Imagine a thief breaking into an office building. He pries open a window, tumbles inside, and finds himself in a small room with a desk and file cabinets. The office building itself is vast. The room that the thief has landed in is just one of hundreds.
Is that thief going to limit his search for plunder to the single room he happens to be standing in? Of course not. He’s going to prowl around as much of the building as he can, searching for the most valuable items he can find without being caught.
Cybercriminals do the same thing. They use information on compromised computers to compromise and gain access to additional accounts and computers, a technique known as lateral movement.
What is network lateral movement?
Attackers gain access to a single endpoint and perpetrate whatever mischief they can on it. Then they go exploring, seeking to discover what other endpoints and systems that first endpoint or its user has access to.
They scan the compromised endpoint for credentials for applications and other endpoints. Using any credentials they find, they move stealthily from endpoint to endpoint, from device to device.
If their goal is to implant malware such as ransomware, they’ll probably do that on each endpoint they reach. If their goal is stealing information, they’ll likely keep a low profile and search for endpoints with any information they consider valuable. That information could be customer records, bank account information or intellectual property.
The extent of damage in an attack depends on how broadly the attacker can move around the network. Curtail lateral movement, and you will have greatly limited the damage that an attacker can do.
To limit lateral movement, it’s helpful to understand how it works.
Lateral movement depends on permissions for users, groups and endpoints
Let’s assume that an attacker has gained access to an endpoint, which might be a personal computer (PC), a Mac or a Linux server. Perhaps the employee in charge of that endpoint has clicked a phishing message and inadvertently downloaded malware. Or perhaps the attacker has used some stolen username or password combinations to gain access to the endpoint.
One way or another, the attacker has logged in and is now active on that initial endpoint. Where the attacker can go from there largely depends on the permissions available to the account that has been compromised.
How network lateral movement works
Let’s say that the attacker has gained access to Jim’s laptop and is logged in through Jim’s standard user account. Jim also has access to the admin account for his laptop, so the attacker uses Jim’s user account to log in as admin.
As an admin, the attacker has full control of Jim’s laptop. There’s a good chance that the admin account has permissions to access other endpoints, too, since IT organizations often create admin accounts that are shared across endpoints.
Now, using the admin account, the attacker can move from Jim’s laptop to Sarah’s desktop system. If Sarah is the member of a user group for other endpoints, the attacker can log in as Sarah and use that group permission to access all the endpoints accessible to that group.
If an attacker notices that Luis is logged in on one of those endpoints, the attacker might use malware to read Luis’s login credentials from the endpoint’s memory. Then the attacker can access any endpoint that Luis or any group that Luis belongs to can access. If Luis has permission to the Windows domain admin account, the attacker can use that account to access all the Windows computers in the company.
Account by account, endpoint by endpoint, attackers move across the network in this stealthy way. They might move slowly over many hours or days to avoid calling attention to their work. Or they could move more rapidly, hoping to traverse the network as far as possible before the IT organization detects their activity and takes action to stop them.
Best practices for preventing lateral movement
Since attackers depend on user and group permissions to move across networks, one of the best practices is to limit user and group permissions.
It’s important to understand which user and group permissions have already been established. Many IT organizations think they know how user and group permissions have been set up, but audits of actual permissions often reveal surprises.
For example, in one company, the default permissions configuration accidentally gave every user access to an admin account. Therefore every user was controlling all company endpoints.
So, double-check. Audit your user and group permissions so that you really understand what risks exist in your organization’s permissions settings.
Limiting user and group permissions
Next, limit user and group permissions as much as possible. Give users just the permissions they need to do their jobs. Limiting access to other users, groups and endpoints makes it much harder for attackers to move from account to account — even if they manage to take over an endpoint.
Think back to our example of a thief breaking into a building. If the thief found that most interior doors were locked and that elevators and stairwells required passcodes, the losses from the break-in would be minimized.
Restricting user and group permissions works the same way. Having taken over an endpoint, an attacker might think they’ve hit the jackpot, but once they discovered restricted permissions, they’ll soon realize they’ve hit a wall.
Lateral movement is an essential technique for cybercriminals. By monitoring and restricting permissions for users, groups, and endpoints, you can make that technique far less effective.
Learn more about how Tanium can help your organization defend against lateral movement in our previous post, 5 Ways Tanium Impact Helps Businesses Guard Against Lateral Movements in Cyberattacks.