Lateral movement is among the greatest threats security teams face today. Whether a company's network lives primarily in the cloud, on-premises, or in a hybrid of the two, there are lateral movement techniques tailored to the weaknesses of each environment. As organizations move to the cloud, sensitive data and critical assets end up spread across all of these environments, and treating an asset as secure simply because of where it is stored is a recipe for disaster. In today's landscape, despite a vast array of security products, attackers will at some point succeed in exploiting a vulnerability and compromising an environment; the question is how far they can get from there.

What Is Lateral Movement?

Lateral movement is the set of techniques an attacker (or group of attackers) uses to progressively explore a network after an initial compromise, with the goal of reaching high-value assets. The "lateral" refers to the attacker moving between devices, applications, and identities within the environment, including from on-prem to cloud or vice versa. It is also known as "east-west" movement; the attacker is constantly hunting for the next opening, most often by reusing compromised credentials.

A typical lateral movement campaign goes through three phases: Recon (or Investigation), Credentials, and Access.

Recon begins after the intruder has gained initial access, through malware, a phishing attack, or an exploited weakness in a cloud service. In this phase the attacker moves methodically through the low-value systems they initially control, learning the security posture of the network and noting the users and applications with greater authority that could serve as the next step.

Credentials refers to the milestones on the way to the ultimate goal: gathering credentials with progressively greater access. Each step up is key to the attack's success, because it both moves the actor closer to the prize and usually widens their options for disguising their presence: broader permissions, access to security controls, or remote access to more sensitive devices and applications than they could reach previously.

Finally, in the Access phase the attackers combine what they learned about the network and its security operations during Recon with the credentials they have collected to reach their target. The end result of a lateral movement campaign is frequently ransomware deployment or data exfiltration, as with so many other cyberattacks.

A Nearly Undetectable Attack

What makes lateral movement particularly challenging is how hard it can be to detect, for a few reasons. First, attackers often work deliberately and by hand (rather than leaning on noisy automation) and take care not to trip alerts. Second, the credentials they collect and reuse are valid, so their activity passes basic authentication checks and blends into normal traffic. Lastly, the breadth and duration of the campaign make it difficult to know where to look, or, once something is found, where and when the intrusion began and how far it has spread.

Successful campaigns may run for months and touch a vast attack surface. The point of moving laterally is to spread the attacker's foothold across the network as widely as possible, both to increase the number of attack options and to leave fallback paths (back doors) in case any access point is discovered or closed by a patch or configuration change. Put simply: they break into the house, then open as many other doors and windows as possible so they can always get back in.

Lateral movement is a broad topic, so let's focus more specifically on vulnerabilities in on-premises, cloud, and hybrid environments.

Vulnerabilities in On-Premises Environments

On-premises environments (data centers, corporate-owned servers, workstations, and networking equipment) are exposed to the classic initial-access routes: malware, phishing, and brute-force or password-spray attacks against exposed services such as VPN, RDP, or SSH. Each of these gives attackers their initial purchase in the network.

Once inside, the threat actors map the network, blend in with normal traffic, and work toward higher-privileged credentials.

These openings can be reduced with next-generation firewalls, multi-factor authentication, and the other traditional on-premises controls. However, because attackers move on valid credentials, it is equally critical to reset passwords and revoke sessions for any account suspected of exposure (arbitrary periodic rotation on its own adds little, and NIST SP 800-63B no longer recommends it), and for security teams to monitor access lists, authentication logs, and network traffic for accounts that suddenly reach many hosts, or hosts they have never touched before.
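
To make the monitoring advice above concrete, here is an added example (not code from the original article) of two detections run over constructed Windows Security event 4624 records: an account reaching an unusual number of distinct hosts over the network within a short window, and an account reaching hosts it has never touched before. The event layout, host names, baseline, and thresholds are assumptions for illustration.

```python
"""Lateral-movement detections over Windows network logons.

Added example; not code from the original article. The field layout
mirrors Windows Security event ID 4624 (TargetUserName, IpAddress,
LogonType) as a SIEM would flatten it, plus the destination host that
recorded the event. All records, host names, baseline and thresholds
below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

NETWORK_LOGON = 3  # 4624 LogonType 3: SMB, RPC, WinRM and other remote logons

# Constructed sample events: (time, user, source IP, destination host, logon type)
SAMPLE_EVENTS = [
    ("2024-05-03T09:00:05", "jsmith",     "10.0.5.21", "FS01",     3),
    ("2024-05-03T09:01:10", "jsmith",     "10.0.5.21", "FS01",     3),
    ("2024-05-03T09:30:00", "jsmith",     "10.0.5.21", "PRINT01",  3),
    ("2024-05-03T22:10:00", "svc_backup", "10.0.9.40", "SRV01",    3),
    ("2024-05-03T22:10:07", "svc_backup", "10.0.9.40", "SRV02",    3),
    ("2024-05-03T22:10:15", "svc_backup", "10.0.9.40", "SRV03",    3),
    ("2024-05-03T22:10:21", "svc_backup", "10.0.9.40", "SRV04",    3),
    ("2024-05-03T22:10:30", "svc_backup", "10.0.9.40", "DC01",     3),
    ("2024-05-03T22:11:02", "svc_backup", "10.0.9.40", "SQL01",    3),
    ("2024-05-03T22:11:05", "admin",      "10.0.9.40", "WS-ADMIN", 2),  # console logon
]

# Constructed baseline: the hosts each account normally reaches (from history).
BASELINE = {
    "jsmith": {"FS01", "PRINT01"},
    "svc_backup": {"SRV01", "SRV02", "SRV03", "SRV04"},
}


def detect_fanout(events, window=timedelta(minutes=5), threshold=5):
    """Alert when one (user, source IP) pair reaches >= threshold distinct
    hosts over the network inside `window`. Returns one alert per pair."""
    by_actor = defaultdict(list)
    for ts, user, src, dst, logon_type in events:
        if logon_type != NETWORK_LOGON:
            continue
        by_actor[(user, src)].append((datetime.fromisoformat(ts), dst))

    alerts = []
    for (user, src), rows in by_actor.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            hosts = {dst for t, dst in rows[i:] if t - start <= window}
            if len(hosts) >= threshold:
                alerts.append({"user": user, "source": src,
                               "window_start": start.isoformat(),
                               "hosts": sorted(hosts)})
                break  # the first window that trips is enough for this actor
    return alerts


def detect_new_destinations(events, baseline):
    """Alert on network logons to hosts the account has never reached before,
    often the first visible sign that an account is being used to explore."""
    seen = defaultdict(set)
    alerts = []
    for ts, user, src, dst, logon_type in events:
        if logon_type != NETWORK_LOGON:
            continue
        known = baseline.get(user, set()) | seen[user]
        if dst not in known:
            alerts.append({"user": user, "source": src, "host": dst, "time": ts})
        seen[user].add(dst)
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(SAMPLE_EVENTS):
        print("FAN-OUT ", alert)
    for alert in detect_new_destinations(SAMPLE_EVENTS, BASELINE):
        print("NEW-DEST", alert)
```

On the constructed input, `svc_backup` trips both rules (six hosts in just over a minute, two of them outside its baseline), while `jsmith` trips neither; in production the baseline would be built from weeks of history and the threshold tuned per account type, since backup and scanning accounts legitimately fan out.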

In a hybrid environment, though, on-premises is only half the equation; the more difficult access point for lateral movement (for both attackers and defenders) is the cloud.

Vulnerabilities in Cloud Environments

While it may seem a harder angle of attack, vulnerabilities in cloud environments can be exploited by threat actors just as thoroughly as on-premises weaknesses, and in some cases the damage is greater.

A cloud-based lateral movement attack often begins at the publicly reachable control plane, such as the AWS API, the management console, or another provider's API. These endpoints cannot simply be put behind a firewall, and on-prem compensating controls do not carry over. Through a misconfiguration, leaked foothold credentials (for example, an access key with read-only access to a broad swath of account metadata, enough to map the environment), or brute force against weak password controls, attackers can find themselves with access to your cloud environment. From there, thanks to the reach of the cloud and features such as cross-account roles (IAM roles that a principal in one account is trusted to assume in another), they can spread laterally across accounts and on into a connected on-premises environment.

How Bad Agents Can Move From One Environment To Another

In a hybrid environment, attackers will look for access to both cloud and on-premises systems to expand their foothold and discover multiple avenues into your environment. Ultimately it comes down to credentials, and to creative exploitation of the permissions and applications those credentials can open.

Threat actors can move from on-premises to cloud environments and back using a few techniques. One popular method is "pass-the-PRT". A Primary Refresh Token is the long-lived sign-in token that Microsoft Entra ID (Azure AD) issues to a joined or registered Windows device; an attacker who can extract it from the endpoint can request access tokens for cloud resources as that user, inheriting the device and MFA claims the token carries, without ever touching the password. Other environment-jumping attacks (sometimes loosely called "north-south" movement, a term that more traditionally describes traffic crossing a network boundary) follow the same basic structure: penetrate the on-premises or cloud network, find credentials that are valid across environments, move to the next environment, gain broader access and higher credentials there, and repeat until high-value assets are reached.

These cross-environment attacks can be thwarted through segmentation: limiting the paths from one environment to another to a few specific, tightly monitored routes and accounts. That makes it harder for an attacker to find credentials that work across the boundary, and if a cross-environment incursion is detected, security teams know exactly where to look.
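
The following is an added example, not part of the original article, of how the "tightly monitored routes" idea can be enforced against cloud logs: it reads constructed CloudTrail AssumeRole records, ignores same-account hops, and reports every cross-account role assumption (successful or denied, and whether it chains from an existing role session) that is not on a hypothetical allow-list of sanctioned hops. Account IDs, role names, and the allow-list are assumptions.

```python
"""Spot cross-account AssumeRole hops that leave the sanctioned paths.

Added example; not code from the original article. The records follow the
CloudTrail AssumeRole event shape (userIdentity, requestParameters.roleArn,
errorCode) but are constructed; account IDs, role names and the allow-list
are hypothetical.
"""
import json

# Hypothetical segmentation policy: the only cross-account hops that are
# supposed to exist, as (calling account, target role ARN).
SANCTIONED_HOPS = {
    ("111111111111", "arn:aws:iam::222222222222:role/ci-deploy"),
}

# Constructed CloudTrail records, one JSON object per line.
SAMPLE_TRAIL = r"""
{"eventTime":"2024-05-03T10:00:00Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/alice","accountId":"111111111111"},"requestParameters":{"roleArn":"arn:aws:iam::222222222222:role/ci-deploy","roleSessionName":"deploy"},"recipientAccountId":"111111111111"}
{"eventTime":"2024-05-03T10:00:05Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::222222222222:assumed-role/ci-deploy/deploy","accountId":"222222222222","sessionContext":{"sessionIssuer":{"type":"Role","arn":"arn:aws:iam::222222222222:role/ci-deploy","accountId":"222222222222"}}},"requestParameters":{"roleArn":"arn:aws:iam::222222222222:role/reader","roleSessionName":"r"},"recipientAccountId":"222222222222"}
{"eventTime":"2024-05-03T10:02:00Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::222222222222:assumed-role/ci-deploy/deploy","accountId":"222222222222","sessionContext":{"sessionIssuer":{"type":"Role","arn":"arn:aws:iam::222222222222:role/ci-deploy","accountId":"222222222222"}}},"requestParameters":{"roleArn":"arn:aws:iam::333333333333:role/OrganizationAccountAccessRole","roleSessionName":"deploy"},"recipientAccountId":"222222222222"}
{"eventTime":"2024-05-03T10:03:00Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/alice","accountId":"111111111111"},"requestParameters":{"roleArn":"arn:aws:iam::333333333333:role/admin"},"errorCode":"AccessDenied","errorMessage":"User is not authorized to perform sts:AssumeRole","recipientAccountId":"111111111111"}
"""


def account_of(arn):
    """Account ID field of an ARN (arn:partition:service:region:account:resource)."""
    return arn.split(":")[4]


def analyze(trail_text, sanctioned=SANCTIONED_HOPS):
    """Return one finding per cross-account AssumeRole that is not sanctioned.
    Denied attempts are kept: a caller probing roles it cannot reach is recon."""
    findings = []
    for line in trail_text.strip().splitlines():
        ev = json.loads(line)
        if ev.get("eventSource") != "sts.amazonaws.com" or ev.get("eventName") != "AssumeRole":
            continue
        identity = ev["userIdentity"]
        caller_account = identity["accountId"]
        target_role = ev["requestParameters"]["roleArn"]
        target_account = account_of(target_role)
        if target_account == caller_account:
            continue  # same-account hop; outside the scope of the segmentation rule
        if (caller_account, target_role) in sanctioned:
            continue  # an approved cross-environment path
        # Role chaining: the caller is itself an assumed-role session, so this hop
        # extends an existing chain. Report the role that issued that session.
        chained = identity.get("type") == "AssumedRole"
        origin = (identity.get("sessionContext", {})
                  .get("sessionIssuer", {})
                  .get("arn", identity["arn"]))
        findings.append({
            "time": ev["eventTime"],
            "caller": origin,
            "target_role": target_role,
            "target_account": target_account,
            "chained": chained,
            "denied": "errorCode" in ev,
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_TRAIL):
        print(json.dumps(finding))
```

On the constructed trail, the sanctioned hop from account 111111111111 into ci-deploy and the same-account hop into reader are silent, while the ci-deploy session reaching into a third account (a chained hop) and alice's denied attempt against an admin role in that account both surface. The allow-list is the segmentation policy written down; every new entry in it is a cross-environment path that should have an owner and be monitored.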

The Dangers of Lateral Movement in a Hybrid Environment

Lateral movement is a significant threat in today's landscape. It is often carried out by organized teams of threat actors who specialize and trade with one another on underground forums: some open entry points and establish deep access (on-prem, cloud, or hybrid), and in some cases sell that access on to others (so-called initial access brokers). Whether the goal is espionage, ransomware, or extortion, the attackers collaborate to exploit whatever weaknesses they can find.

The risk of lateral movement is clear, and it matters more as workloads move to the cloud. To improve security, evaluate it across the board, taking into account the requirements of both on-premises and cloud environments. Reviewing how these environments connect to each other is another critical step for any organization seeking to improve its readiness for cyberattacks.

A few key steps to take in on-prem environments:

  • Keep data center security up to date
  • Enforce strong password requirements, and reset credentials promptly whenever exposure is suspected
  • Require multi-factor authentication (phishing-resistant where possible) for all users in the environment

In cloud environments, follow these steps to increase security:

  • Use single sign-on (SSO) as much as possible, so there is one place to enforce policy and revoke access
  • Require strong passwords, and rotate them when exposure is suspected
  • Review how secrets (API keys, access keys, service-account credentials) are stored, and rotate them if there is a suspected incident
  • Check for misconfigurations in databases, S3 buckets, Azure Blob Storage, and Google Cloud Storage
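
As an added example (not from the article) covering both the cross-account-role risk discussed earlier and the misconfiguration check in this list, the script below audits constructed IAM role trust policies and S3 bucket policies for statements that allow anyone, or an account outside a hypothetical organization allow-list, and for external trusts that lack an sts:ExternalId condition. Account IDs, role names, and bucket names are assumptions.

```python
"""Static audit of AWS resource policies (IAM role trust policies and S3
bucket policies) for statements open to the public or to outside accounts.

Added example; not code from the original article. Policies are constructed
and account IDs, role and bucket names are hypothetical.
"""
import json

ORG_ACCOUNTS = {"111111111111", "222222222222"}  # hypothetical org accounts

# Constructed policies, keyed by a label for the resource they are attached to.
SAMPLE_POLICIES = {
    "role/build-runner (trust)": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]},
    "role/vendor-access (trust)": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
         "Action": "sts:AssumeRole"}]},
    "role/partner-access (trust)": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]},
    "role/ci-deploy (trust)": {"Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:user/alice"},
         "Action": "sts:AssumeRole"}]},
    "bucket/public-site": {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::public-site/*"}]},
    "bucket/org-artifacts": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::org-artifacts", "arn:aws:s3:::org-artifacts/*"],
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_principals(stmt):
    """Normalize the Principal element to a list of strings. Service
    principals are skipped: they are AWS services, not other accounts."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        out = []
        for key, value in principal.items():
            if key in ("AWS", "Federated"):
                out.extend(_as_list(value))
        return out
    return []


def principal_account(principal):
    """'*' for anyone, the 12-digit owning account, or None if not account-bound."""
    if principal == "*":
        return "*"
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 5 and parts[4] else None


def has_external_id(stmt):
    return any("sts:ExternalId" in keys for keys in stmt.get("Condition", {}).values())


def audit_policy(label, policy, org_accounts=ORG_ACCOUNTS):
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        for principal in statement_principals(stmt):
            account = principal_account(principal)
            if account == "*":
                # A condition (aws:PrincipalOrgID, aws:SourceVpce, ...) may narrow
                # this; it is flagged for review rather than evaluated here.
                kind = "public_with_condition" if stmt.get("Condition") else "public"
            elif account is not None and account not in org_accounts:
                if "sts:AssumeRole" in actions and not has_external_id(stmt):
                    kind = "external_account_no_external_id"  # confused-deputy risk
                else:
                    kind = "external_account"
            else:
                continue
            findings.append({"resource": label, "statement": idx,
                             "principal": principal, "actions": actions, "kind": kind})
    return findings


def audit_all(policies, org_accounts=ORG_ACCOUNTS):
    return [f for label, pol in policies.items() for f in audit_policy(label, pol, org_accounts)]


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_POLICIES):
        print(json.dumps(finding))
```

Run against the constructed set, the build-runner trust policy and the public-site bucket are flagged as open to anyone, the two vendor trusts as external (one without an ExternalId condition), and the org-artifacts bucket as public-but-conditioned for a human to confirm; the ci-deploy trust is clean because its principals are an AWS service and an in-organization user.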

Regardless of environment, check for critical vulnerabilities and patch them as quickly as possible. Lastly, segment cloud and on-prem environments so that cross-environment access is as difficult as possible for attackers.

Readiness is essential to preparing for and stopping cyberattacks, whether they occur in on-prem, hybrid, or cloud environments. Assume that your organization will be attacked; don't wait for it to happen. The time you spend now preparing for lateral movement across your environments will increase your resilience before an incident and reduce the severity of the impact if or when attackers gain access.

May 3, 2024
