques:
- Exploitation of Remote Services (T1210) – exploiting software vulnerabilities in services reachable over the network (SMB, RDP, database servers and the like) to gain access to internal systems.
- Internal Spearphishing (T1534) – using an already compromised, trusted account to phish additional internal users.
- Lateral Tool Transfer (T1570) – copying tools and files between systems, for example over administrative shares.
- Remote Service Session Hijacking (T1563) – taking over pre-existing remote sessions, such as SSH or RDP sessions, to progress.
- Remote Services (T1021) – logging in to remote systems with valid accounts over services like RDP, SSH, SMB/Windows admin shares, VNC or WinRM.
- Replication Through Removable Media (T1091) – copying malware to removable media so that it executes when the media is inserted into another system.
- Software Deployment Tools (T1072) – abusing third-party software already installed in the network, e.g., tools for administration, monitoring and deployment.
- Taint Shared Content (T1080) – adding malicious content to shared storage locations or tainting existing shared files.
- Use Alternate Authentication Material (T1550) – authenticating with material other than a password, such as password hashes (pass the hash), Kerberos tickets (pass the ticket), application access tokens and web session cookies.
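Two of the techniques above, Remote Services (T1021) and pass the hash under Use Alternate Authentication Material (T1550.002), leave a recognisable footprint in Windows Security event 4624 (successful logon). The following added example, which is not part of the original article or any Cyolo product, runs two simple detection rules over a handful of constructed 4624 records: an NTLM network logon in a Kerberos domain, and one account fanning out to several hosts from a single source within a short window. Host names, user names, timestamps and the thresholds are invented for illustration.

```python
"""Detection logic for two lateral movement techniques over Windows 4624
(successful logon) events. Added example; the events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): simplified 4624 records as
# a SIEM might normalize them. logon_type 3 = network logon (SMB, WinRM),
# 10 = RemoteInteractive (RDP); auth = AuthenticationPackageName.
SAMPLE_EVENTS = [
    {"time": "2022-07-28T09:00:00", "host": "FS01",   "user": "j.doe",      "logon_type": 3,  "auth": "Kerberos", "src": "WS-042"},
    {"time": "2022-07-28T09:01:10", "host": "WS-017", "user": "svc_backup", "logon_type": 3,  "auth": "NTLM",     "src": "WS-042"},
    {"time": "2022-07-28T09:01:40", "host": "WS-018", "user": "svc_backup", "logon_type": 3,  "auth": "NTLM",     "src": "WS-042"},
    {"time": "2022-07-28T09:02:05", "host": "WS-019", "user": "svc_backup", "logon_type": 3,  "auth": "NTLM",     "src": "WS-042"},
    {"time": "2022-07-28T09:02:50", "host": "SQL01",  "user": "svc_backup", "logon_type": 3,  "auth": "NTLM",     "src": "WS-042"},
    {"time": "2022-07-28T09:30:00", "host": "FS01",   "user": "a.smith",    "logon_type": 10, "auth": "Kerberos", "src": "WS-101"},
    {"time": "2022-07-28T14:00:00", "host": "FS02",   "user": "a.smith",    "logon_type": 3,  "auth": "Kerberos", "src": "WS-101"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def ntlm_network_logons(events, allowlist=frozenset()):
    """Pass the Hash (T1550.002) lead: network logons that used NTLM in a
    domain that normally issues Kerberos tickets. Legitimate NTLM still
    happens (e.g. connecting by IP address instead of hostname), so the
    allowlist holds (user, host) pairs known to be benign, and hits should
    be treated as leads, not verdicts."""
    return [
        e for e in events
        if e["logon_type"] == 3 and e["auth"] == "NTLM"
        and (e["user"], e["host"]) not in allowlist
    ]


def fan_out(events, threshold=3, window=timedelta(minutes=5)):
    """Remote Services (T1021) lead: one account from one source host reaching
    `threshold` or more distinct hosts within a sliding time window, the
    pattern of an attacker spraying a stolen credential across the network.
    Returns one (user, src, sorted hosts) tuple per offending pair."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_pair[(e["user"], e["src"])].append(e)
    hits = []
    for (user, src), evs in by_pair.items():
        for i, first in enumerate(evs):
            in_window = [x for x in evs[i:] if _ts(x) - _ts(first) <= window]
            hosts = {x["host"] for x in in_window}
            if len(hosts) >= threshold:
                hits.append((user, src, sorted(hosts)))
                break  # one alert per (user, src) pair is enough
    return hits


if __name__ == "__main__":
    for e in ntlm_network_logons(SAMPLE_EVENTS):
        print("NTLM network logon:", e["user"], "->", e["host"], "from", e["src"])
    for user, src, hosts in fan_out(SAMPLE_EVENTS):
        print("fan-out:", user, "from", src, "reached", hosts)
```

On the constructed sample the NTLM rule flags the four svc_backup logons and the fan-out rule flags svc_backup reaching four hosts from WS-042 in under two minutes, while a.smith's two logons hours apart stay quiet. In a real environment the thresholds and the allowlist are the tuning knobs: service accounts that legitimately touch many hosts need either a higher threshold or their own baseline.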
How Zero Trust Can Help Prevent Lateral Movement
As the list shows, lateral movement is very dangerous for organizations, so they need a security model that blocks it or at least minimizes its risk. That model is zero trust.
Zero trust, a Gartner-recommended security model, protects organizational assets and applications by eliminating implicit trust: every device and user identity is identified and authenticated before access is granted, and re-verified continually thereafter. Just as importantly, users are connected to specific applications rather than to the network, so the network itself stays invisible to them.
These zero trust architecture features blunt a large share of the lateral movement techniques above, both by denying attackers access to the systems and users they would use to advance and by cloaking the network to prevent mapping. The techniques zero trust helps prevent include:
- Exploitation of remote services – zero trust does not let unverified users reach the network or its internal services, regardless of whether the request originates locally or remotely, so a vulnerable service is not reachable by an attacker who has not passed authentication and policy checks.
- Remote service session hijacking – zero trust prevents perpetrators from gaining access to sessions. Even if they do, the auditing, recording and monitoring capabilities of zero trust mean the attacker can be tracked and the risk mitigated.
- Remote services – perpetrators who gain access to a remote service get only the limited access defined by the permission scope of the compromised account or service, not the network behind it. Zero trust removes the concept of a logged-on user with wide, unsupervised access.
- Tainted shared content – zero trust limits which users can read and write content in shared storage locations, and can scan new files for malware.
- Use of alternate authentication material – under zero trust, the only way into an application is the zero trust authentication flow, which can include MFA and user behavior analytics (UBA), and every decision is made against a centralized set of policies. A stolen hash, ticket or token for an internal service therefore does not by itself open the application.
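The points above about scoped access and centralized policy come down to how an access broker decides each request. The following added example, written for this article and not taken from Cyolo's product or any other implementation, shows such a policy check in miniature: requests name one application rather than the network, every rule requires group entitlement, fresh MFA and a healthy managed device, and anything unlisted is denied by default. The application names, groups, MFA age limits and scenarios are invented for illustration.

```python
"""A minimal zero trust access broker policy check. Added example; the
applications, groups and thresholds are invented for illustration."""
from dataclasses import dataclass
from datetime import timedelta
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    app: str                       # a named application, never "the network"
    groups: FrozenSet[str]         # group claims from the identity provider
    mfa_age: Optional[timedelta]   # time since the last MFA; None = no MFA yet
    device_managed: bool           # enrolled in device management
    device_healthy: bool           # posture check (disk encryption, EDR running, ...)


# Centralized policy, one rule per application. Anything not listed is denied,
# and no rule can grant more than a brokered session to that one application.
POLICY = {
    "hr-portal": {"groups": {"hr"},          "max_mfa_age": timedelta(hours=8),    "managed_device": True},
    "git":       {"groups": {"engineering"}, "max_mfa_age": timedelta(hours=8),    "managed_device": True},
    "prod-ssh":  {"groups": {"sre"},         "max_mfa_age": timedelta(minutes=15), "managed_device": True},
}


def decide(req: Request, policy=POLICY) -> Tuple[bool, str]:
    """Evaluate one access request. Every check must pass; the first failure
    is returned as the reason so the decision can be logged and audited."""
    rule = policy.get(req.app)
    if rule is None:
        return False, "unknown application: default deny"
    if not (req.groups & rule["groups"]):
        return False, "identity is not entitled to this application"
    if req.mfa_age is None or req.mfa_age > rule["max_mfa_age"]:
        return False, "MFA missing or stale: re-authenticate"
    if rule["managed_device"] and not (req.device_managed and req.device_healthy):
        return False, "device posture check failed"
    return True, "allow: session brokered to %s only" % req.app


# Constructed scenarios. A broker re-runs decide() at the start of every
# session and again whenever a claim changes, so a stale MFA or an unhealthy
# device cuts off an already established session as well.
SCENARIOS = {
    "hr user, own app":        Request("j.doe", "hr-portal", frozenset({"hr"}), timedelta(hours=1), True, True),
    "hr user, pivot to prod":  Request("j.doe", "prod-ssh", frozenset({"hr"}), timedelta(hours=1), True, True),
    "replayed token, no MFA":  Request("j.doe", "hr-portal", frozenset({"hr"}), None, True, True),
    "sre, MFA 2h old":         Request("a.smith", "prod-ssh", frozenset({"sre"}), timedelta(hours=2), True, True),
    "sre, unmanaged laptop":   Request("a.smith", "prod-ssh", frozenset({"sre"}), timedelta(minutes=5), False, True),
    "any user, unlisted app":  Request("a.smith", "wiki", frozenset({"sre"}), timedelta(minutes=5), True, True),
}


if __name__ == "__main__":
    for name, req in SCENARIOS.items():
        allowed, reason = decide(req)
        label = "ALLOW" if allowed else "DENY"
        print(f"{label:5} {name:24} {reason}")
```

The scenarios map onto the list above: the HR user trying to pivot to production SSH is refused on entitlement, which is the scoped access a compromised account gets; the replayed session with no MFA behind it is refused even though its group claims are valid, which is why stolen authentication material alone is not enough; and the unlisted wiki is refused by default, because an application the policy never mentions is not reachable at all.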
You can protect yourself from lateral movement and other MITRE ATT&CK tactics with zero trust. To learn more, schedule a call with the Cyolo team.