Identifying Lateral Movement on Your Device Network

Modern businesses face a barrage of cyber threats from malicious actors seeking to gain unauthorized access. But sometimes, the cyberattack is coming from inside the network.

Threat actors don’t always launch an attack when they gain access to a victim’s network; they sometimes lie in wait, moving laterally around the network. Maybe they failed to compromise a user or system with privileged access. Or, perhaps they want to locate sensitive information they can exfiltrate.

Threat actors often use lateral movement to explore and expand control over the network, often by compromising additional systems, escalating privileges, or stealing sensitive data. The challenge for security and IT teams is lateral movement can involve multiple stages and methods, making it challenging to spot and detect. This is further compounded when organizations have a broad, diverse attack surface comprising traditional IT and connected devices.

What is Lateral Movement, and How Does it Work?

Lateral movement is a technique used by threat actors to navigate across a device network after gaining initial access. A threat actor can gain initial access to a network in multiple ways: bypassing security measures, exploiting software vulnerabilities, or compromising internet-exposed IoT devices. Once inside, the goals are to establish persistence, find valuable data, such as intellectual property, or elevate their access to have more control. After all, threat actors can’t attempt to extort a business without data or access to use as leverage.

To obfuscate themselves, threat actors use stolen credentials to mimic legitimate users and mask malicious activity from security or IT teams. Threat actors traverse different operating and remote systems using tools native to the network (called living off the land or LOTL), like Remote Desktop, PowerShell, or Active Directory, which can appear as normal network traffic. According to the 2024 IBM X-Force report, 80% of attacks use Active Directory to perform lateral movement and privilege escalation.

While lateral movement is tricky to spot, there are some key indicators:

• Unusual activities on user accounts that don’t align with normal behaviors.
• Unauthorized access to domain controllers or attempts to escalate privileges.
• Suspicious activities that involve legitimate tools for illegitimate purposes, e.g., using PowerShell commands to connect to other machines on the network using remote commands.
• Usual network traffic can indicate IoT device security risks, including sudden data transfer rates, unusual protocols, or connections.

Implementing targeted network segmentation and leveraging machine learning to identify anomalies can make it easier to spot indicators of lateral movement early on. Monitoring connected device security can help detect threats before they escalate into full-blown persistent threats.

Stages of Lateral Movement

Security teams can better safeguard their device network by understanding the common stages and indicators of lateral movement. This is especially important in environments with a vast array of connected devices, as they can quickly create an expansive attack surface that is challenging to monitor.

1. Initial Access and Reconnaissance

While lateral movement encompasses the activities a threat actor takes once they are inside the network, the first stage is gaining access. Common methods for initial access include brute-forcing security controls such as multi-factor authentication (MFA), exploiting critical vulnerabilities, or compromising IoT devices accessible via the public internet. When devices on a network are publicly accessible, they can be discovered by internet scanning tools, which threat actors use to identify targets.

Once inside the network, the threat actor may perform internal reconnaissance, scanning the network to find critical assets.

2. Credential Dumping and Privilege Escalation

Sometimes, threat actors have access to legitimate user credentials exposed in a public data breach. They may also trick users into clicking on a phishing link and inputting their username and password on a malicious website.

Other times, they wait until they have access to the network and use credential dumping to extract valid user credentials from memory, services, or files on the network. For example, threat actors can use tools like Mimikatz to extract Windows credentials from memory or check places where credentials are stored, such as the Local Security Authority Subsystem Service (LSASS) in Windows, or cached credentials stored for single sign-on (SSO) purposes.

After gaining initial access, the threat actor may start with the same low-level privileges of a regular user, limiting their ability to access sensitive data or more critical systems. To access more valuable assets, they often attempt to escalate their privileges and obtain administrator access.

To do this, they typically look for misconfigured permissions, access control lists, or service accounts that may allow low-privilege users to access higher-level commands or sensitive files. For example, the Mirai Botnet, which targeted IoT devices like routers and IP cameras, would scan the network and compromise other vulnerable IoT devices to infect as part of the bonnet.

3. Gaining Access and Persistence

The final stage of lateral movement sees the threat actor use the credentials and privileges they’ve obtained to access critical systems that had previously been outside their reach.

