Cyber attackers use various techniques to navigate between devices and exploit vulnerabilities, collect credentials, and upgrade privileges with the final goal to get to the high-value, protected data inside a network.
As an attack strategy, lateral movement enables threat actors to prevent detection and retain access, even if discovered on the initially infected device. If the adversaries are able to obtain administrative privileges, malicious lateral movement activities can be challenging to detect, as they’ll mimic “normal” network traffic, allowing them to hide in plain sight.
Lateral movement can involve attempts to steal account credentials or to steal data from another device. It can also involve compromising another device to make the attacker’s foothold more durable or to get closer to target data. Usually, lateral movement detection is the precursor to moving into private data centers and public clouds.
In most cases, lateral movement detection requires a combination of approaches and methods. Combining real-time monitoring and behavioral analysis is one of the most efficient ways to detect malicious lateral movement activity in your network.
In the past, Intrusion Detection Prevention System (IDPS) has been a popular way for networks to identify suspicious lateral movement behavior. However, IDPS is quickly becoming an obsolete way to prevent threats within a network. When detecting lateral movement, IDPS only focuses on traffic that is passing through the corporate firewall. This traffic represents a fraction of the communication within a network, and this fraction is growing increasingly small. IDPS also relies primarily on signatures to detect lateral movement threats, including exploits and malware that target vulnerable systems and applications. And while signatures have their uses, there has been a significant shift in attacks moving away from malware to account-based attacks.
Another common way companies have detected lateral movement and defended against it in the past is by analyzing log files for suspicious or questionable activity. However, these log files are limited to a small number of scenarios and are also limited in the amount of apps they compile data from. This puts companies who rely on analyzing log files as their primary defense against lateral movement threats at risk, because their defensive security scope is very limited.
In addition, endpoint detection and response (EDR) is another way security teams have defended against lateral movement threats. EDR tools are used mainly to detect any sinister or malicious codes that have been launched within a protected network asset. However, similarly to analyzing log files, this defense mechanism greatly limits the scope of detecting lateral movement threats and behaviors. It is also important to note that sophisticated and experienced attackers can detect which devices have these EDR tools and agents, and will avoid those devices and therefore, detection. Also, a large number of devices won’t and can’t have EDR agents or tools, such as IoT devices, printers, production servers, and more. This makes these types of devices better targets for attackers moving laterally.
Threat hunting is another common way to identify lateral movement. This helps cybersecurity teams identify suspicious behavior that other detection methods would not catch. It is important, when identifying lateral movement, to have threat hunting capabilities that properly analyze user behavior.
The last common way to detect lateral movement is by using a network detection and response (NDR) platform. This allows visibility into a wider scope of traffic, beyond the corporate firewall and in the cloud, so that security teams are able to evaluate traffic from a variety of sources. NDR also provides security teams with richer behavioral context. This allows security teams to properly examine and evaluate every lateral movement threat or risk.
An internal host device sends similar payloads to several internal targets. This might be the result of an infected host sending one or more exploits to other hosts in an attempt to infect additional hosts.
An internal host makes excessive login attempts on an internal system. These behaviors occur via different protocols (e.g. RDP, VNC, SSH) and could indicate memory-scraping activity.
A Kerberos account is used at a rate that far exceeds its learned baseline and most of the login attempts fail.
The host device uses protocols that correlate with administrative activity (e.g. RDP, SSH) in ways that are considered suspicious.
An internal host utilizes the SMB protocol to make many login attempts using the same accounts. These behaviors are consistent with brute-force password attacks.
Vectra’s network detection and response platform, Cognito, helps keep your network secure and protected by hunting and detecting lateral movement threats. Vectra AI gives your security team full visibility into malicious traffic patterns that attackers will exploit and helps identify security risks throughout the network.
The Vectra Cognito NDR platform combines lateral movement threat intel with rich contextual data, such as host user behaviors on the network, user and device privileges, and knowledge of malicious behaviors. Powered by machine-learning algorithms developed by security researchers and data scientists, Vectra identifies attacks that are real threats, while eliminating noise. This instills confidence that you are detecting and stopping known and unknown attacks in cloud, data center, IoT, and enterprise networks. Vectra is in 100% service of detecting and responding to attackers, and our job is to find them early and with certainty.
Request a demo to talk to one of our experts and discover how Vectra can automate threat detection, expose hidden attackers, and empower threat hunters.