Lateral movement cyberattacks are among the greatest threats cybersecurity teams face today. Whether a company's network exists primarily in the cloud, on-premises, or in a hybrid cloud environment, there are lateral movement attack techniques designed to exploit vulnerabilities unique to each environment. As organizations increasingly move to the cloud, sensitive data and critical assets may be stored in each of these environments, and considering them secure based on where they are stored is a potential recipe for disaster. In today's cybersecurity landscape, in spite of a vast array of security solutions, attackers will, at some point, successfully exploit vulnerabilities and compromise environments.

What Is a Lateral Movement Attack?

Lateral movement is the technique that a cyberattacker (or group of attackers) uses to progressively explore an internal network, with the goal of gaining unauthorized access to high-value assets. The "lateral" part of the name is in reference to the ability of the attacker to move between multiple devices and applications within a network, from on-prem to cloud or vice versa. This is also known as "east-west movement," where attackers are constantly hunting for more openings to exploit, frequently by using compromised user credentials.

Typical lateral movement techniques incorporate three phases: Recon (or Investigation), Credentials, and Access.

The Reconnaissance stage begins after the infiltrator has gained access, through malware, a phishing attack, or an exploit in the cloud. In this phase, the attacker moves methodically through the low-value systems they initially have access to, getting to know the security posture of the network, and logging potential points of access to users or applications with greater authority.

Credentials refers to the threat actor's milestones on their way to their ultimate goal, gathering user credentials with increasing degrees of access. The escalation of login credentials acquired is key to the success of an attack, as it both moves the actor closer to their prize and often provides them with a broader suite of options for disguising their presence. These options may include greater permissions, access to security controls, or remote access to more secure devices and network applications than they were able to penetrate previously.

Finally, in the Access phase, the attackers combine the understanding of network security configurations and security operations gained during the Recon phase with the variety of credentials they have collected to reach their goal. Frequently, a lateral movement attack results in a ransomware or data exfiltration scheme, like so many other cyberattacks.

A Nearly Undetectable Attack

What makes lateral movement attacks particularly challenging is how difficult they can be to detect. Lateral movement detection can be extremely tricky for a few reasons: for one, cyber attackers often take a deliberate, real-time, manual approach (versus leaning on automation) and are extremely careful to avoid tripping security protocols; secondly, the credentials they collect and utilize often give them a degree of cover from security screening and basic authentication checks; and lastly, the breadth and longevity of the attack make it difficult to know where to look for one, or if found, where and when an attack began or how far it has gotten.

Successful lateral movement infiltrations may take months and incorporate a vast attack surface. The point is to spread the attack "foothold" within the network as much as possible, both to increase the number of lateral movement path options and to provide failsafe fallbacks (back doors) to the attackers if any of their other access points are discovered or closed in a security update. To put it simply: they break into the house, and then open as many other doors and windows as possible so they can always get back in.

Lateral movement is a broad topic, so let's focus more specifically on vulnerabilities in on-premises, cloud, and hybrid environments.

Vulnerabilities in On-Premises Environments

On-premises (for example, data centers, corporate-owned servers, system components, and networking systems) environments are vulnerable to several lateral movement attacks, such as malware incursions, phishing attacks, or even brute-force penetration of endpoints. All of these routes give attackers their initial purchase in the network.

Once inside, the threat actors investigate the compromised network, disguise themselves as typical network traffic, and secure higher credentials.

These openings can be minimized by using next-generation firewalls, multi-factor authentication, and other traditional on-premises security tools. However, due to the attackers' ability to leverage valid credentials for greater access, it’s critical to require team members to frequently update user passwords and for security teams to monitor access lists and network traffic to keep these attacks at bay.

In a hybrid environment, though, on-premises is only half the equation; the more difficult access point for lateral movement (for both attackers and defenders) is the cloud.

Vulnerabilities in Cloud Environments

While seemingly a more difficult angle of attack, vulnerabilities in cloud environments can be exploited by threat actors just as thoroughly as — and in some cases cause more damage than — on-premises incursions.

A cloud-based lateral movement attack often begins in a publicly accessible application, such as AWS or another cloud API. These applications cannot simply be firewalled or protected by traditional cybersecurity means; on-prem compensating controls don't work in these environments. Through a misconfiguration, foothold credentials (basic, common admin credentials that provide read-only access to a swath of network information), or a brute force technique (combined with poor password security controls), attackers can find themselves with access to your cloud environment; and from there, thanks to the reach of the cloud and features such as Cross Account roles (credentials with access to multiple accounts on multiple environments), spread laterally across your environments and into an on-premises environment.

Lateral Movement Techniques: How Bad Agents Can Move From One Environment To Another

In a hybrid environment, cyber attackers will look for access to both cloud and on-premises servers to expand their foothold and discover multiple avenues to gain initial access to your environment. Ultimately, it comes down to credentials and creative attack paths and exploitation of the permissions and applications that those credentials can open.

Threat actors can move from on-premises to cloud environments and back using a few lateral movement techniques. One popular method is "pass-the-PRT" (Primary Refresh Token, a digital authentication badge), in which an attacker acquires a user's PRT through an endpoint device and uses it to authorize their remote access as that user in nearly any environment. Other types of environment-jumping attacks (known as "north-south" movement) essentially follow that basic structure: penetrate the on-premises or cloud network, access cross-environment credentials, move to the next environment, access more of the compromised network and gain greater credentials, and repeat until high-value assets are discovered.

These cross-environment attacks can be thwarted through advanced network segmentation of servers; in other words, limiting the points of access from one environment to another to very specific, highly-monitored paths and accounts. That way it's both harder for an attacker to find the specific credentials necessary for unauthorized access, and if a cross-environment incursion is detected, security teams know where to look.
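As an added illustration of this principle (example code written for this article, not Mitiga's tooling), the check below replays constructed on-prem and cloud audit events against a constructed allowlist of approved cross-environment paths and flags any identity that crosses between environments outside those paths; the event fields, host names and principal names are assumptions.

```python
"""Flag cross-environment activity that bypasses the approved, monitored paths.

Added example; events, hosts and the allowlist are constructed for illustration
and the normalised field names are assumptions, not a real product's schema.
"""
from datetime import datetime, timedelta

# Constructed audit events merged from on-prem (e.g. domain logons) and cloud
# (e.g. role assumptions) into one normalised shape, sorted later by timestamp.
EVENTS = [
    {"ts": "2024-11-12T09:00:00", "env": "onprem", "principal": "alice",  "source": "ws-101"},
    {"ts": "2024-11-12T09:04:00", "env": "cloud",  "principal": "alice",  "source": "jump-01"},
    {"ts": "2024-11-12T10:00:00", "env": "onprem", "principal": "bob",    "source": "ws-202"},
    {"ts": "2024-11-12T10:02:00", "env": "cloud",  "principal": "bob",    "source": "ws-202"},
    {"ts": "2024-11-12T11:00:00", "env": "cloud",  "principal": "svc-ci", "source": "ci-runner"},
    {"ts": "2024-11-12T11:10:00", "env": "onprem", "principal": "svc-ci", "source": "ci-runner"},
    {"ts": "2024-11-12T14:00:00", "env": "onprem", "principal": "carol",  "source": "ws-303"},
    {"ts": "2024-11-12T14:05:00", "env": "cloud",  "principal": "carol",  "source": "ws-303"},
]

# Segmentation policy (constructed): which principals may cross environments,
# and only from which sources. Every other crossing is a finding.
CROSS_ENV_ALLOWLIST = {
    "alice": {"jump-01"},   # admins must go through the monitored jump host
    "carol": {"jump-01"},
}

WINDOW = timedelta(minutes=30)  # two events this close are treated as one move


def find_cross_env_moves(events, allowlist, window=WINDOW):
    """Return findings for principals seen in both environments within `window`
    that are either not allowlisted or not using one of their approved sources."""
    by_principal = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_principal.setdefault(ev["principal"], []).append(ev)
    findings = []
    for principal, evs in by_principal.items():
        for prev, cur in zip(evs, evs[1:]):
            if prev["env"] == cur["env"]:
                continue  # stayed in one environment: not a crossing
            gap = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
            if gap > window:
                continue  # too far apart to treat as a single movement
            approved = allowlist.get(principal, set())
            if cur["source"] in approved:
                continue  # crossed via the approved, monitored path
            findings.append({
                "principal": principal, "from": prev["env"], "to": cur["env"],
                "source": cur["source"], "at": cur["ts"],
                "reason": "unapproved source" if approved else "not allowlisted",
            })
    return findings
```

Run against the constructed events, bob (never allowlisted), svc-ci (never allowlisted) and carol (allowlisted, but crossing from her workstation instead of the jump host) are flagged, while alice's crossing through the jump host is not.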

The Dangers of Lateral Movement Attacks in a Hybrid Environment

Lateral movement is a significant threat in today's cybersecurity landscape. It is often employed by advanced teams of multiple threat actors working together and collaborating on the dark web; these cybercriminals open many potential entry points and gain deep network access (whether it's on-prem, cloud, or hybrid). In some cases, cyberattackers gain initial entry into an environment and then sell that access to others. Whether the goal is espionage, ransomware, or extortion, the attackers are collaborating to exploit whatever vulnerabilities they can find.

The risk of lateral movement attempts is clear, and something important to consider as more workloads move to the cloud. To increase security, it's important to evaluate security across the board, taking into consideration the requirements for both on-premises security and cloud security. Reviewing how these environments work together is another critical step for any organization seeking to increase its readiness for cyberattacks.

A few security measures and key steps to take in on-prem environments:

  • Keep data center security controls up to date
  • Require frequent password changes and enforce password complexity requirements
  • Set up multi-factor authentication for all users in an environment

In cloud environments, follow these steps to increase security:

  • Use Single Sign-On (SSO) as much as possible
  • Require complex passwords that are regularly updated
  • Review how secrets are stored and change them if there's suspicious activity or a suspected incident
  • Check for misconfigurations in databases, S3 buckets, Azure Blobs, and Google Storage

Regardless of the environment, check for critical vulnerabilities and remediate them as quickly as possible. Lastly, segment cloud and on-prem environments to make cross-environment access as difficult as possible for attackers.

Readiness is essential to preparing for and stopping cyberattacks, whether they occur in on-prem, hybrid, or cloud environments. Assume that your organization will be attacked; don't wait for it to happen. The time you spend now getting ready for the possibility of an attack involving lateral movement across your environments will increase your resilience before an incident and reduce the severity of impact if or when attackers gain access.


LAST UPDATED: November 12, 2024
