Lateral Thinking: What is Lateral Movement and how to prevent it?

By Terry Jenvey

It is not uncommon for organisations to hear the term “Lateral Movement” after an audit or to be told they have a problem with it after a penetration test. But in most cases, there is no insight into what this means for them or how they can begin to tackle it. In this post we are going to attempt to make Lateral Movement relatable, and highlight how Cymulate can make it achievable to understand what Lateral Movement looks like in your environment.

Lateral Movement refers to the techniques threat actors use to systematically identify, move between, and compromise assets of value within an organisation’s network. We can simplify the idea of the process by relating the activities to physical security, in this case a thief attempting to burgle a property.

Can an entry point be identified to gain access, an open door or window? Is there a key left under the mat?

Once entry is gained, are there any alarms or locks protecting rooms of interest, and how far can we spread throughout the building until we find something of value, or get blocked from entering any more rooms?

Now, as I said, it is common for many organisations to hear this term after an annual audit or penetration test, but what does Lateral Movement look like for the company? It is a tricky question to answer and something that does not get clearly articulated due to its complexity. So, let us start by understanding the challenges and then move on to understanding how the Cymulate platform can help.

Challenge 1 – Account and role change automation 

In most organisations there is a fine line between delivering operational support and being able to monitor all user access and activities. An organisation’s network and security landscape are continuously changing and subject to configuration drift and “fixes” to keep the lights on so the business can deliver. New employees, role changes, and resignations/terminations result in a barrage of account activity and manual labour which often leads organisations to look to automation to streamline the process with HR operations. 

This means that an attacker who gains the ability to either digitally or (in some cases) physically manipulate this automation would also gain an unprecedented ability to manipulate all the outcomes of these operations. Automation to keep the lights on could – inadvertently – kill the lights as payroll, reporting, and other vital operations are suddenly disrupted by false changes to HR data. It also gives the attacker the ability to move laterally by getting access to roles and responsibilities that shouldn’t be assigned to that account/person.

Challenge 2 - The ever-changing IT landscape

Most organisations are on a constant journey to improve network security and transition services to cloud environments, to reduce costs and deliver more for less. Some IT teams find themselves having to maintain and support legacy systems and applications both on-prem and in cloud migrations. Others are subject to mergers and acquisitions and have to support multiple technologies and systems that they have no previous knowledge of, but are now expected to combine into the IT systems or take over and support from the acquired company. To meet deadlines and goals, things can be overlooked: default configurations left in place, ports and protocols left open, systems left behind on updates and patching, and accounts with privilege overlooked.

Lateral Movement attacks are often persistent and carried out over a prolonged period to evade detection and blend into the background noise of day-to-day behaviour. If our IT & Security teams are overwhelmed or under-resourced, how can we expect them to differentiate quickly and correctly between legitimate user and account activity and something malicious? This is drastically compounded when systems are migrated to cloud platforms without proper preparation and transformation, or when systems are merged/taken over during particularly hurried mergers and acquisitions.

Challenge 3 – Operational context 

If a device were to be compromised, what would happen? How could that device be compromised in the first place? What is the blast-radius and what items (data, additional systems, etc.) of value could be reached? These can be wrapped up in the single question, “Are the security controls I have in place configured and working effectively for my organisation right now?”

Lateral Movement attacks leverage the fact that many systems do not report abnormal activity effectively and may not even be able to recognise abnormal activity at all. Remember that many systems can only see their own operations, and as we move toward more interconnected platforms (as opposed to single systems), it becomes much easier for an attacker to leverage this lack of communication to move laterally.


So how can Cymulate help? 

Cymulate Continuous Security Validation allows organisations to test their security controls safely against thousands of simulated attacks and techniques, including Lateral Movement simulations, on demand or on a schedule of their choosing. Unlike traditional testing it is not bound by scope or timeframe and provides continuous assurance and visibility into the effectiveness of your security controls, even against the latest threats. Its class-leading UI and rich reporting mean that organisations of any size or vertical can quickly and effectively gain instant insight, and identify gaps in their security controls, while receiving actionable insights for full kill-chain mitigation.

The bigger picture – more than just Lateral Movement

Cymulate’s Endpoint Security module challenges your endpoint security controls and identifies whether they are properly configured and tuned to protect you against signature and behavioural attacks.  

This module empowers an organisation to deploy and run simulations of ransomware, trojans, worms, and viruses in a controlled and safe manner. The endpoint attack simulation ascertains if the security controls are configured properly and are protecting your organisation’s critical assets against the latest attack methods used by threat actors – in addition to previous methods that may be used again in future. This comprehensive testing covers all aspects of endpoint security, including but not limited to behavioural detection, virus detection, and known vulnerabilities.

So, after testing and identifying what can execute and run successfully on the endpoint, we can start to answer, “Would it be possible to execute Lateral Movement from an endpoint, and if so, would it be detected quickly and effectively?”

Some tools are finished at this point; they have served their purpose. But this is only part of the picture when it comes to Lateral Movement. The next stage is to understand what assets and configurations lie within the organisation’s network that could be discovered by, compromised by, and used by something or someone attempting to move laterally (tickets, tokens, credentials, networking and routing, etc.). Cymulate’s Lateral Movement module allows an organisation to safely and continuously test their environment to ascertain what resources are in place that would allow an attacker to move laterally, and what defences are effective at prohibiting a threat actor from using them.

Cymulate will not be using vulnerabilities or exploits which could cause disruption or destruction of systems or data during testing, because we want to enable organisations to test for Lateral Movement safely. This is key to allowing organisations to test their environment without threat of downtime or disrupting operations. This is where integration with a vulnerability scanner allows Cymulate to identify where weaknesses exist that could have been leveraged, without having to invoke them and risk causing operational downtime and outages.

When it comes to reviewing results you now have three key items to help you understand what Lateral Movement looks like for your organisation. Let’s refer to the “thief” scenario (where a thief attempting to break into a building needs specific things to be successful):

The keys - Tickets, tokens, credentials. 

Over-privileged accounts, whether that is a specific user account or a service account. Credentials saved in plain text, browsers, or applications. Whether security controls are going to permit and detect techniques that supply threat actors with the keys, including kerberoasting, responder poisoning, password spraying, etc.

 

The front door and moving between rooms - Network routing, ports, and protocols 

Are there open ports and protocols in place that can permit Lateral Movement, and can they be used to propagate and navigate throughout the environment - and if so, how far?  Is it possible to bridge networks? Is my firewall properly configured? Is my network segmentation working effectively?  Can someone move from our DMZ network to our production network?  If someone compromised a device via phishing in our finance department; how far could they move within our environment based on our current configurations? How long would it take to detect that behaviour? 
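The segmentation questions above can be answered on paper before any testing. The following is an added example (not part of the original post and not Cymulate's code) that walks a constructed list of firewall allow rules and reports how far a device in one segment can reach over remote-administration ports. The segment names, the rules and the port set are all assumptions made for illustration.

```python
from collections import deque

# Constructed sample data: segment names, rules and ports are illustrative only.
ADMIN_PORTS = {22, 445, 3389, 5985}  # remote-administration services (assumed set)

# Allow rules as (source segment, destination segment, TCP port).
CURRENT_RULES = [
    ("finance", "corp", 445),
    ("finance", "corp", 443),
    ("corp", "mgmt", 3389),
    ("mgmt", "prod", 22),
    ("dmz", "prod", 445),     # legacy file share left open after a migration
    ("dmz", "corp", 443),
]

# Same policy after review: finance-to-corp SMB and the DMZ file share are removed.
TIGHTENED_RULES = [
    ("finance", "corp", 443),
    ("corp", "mgmt", 3389),
    ("mgmt", "prod", 22),
    ("dmz", "corp", 443),
]

def blast_radius(rules, start, ports=ADMIN_PORTS):
    """Map each segment reachable from start to (hops, shortest path) over allow rules on ports."""
    edges = {}
    for src, dst, port in rules:
        if port in ports:
            edges.setdefault(src, set()).add(dst)
    seen = {start: (0, [start])}
    queue = deque([start])
    while queue:                      # breadth-first, so the first path found is the shortest
        node = queue.popleft()
        hops, path = seen[node]
        for nxt in sorted(edges.get(node, ())):
            if nxt not in seen:
                seen[nxt] = (hops + 1, path + [nxt])
                queue.append(nxt)
    del seen[start]                   # the starting segment is not part of its own blast radius
    return seen

def report(rules, start):
    """One readable line per segment reachable from start."""
    return [f"{start} -> {seg}: {hops} hop(s) via {' > '.join(path)}"
            for seg, (hops, path) in sorted(blast_radius(rules, start).items())]

if __name__ == "__main__":
    for name, rules in (("current", CURRENT_RULES), ("tightened", TIGHTENED_RULES)):
        print(name, *report(rules, "finance"), *report(rules, "dmz"), sep="\n  ")
```

With the constructed rules, removing a single finance-to-corp rule breaks the whole chain to production, which is the kind of quick win the review of results is meant to surface.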

Other doors and windows - Patching and legacy/BYOD devices

Are we up to date with our patching? Have we omitted patching a device because of its role and if so, what is the level of risk that it creates? How can I quantify and prioritise patching related to Lateral Movement? What exploits and vulnerabilities would allow someone to successfully move in the network?

What risks are posed by allowing Bring Your Own Device platforms into my networks? Have I accounted for their security as well, and have I segmented out the networks they will use? Are legacy systems – which may not even be able to be restricted or patched in the same way as current systems – allowing attack surfaces to be leveraged?

With these three items identified we can now start to build a picture of what Lateral Movement looks like for our organisation. Are there quick wins such as dealing with over-privileged accounts and improving firewall configurations? Can we prioritise patching within a certain network segment/location that is more critical for our business?  Is our SOC service capable of detecting and reacting to Lateral Movement?  What can we do to improve our existing controls before we start to look at tools such as Privileged Access Management? 

Lateral Movement is an extremely broad term. The key to understanding is visibility. And what better way of doing that than using a platform that allows you to continuously test and demonstrate what Lateral Movement looks like in your organisation?

Test the effectiveness of your security controls against possible cyber threats with a 14-day trial of Cymulate's platform. 


Don’t speculate, Cymulate

Terry Jenvey

Terry Jenvey spent over a decade working to secure and mobilise frontline IT Services for a number of UK Police Forces before taking his expertise and insights into the vendor world. Here he has continued to help organisations of all sizes and industries to secure themselves and transform their digital services for the future. He is currently Lead Solution Architect for the UK & Europe with Cymulate Breach & Attack Simulation; helping organisations continuously validate the effectiveness of their security controls and protect their critical business assets.
