Lateral movement is how an attacker moves through your environment after gaining an initial foothold, typically to find data to steal or systems to disrupt. It covers a set of techniques for accessing or controlling other systems on the network, or gathering information from them, often without needing to drop additional tooling such as a remote access tool.
Adversaries use lateral movement to run tools remotely, pivot to additional systems, and reach specific information, files or credentials. To reduce their footprint on the network, attackers commonly use legitimate credentials together with existing network and operating system functionality (remote desktop, administrative shares, remote management services) to connect to other systems rather than deploying malware of their own.
Movement across a network from one system to another may be necessary to achieve an adversary’s goals. Thus lateral movement, and the techniques that lateral movement relies on, are often very important to an adversary’s set of capabilities and part of a broader set of information and access dependencies that the adversary takes advantage of within a network.
That’s why it’s important to understand intrinsic security dependencies by knowing the relationships between accounts and access privileges across all systems on a network.
How to Detect Lateral Movement
Lateral movement can be some of the most difficult attacker behavior to detect reliably from inside the network. Missed lateral movement leads to breaches and ransomware infections, and because it follows an initial compromise, seeing it usually means at least one system is already under attacker control.
Detecting lateral movement often requires a combination of endpoint visibility, strong network segmentation and network intrusion detection/prevention systems. Attackers' lateral movement techniques often resemble legitimate user behavior: they harvest and reuse valid credentials and drive built-in administrative tools rather than malware, which helps them avoid detection. This tactic is known as Living off the Land (abbreviated LOL, also written LOTL) and is hard to detect precisely because it relies on legitimate, built-in functionality that blends into normal user and administrator activity.
To detect lateral movement, a security strategy needs to identify anomalies in user authentication behavior (for example, an account logging on to systems it has never touched before, or a single source connecting to many hosts in a short time) and to recognize an excess of authentication failures accumulating over time. Exploitation of server-side vulnerabilities should also be watched for, such as a zero-day that lets an attacker execute code remotely on an internal host.
Detecting Lateral Movement With Blumira
Blumira's platform distinguishes between what we call 'suspects' and 'threats,' separating ambiguous LOL-style behavior from activity that is immediately recognized as malicious.
A suspect is a finding that can't be verified as a threat for lack of information; it requires further investigation or additional context from the customer to decide whether it should be escalated. A threat is an event that poses an immediate and real threat to the security of data or resources, detected with a very high level of confidence.
Both types of findings should be validated using workflows (also known as playbooks, which walk you through the actions to take in response) for incident management, together with security orchestration, automation and response (SOAR)-like functionality for containing the threat or suspect.
There are a few types of detection rules Blumira uses to send prioritized alerts to your team on early indications of possible lateral movement:
BlueKeep RDP Exploit
In this detection, Blumira identifies the BlueKeep Remote Desktop exploit (CVE-2019-0708) being run from a source IP against a destination IP over a given port. This may indicate that an attacker is using the publicly available BlueKeep proof of concept either to gain a foothold in your environment or to move laterally within it.
BlueKeep is a vulnerability in Microsoft Windows' Remote Desktop Protocol (RDP) that allows unauthenticated remote code execution; organizations can protect against it by applying the available security updates. See our other recommendations for securing and properly configuring RDP connections in Detecting RDP Attacks With Honeypots.
Honeypot Access Attempts
By setting up a honeypot (a fake login page for a fake system that no legitimate user has any reason to touch), you can detect attacker login attempts and lateral movement through alerts from Blumira's platform. In the screenshot below, you can see an example of a detected honeypot access attempt and the threat analysis, categorized as a Priority 1 threat (we recommend an organization respond immediately).
Blumira's platform provides playbooks for how to respond, written by our incident response engineers and security analysts, that walk you through next steps. In this case, we give pointers on immediate response procedures, including how to quarantine devices and contain the attack.
We also list all matched evidence below the finding to support further investigation, saving your team the time it would take to gather the relevant data and enabling a faster response.
Failed SSH Login Attempts
This detection fires when a user from a particular source IP repeatedly fails to authenticate over SSH to an internal Linux server. That can indicate a brute-force attack from a compromised machine, or simply a forgotten password, so we recommend correlating the failed SSH attempts with the source user, and with any subsequent successful login from the same source, before escalating.
Password Spraying
Password spraying is when an attacker tries to authenticate to your network or applications using a single password (or a short list of common ones) against a large number of usernames. Because each account sees only one or two attempts, the attacker stays below per-account lockout thresholds and the detections tuned to them. It is also effective at discovering weak passwords in use, which the attacker can then leverage for lateral movement throughout your environment.
In this detection, Blumira has identified password spraying attacks against a set of users and provides a workflow to help you block the source IP of the attack and immediately protect against further attempts.
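As an added example (this is not Blumira's detection logic, nor code from the original post), here is how the failed-SSH-login and password-spraying rules above, plus the "excess of authentication failures over time" check described earlier, can be expressed over a handful of constructed sshd log lines. The sample log, the host name web01, the year used to complete the syslog timestamps, and all thresholds and windows are assumptions chosen for illustration; tune them to your environment. A third rule flags a successful login that follows a burst of failures from the same source, which is the case worth escalating first, while a single failure followed by success (the forgotten-password case) stays quiet.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd lines (not from any real system). Syslog timestamps
# carry no year, so parse_sshd() takes one as a parameter (assumed 2024 below).
SAMPLE_LOG = """\
Mar  4 10:00:01 web01 sshd[2101]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2
Mar  4 10:00:04 web01 sshd[2103]: Failed password for root from 10.0.0.5 port 51235 ssh2
Mar  4 10:00:07 web01 sshd[2105]: Failed password for bob from 10.0.0.5 port 51236 ssh2
Mar  4 10:00:10 web01 sshd[2107]: Failed password for alice from 10.0.0.5 port 51237 ssh2
Mar  4 10:00:13 web01 sshd[2109]: Failed password for carol from 10.0.0.5 port 51238 ssh2
Mar  4 10:00:16 web01 sshd[2111]: Failed password for dave from 10.0.0.5 port 51239 ssh2
Mar  4 10:05:00 web01 sshd[2201]: Failed password for bob from 10.0.0.9 port 40001 ssh2
Mar  4 10:05:02 web01 sshd[2203]: Failed password for bob from 10.0.0.9 port 40002 ssh2
Mar  4 10:05:04 web01 sshd[2205]: Failed password for bob from 10.0.0.9 port 40003 ssh2
Mar  4 10:05:06 web01 sshd[2207]: Failed password for bob from 10.0.0.9 port 40004 ssh2
Mar  4 10:05:08 web01 sshd[2209]: Failed password for bob from 10.0.0.9 port 40005 ssh2
Mar  4 10:05:10 web01 sshd[2211]: Accepted password for bob from 10.0.0.9 port 40006 ssh2
Mar  4 10:30:00 web01 sshd[2301]: Failed password for alice from 192.168.1.20 port 55000 ssh2
Mar  4 10:30:20 web01 sshd[2303]: Accepted password for alice from 192.168.1.20 port 55001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd(log_text, year=2024):
    """Turn sshd syslog lines into time-sorted events: {ts, ok, user, ip}."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines other than auth results are ignored
        ts_text = " ".join(m["ts"].split())  # collapse "Mar  4" to "Mar 4"
        ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "ok": m["result"] == "Accepted",
                       "user": m["user"], "ip": m["ip"]})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """One source IP failing `threshold`+ times against one account within `window`."""
    recent = defaultdict(deque)  # (ip, user) -> timestamps of recent failures
    worst = {}
    for e in events:
        if e["ok"]:
            continue
        q = recent[(e["ip"], e["user"])]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            worst[(e["ip"], e["user"])] = max(worst.get((e["ip"], e["user"]), 0), len(q))
    return [{"type": "brute_force", "ip": ip, "user": u, "failures": n}
            for (ip, u), n in worst.items()]


def detect_password_spray(events, min_users=5, window=timedelta(minutes=5)):
    """One source IP whose failures touch `min_users`+ distinct accounts within `window`.
    Per-account counts stay low, so a brute-force rule alone would miss this."""
    recent = defaultdict(deque)  # ip -> (ts, user) of recent failures
    sprayed = {}
    for e in events:
        if e["ok"]:
            continue
        q = recent[e["ip"]]
        q.append((e["ts"], e["user"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_users:
            sprayed[e["ip"]] = sprayed.get(e["ip"], set()) | users
    return [{"type": "password_spray", "ip": ip, "users": sorted(us)}
            for ip, us in sprayed.items()]


def detect_success_after_failures(events, min_failures=3, window=timedelta(minutes=10)):
    """A successful login preceded by `min_failures`+ failures for the same (ip, user)
    within `window`: the guessing apparently worked. Escalate these first."""
    fails = defaultdict(deque)
    findings = []
    for e in events:
        q = fails[(e["ip"], e["user"])]
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if e["ok"]:
            if len(q) >= min_failures:
                findings.append({"type": "success_after_failures", "ip": e["ip"],
                                 "user": e["user"], "prior_failures": len(q)})
            q.clear()
        else:
            q.append(e["ts"])
    return findings


def run_all(log_text):
    ev = parse_sshd(log_text)
    return detect_brute_force(ev) + detect_password_spray(ev) + detect_success_after_failures(ev)


if __name__ == "__main__":
    for f in run_all(SAMPLE_LOG):
        print(f)
```

On the constructed sample, 10.0.0.5 is reported as a password spray (six accounts, one attempt each), 10.0.0.9 is reported both as brute force against bob and as a success after five failures, and 192.168.1.20 (one failure, then success) produces nothing, which is the forgotten-password case the rule above warns about. In production you would feed the same three rules from your log pipeline and correlate the source IP with the user and host, as the SSH detection recommends.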
Null Session Detections
A null session is an anonymous, unauthenticated connection to a Windows host, a legacy SMB feature (an anonymous logon to the IPC$ share) that, when left enabled, lets attackers enumerate users, groups, shares and other details about your systems.
Blumira's platform can detect null session activity (often used to gather information prior to an attack) and null session attacks carried out with known hacking tools. We also provide guidance on disabling null sessions in your environment to remove this avenue for attacker reconnaissance, discovery and lateral movement.