Lateral movement is a type of computer network activity in which an actor moves, without authorization, across a network from one computer system to another. Attackers commonly use it once one computer is compromised to gain access to further systems or network segments and to traverse the network further. Lateral movement can cover a variety of activities, such as authenticating to an already compromised system, running local exploits or developing new ones, increasing privileges, and proxying network connections.

Lateral movement is often accomplished through two common methods: pass-the-hash and pass-the-ticket. Pass-the-hash is an attack in which an attacker captures the hash value for a user’s password (usually through a phishing attack) and uses it to authenticate to other systems on the network. Pass-the-ticket is an attack in which the attacker captures the user’s Kerberos ticket-granting ticket (TGT) and uses it to authenticate to other systems on the network.

Common lateral movement methods also include remote execution of code, file manipulation, task creation, WMI manipulation, and service manipulation. Lateral movement techniques vary depending on the security posture of the target network, but all attempts to discover and move laterally across a target network require some type of reconnaissance. Once a foothold is established, it is possible to move into sensitive systems and steal sensitive data or launch additional attacks. As such, lateral movement is a key focus of network security monitoring, and it is a stage at which an attack can be identified and responded to.

Defending against lateral movement requires a comprehensive security approach, including multifactor authentication, segmentation of privileged accounts, secure patching, and monitoring of lateral movement attempts by using advanced analytics and threat intelligence. Companies should be sure to audit all system activity for suspicious behavior and to look for commonly used malicious attack vectors within their environment.
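
One way to implement the monitoring described above, as an added example that is not part of the original page: it flags an account that authenticates from one source host to many distinct destinations in a short time. The log format, host and account names, the 10-minute window and the threshold of four hosts are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of network-logon records (not real data):
# timestamp, source host, account, destination host
SAMPLE_LOGONS = """\
2024-05-01T09:00:05 ws-017 alice fs-01
2024-05-01T09:40:12 ws-017 alice mail-01
2024-05-01T10:02:00 ws-042 svc-backup db-01
2024-05-01T10:02:40 ws-042 svc-backup db-02
2024-05-01T10:03:15 ws-042 svc-backup fs-01
2024-05-01T10:04:30 ws-042 svc-backup hr-01
2024-05-01T10:05:10 ws-042 svc-backup db-01
2024-05-01T13:15:00 ws-017 alice fs-01
"""

def parse_logons(text):
    """Yield (time, source, account, destination) tuples from the sample format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, account, dst = line.split()
        yield datetime.fromisoformat(ts), src, account, dst

def find_fanout(events, window=timedelta(minutes=10), threshold=4):
    """Flag (source, account) pairs reaching `threshold` distinct hosts within `window`."""
    recent = defaultdict(list)  # (source, account) -> [(time, destination)]
    alerts = {}                 # first alert per (source, account)
    for ts, src, account, dst in sorted(events):
        key = (src, account)
        # Drop logons that fell out of the sliding window, then add this one.
        recent[key] = [(t, d) for t, d in recent[key] if ts - t <= window]
        recent[key].append((ts, dst))
        hosts = {d for _, d in recent[key]}
        if len(hosts) >= threshold and key not in alerts:
            alerts[key] = (ts, sorted(hosts))
    return alerts

if __name__ == "__main__":
    for (src, account), (ts, hosts) in find_fanout(parse_logons(SAMPLE_LOGONS)).items():
        print(f"{ts.isoformat()} {account} from {src} reached "
              f"{len(hosts)} hosts: {', '.join(hosts)}")
```

Accounts with a legitimately wide reach, such as backup or management tooling, will trip this rule, so the threshold and any allow-list need tuning against a baseline of normal activity.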
