Lateral movement is a cyberattack technique used by threat actors to navigate a network or environment in search of more valuable information after gaining initial access.
Wiz Experts Team
5 minutes read
What is lateral movement in cybersecurity?
Lateral movement in cybersecurity refers to the techniques that cyber attackers use to move through a network in search of key data and assets after gaining initial access. It involves navigating from the initial point of entry to other systems within the same environment to expand the breach's scope and control additional resources.
This tactic is commonly used in advanced persistent threats (APTs) where the attacker aims to remain undetected while escalating their privileges and accessing critical information or systems.
Lateral movement can involve a variety of methods, including:
Exploiting vulnerabilities: Taking advantage of security weaknesses on other systems within the network to gain unauthorized access.
Using legitimate credentials: Stealing or otherwise obtaining credentials of authorized users to access systems without raising alarms.
Pass-the-hash/token attacks: Using captured hash values of user passwords to authenticate to other services without needing the plain text password.
Installing backdoors: Creating secret entry points into systems and networks for continued access.
Common stages of lateral movement
Lateral movement isn't a one-and-done process. It typically involves three stages: reconnaissance, credential dumping or privilege escalation, and gaining access.
Reconnaissance
This is the first step in a lateral movement attack, and it's where attackers get a feel for the network. During the reconnaissance stage, threat actors look around, identifying potential targets and vulnerabilities within the network hierarchies. Cybercriminals might employ a variety of tools and techniques during this phase. Network scanners, such as Nmap or Nessus, are commonly used to map out the network's topology, identify active hosts, and discover open ports and services on various operating systems. These tools can provide a wealth of information about the network, including what software is being used and where potential weak points might exist.
In addition to network scanning, attackers might also engage in social-engineering tactics, such as phishing, to gather valuable information. Cyberattackers may also use web crawlers or spiders to gather information from public websites and social media platforms.
The goal of the reconnaissance phase is to gather as much information as possible to plan the next steps of the attack.
Once they've got the lay of the land, attackers move on to the next stage: acquiring higher-level privileges. This is often done by stealing credentials or exploiting system vulnerabilities. For example, cybercriminals might use a phishing attack, sending a seemingly innocent email that tricks users into entering their credentials on a fake login page. Or they might exploit a known software vulnerability, like a buffer overflow, to gain elevated privileges.
Gaining access
Now that they've got the access they need, attackers can get to the targeted systems or data. They might use their new privileges to get to sensitive data, for instance, by accessing a database using stolen credentials and running SQL queries to extract data. Or they might install malware, like a backdoor, that allows them to maintain a presence within the network and keep control of certain systems. At this stage, security teams need to be especially vigilant to detect any unusual activity such as unexpected remote connections during off-hours, unexplained data transfers, or repeated attempts to access resources that are not normally accessed by the compromised credentials.
By understanding the stages of lateral movement, we can better prepare defenses and respond more effectively when an attack occurs.
When we talk about lateral movement, it's crucial to understand that it can occur both in on-premises environments and in the cloud. However, the method of attack in these two environments can be quite different due to several factors:
Factor
Description
Identity access management (IAM)
In on-premises environments, IAM is often managed through centralized systems like Active Directory. This makes lateral movement a bit more straightforward for attackers once they've compromised a system. They can use the same set of credentials to move around. IAM can be more complex in the cloud due to the variety of services and resources that need to be managed. Unfortunately, complexity can create more opportunities for lateral movement as attackers can exploit misconfigurations or weak policies to gain access to different resources.
Deployments and configurations
On-premises environments often have a static configuration, which means that once attackers understand the network layout, they can plan their lateral movement strategy. On the other hand, cloud environments are dynamic and can change rapidly. The cloud’s dynamism can make lateral movement more challenging to detect as attackers can take advantage of the constantly changing environment to move around unnoticed.
Complex architecture
Cloud environments often have more complex architectures than on-premises environments. With services spread across different regions, availability zones, and VPCs, tracking lateral movement can be a challenge. In contrast, on-premises environments usually have a more straightforward architecture, making it easier to monitor for signs of lateral movement.
