Why Malicious Threat Actors Use Lateral Movement

Malicious threat actors generally have one primary goal in mind, and it can vary from one hacker to the next. Some reasons why cybercriminals use lateral movement to gain access to a network include:

• Accessing a developer's work device to steal intellectual data, such as a project's source code
• Reading an executive's emails for company information to manipulate the stock market or steal banking information
• Obtaining credentials or escalating privileges
• Stealing customer data from the server responsible for hosting payment card information (PCI)
• Gaining access to some other type of asset or payload

Regardless of the reason, a bad actor's main objective is to compromise the system and move through a network that contains what they want.

3 Crucial Stages of Lateral Movement That Threat Actors Exploit

There are three stages of lateral movement used in most cyberattacks:

1. Reconnaissance. During this initial stage, the attacker explores and maps the business’s network, devices, and users. They use this stage to get to know the company’s network hierarchies, host naming conventions, various operating systems, location of potential payloads, and further intelligence to make any additional moves throughout the system.
2. Credential dumping and privilege gathering. To move through any network with minimal-to-no-detection, a threat actor needs valid login credentials. The commonly used term for illegally obtaining network credentials is “credential dumpling.” One way cybercriminals do this is by fooling users into sharing their credentials via phishing attacks and typosquatting.
3. Gaining access to other communication and computing points in the network. Once inside the network, the attacker can repeat the process, bypassing security controls to thwart and compromise successive devices until ultimately detected and stopped.

What Lateral Movement Does for a Threat Actor During a Cyberattack

Lateral movement gives the threat actor the ability to avoid detection and response by a company's security teams. With this free movement throughout a network and lack of detection, they can retain access, even if the IT team recorded the system's or machine's initial infection.

Lateral movement allows an extended dwell time for the threat actor, allowing them access to a system for weeks or months after the initial breach. It is a trap that gives the company's detection and response team a false sense of security, causing everyone to let their guard down, leaving the system open to data theft.

The Best Defenses Against Lateral Movement

Lateral movement manifests and presents as obvious, anomalous network activity, making it suspicious to vigilant IT teams right away.

For instance, if a device or computer that usually communicates with a select few other devices and their users starts randomly scanning the network, it is time to take note and prepare to respond. Any activity out of the norm is worthy of a response. Even if it is not a clear lateral movement scenario, it is better to investigate and dismiss it as an organic aberration in the course of business than taking the risk of letting it pass.

It is difficult for cybersecurity teams to do this while performing core business and other daily activities. They need a reliable and dynamic application that monitors how their network applications communicate, allowing them to provide vulnerability exposure insights.

With all the necessary observations and information, the application takes control of container software, for example, as well as bare-metal and virtual machines to provide network security to stop threat actors before they gain access, preventing them from lateral movement and administrative privileges.