There are critical blind spots in most security solutions today that make it nearly impossible to detect and prevent lateral movement attacks.
Understanding the fundamentals of lateral movement
Almost every lateral movement action is based on the use of compromised credentials. According to a report from Expert Insights, over 60% of all cyber-attacks in 2021 have been linked to credential compromise. Threat actors can either harvest credentials from the machines they land on or purchase them in advance on the dark web. They generally aim to compromise admin credentials, as those accounts have higher access privileges, allowing the attacker to gain access to high-level systems within the network.
It’s important to realize that lateral movement is an almost never-ending process, where the tactic is constantly repeated on different machines until the attacker reaches the desired target (e.g., a domain controller or server that stores sensitive data). The progressive nature of such attacks allows threat actors to turn a small security event into an enterprise-grade security breach.
The key challenges of lateral movement detection
One of the biggest challenges of lateral movement detection is its low anomaly factor. Lateral movement attacks exploit the gaps in an organization’s user authentication process. Such attacks tend to remain undetected because the authentication performed by the attacker is essentially identical to the authentication made by a legitimate user.
Following the initial “patient zero” compromise, the attacker uses valid credentials to log in to organizational systems or applications. Therefore, the standard IAM infrastructure in place legacy cannot detect any anomaly during this process, which allows attackers to slip through and remain in the network undetected.
Another key challenge is the potential mismatch or disparity between endpoint and identity protection aspects. Endpoint protection solutions are mainly focused on detecting anomalies in file and process execution. However, the attacker gains access by exploiting the legitimate authentication infrastructure, utilizing legitimate files and process. Therefore, it doesn’t appear on the radar of endpoint solutions. Even when attackers move through the network after the initial compromise, they use processes that are identical to legitimate user processes.
For instance, if an attacker used the PsExec tool to remotely connect from “patient zero” to another computer with compromised credentials, the process launched will be PsExec.exe – the identical process that would be run if a genuine administrator opted to execute the same connection. Also, network protection solutions focus on detecting anomalies in the network traffic, and the network traffic characteristics from the “patient zero” device to the remotely accessed device will be identical to the ones when a legitimate admin performs the same action.
The lack of real-time blocking factors in the existing endpoint and network security solutions is another key challenge for lateral movement detection and prevention. At best, most of these solutions can alert the security teams when they detect lateral movement, but by the time mitigation efforts are launched, attackers will already have access to valuable assets.
Network security solutions can contain lateral movement attacks – to an extent – with tight segmentation of the environment. Although it might prevent attackers from moving from one network segment to another, it won’t prevent lateral movement within a compromised segment itself. Moreover, some machines (e.g., file or application servers) will always be accessible to multiple segments, enabling attackers to pivot from one segment to the other, thus voiding segmentation’s protection.
These challenges are still prevalent because of the tendency to incorporate user identities as a part of endpoint and network security. This is why lateral movement still remains a blind spot in today’s security infrastructures, despite the copious cybersecurity advancements of the last decade. The only solution is to solidify the identity authentication processes and consider user identities as a standalone attack surface that must be protected based on the threats it’s subject to.
Enabling real-time protection through risk analysis and MFA
At its core, lateral movement is an identity-based attack. Therefore, the most feasible approach to prevent such attacks would be to solidify user authentication processes. To achieve this, organizations should consider adding the security layer of risk analysis and multi-factor authentication (MFA) in every internal and external access point.
In a conventional IT environment, MFA is only required to gain access to the network or system. Once the user is logged in, MFA is not required to perform the privileged operations. Organizations should opt for solutions that enable adaptive MFA on all user access, including Active Directory authentications, command line (CMD) executions, and execution of all remote access tools such as Powershell, PsExec, and WMI.
When MFA is implemented in every privileged process, users will have to authenticate their identities to perform any significant tasks even if they are already inside the enterprise network. Such a continuous authentication process significantly reduces an attacker’s ability to utilize admin tools for lateral movement.
It is also important to strengthen authentication requirements. Organizations shouldn’t simply rely on codes sent via email or links as the only mean of authentication; they should implement solutions that can provide agentless MFA using secured methods like biometric authentication or device prompts.
Until organizations stop relying on endpoint and network security solutions for protecting user identities, lateral movement attacks will continue to thrive and remain a blind spot in most security infrastructures. Only by implementing a multi-layered and risk-based authentication process can organizations minimize the risks of lateral movement attacks, enforcing real-time detection and prevention.