Lateral movement techniques in the cloud
Lateral movement in the cloud can take many forms, depending on the resources and services being used. Here are some common techniques:
Exploiting remote services
Attackers often exploit remote services like Secure Shell (SSH) or Remote Desktop Protocol (RDP) to move laterally in the cloud. For example, if an attacker gains access to an EC2 instance in AWS, they could use SSH to connect to other instances in the same network. Once inside the VPC, they can also search for additional remote services that can be exploited.
Abusing valid accounts
Attackers can also move laterally in the cloud by abusing valid accounts. If an attacker compromises a user's credentials, they could use those credentials to access cloud services that the user has permissions for.
Using worms
A kind of malware, worms are named for their ability to self-replicate and spread over a network. For example, in the cloud, a worm could move from one instance to another by exploiting vulnerabilities or weak security settings.
VPC peering
VPC peering forms a network bridge between two virtual private clouds (VPCs). The advantage of VPC peering is that users can route traffic via private IP addresses, but attackers exploit this connection to move laterally from one VPC to another.
Exploiting IaaS/PaaS databases
IaaS and PaaS databases are often used to store private and confidential information. When a threat actor gains access to these databases, they can extract sensitive data or even modify the data to cause disruption.
Exploiting vulnerabilities and misconfigurations
When looking for valuable assets, cybercriminals tend to target the most accessible or vulnerable resources within compromised virtual private clouds (VPCs). The perfect targets are usually vulnerable workloads, such as internal VMs that are accessible over the network, have critical RCE vulnerabilities, and lack stringent security-group rules.
These are only some of the common methods that threat actors may use for lateral movement in the cloud. There are more techniques, including carrying out lateral movement attacks from the cloud to Kubernetes. Understanding these techniques can help businesses develop effective strategies to pre-empt lateral movement.
Approximately 58% of cloud environments have at least one publicly exposed workload with a cleartext long-term cloud key stored in it, whereas about 35% of cloud environments feature at least one publicly exposed workload with a cleartext private SSH key.
Wiz Research Team
Tips to mitigate lateral movement attacks
Preventing lateral movement attacks involves a combination of good security practices and the right tools. Here are some tips:
Implement strict firewalls
Firewalls serve as a barrier to prevent unauthorized individuals from gaining access to your network. Make sure to configure strict firewall rules to allow only necessary traffic.
Remove cleartext cloud and private keys
Cleartext keys are an organization’s weakest point and a goldmine for adversaries. Because the exposed keys are visible to anyone—internal or external—who gains access to the source code, these keys can be used to gain access to even more parts of the system. To reduce risk, remove any cleartext cloud and private keys from all systems and use secure methods for key storage and transmission.
Adopt a private link
Private links can provide a secure connection between different parts of a network, reducing the risk of lateral movement.
Use network segmentation to isolate different parts of a network. This helps to constrict an attacker’s lateral movement abilities.
Remediate critical vulnerabilities
It's important to routinely scan systems for vulnerabilities and patch them immediately to avoid security breaches. Unpatched vulnerabilities can provide an easy path for lateral movement.
Pro tip
The above are just a few mitigation techniques that prevent some common lateral movement scenarios. Other lateral movement scenarios, like jumping from K8 clusters to the cloud require more advanced mitigation techniques.
How to prevent and detect lateral movement in your cloud environments
Because lateral movement attacks rely on stealth, they are by nature hard to spot. Nevertheless, the right strategies and the correct tools simplify the detection and prevention of lateral movement attacks .
Enter Wiz. Wiz is a cloud security solution that provides direct visibility into your cloud environment, prioritizes risks, and offers remediation guidance. It's designed to help development teams address risks in their own infrastructure and applications, allowing them to ship faster and more securely. Check out our demo to learn how Wiz can help you secure your cloud environments by identifying and putting a stop to lateral movement.
Trip up threat actors before they can move laterally
See for yourself why CISOs at the fastest growing companies choose Wiz to harden their cloud environment's internal defenses to stop lateral movement.
Shadow IT is an employee’s unauthorized use of IT services, applications, and resources that aren’t controlled by—or visible to—an organization’s IT department.
Vulnerability management involves continuously identifying, managing, and remediating vulnerabilities in IT environments, and is an integral part of any security program.
API security encompasses the strategies, procedures, and solutions employed to defend APIs against threats, vulnerabilities, and unauthorized intrusion.
In this post, we’ll explore some of the challenges that can complicate cloud data classification, along with the benefits that come with this crucial step—and how a DSPM tool can help make the entire process much simpler.