During this stage, the threat actor may attempt to connect to other devices on the network. This might include accessing domain controllers or other critical infrastructure components. The goal is to maintain persistent access and administrative privileges while avoiding detection.

Notably, in early 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory regarding threat actor Volt Typhoon targeting the networks of U.S. critical infrastructure services. Volt Typhoon used a combination of lateral movement and LOTL techniques to maintain persistent access and lie-in wait within the network.

What types of Cyberattacks Use Lateral Movement?

Lateral movement is a crucial element in sophisticated cyberattacks. It allows threat actors to navigate through a network to enhance their level of access and the impact of their attack. Some examples include:

• Ransomware: Ransomware attacks use lateral movement to quickly spread malware across the network, ensuring a broad impact and increasing the likelihood the business will pay a ransom demand to regain access to their data.
• Espionage (corporate or nation-state): Threat actors use lateral movement in espionage attacks to gather sensitive information or intellectual property. The goal is to remain undetected as they exfiltrate valuable data for prolonged periods.
• Data Exfiltration: Lateral movement in data exfiltration involves transitioning smoothly across multiple network segments to locate and extract high-value information. Data exfiltration attacks can also end in ransom demands where the threat actor threatens to release the information if a ransom is not paid.

Preventing and Detecting Lateral Movement

Security and IT teams should focus on preventing lateral movement where possible and quickly detecting it in the event that a sneaky threat actor worms their way inside the device network. As a best practice, teams should monitor for the telltale signs of lateral movement—usual logins or attempts to escalate account privileges, unexpected use of legitimate tools—but there are other steps they can take to further secure their network.

Modern businesses often have a sprawling attack surface of traditional and IoT devices. To best secure their device network, security teams should layer together key controls that help protect both traditional and connected devices.

1. Network Segmentation: If a threat actor gains access to your device network, you want to limit their ability to move around. Using targeted segmentation to divide your device network into smaller networks limits the exposure to potential threats and makes securing IoT devices easier based on exploit vectors.
2. Device Discovery and Inventory Management: A critical step for any security program is to create an inventory of all network-accessible devices. This foundational step provides insight into which IoT devices or systems are discoverable and identifies software or hardware vulnerabilities.
3. Monitor Network Traffic and Device Behavior: All devices on the network, especially IoT devices, should only communicate with well-known IP addresses in well-understood ways. Implementing continuous monitoring enables the detection and response to emerging threats in real-time. Both high-volume and low-and-slow exfiltration techniques should be detectable.
4. Robust Access Control Management: Access to the device network should be limited to only authorized personnel, and personnel should only have the level of access required for their jobs. Regular audits and monitoring of user accounts can help identify usual behavior.
5. Vulnerability Management and Patching: Both traditional IT and IoT devices should be monitored for critical vulnerabilities. Teams should prioritize reporting vulnerabilities that require immediate attention to minimize the greatest threats to the device network.
6. Implement Endpoint Protection and Harden Devices: Similar to network segmentation, hardening your devices involves disabling unnecessary services in IoT devices, e.g., SSH, and Telnet. This limits what external services and devices can communicate with your device network.

Employing these strategies not only disrupts potential persistent threats but also reinforces the integrity of your network.

How Asimily Helps Prevent and Detect Lateral Movement

Security teams have a lot on their plate. To facilitate the speed at which modern businesses operate, they support expansive device networks of traditional and IoT devices. They must also defend those same device networks against stealthy attacks like lateral movement— it can be challenging for any team.

By partnering with a security vendor with purpose-built IoT security software for monitoring and management, teams can help secure the totality of their device network. The Asimily platform is designed expressly with IoT devices in mind. Asimily’s inventory and vulnerability detection capabilities are built to monitor traffic to and from IoT equipment and proactively identify remediation steps, which are validated by real-world scenarios.

In the event of a cyberattack, our platform, with its rapid response features, quickly detects anomalous behavior in the network to aid incident responders. With Asimily, teams can keep a handle on their IoT attack surface and ensure they are as safe as possible, providing a sense of reassurance and security.

To learn more about Asimily, download our whitepaper, IoT Device Security in 2024: The High Cost of Doing Nothing, or contact us today.