
Lateral movement attacks involve moving ‘sideways’ from one device, application, or account to another within a network. Once an attacker gains unauthorized access to an organization’s network, lateral movement allows them to move stealthily and undetected towards their goal, whether that’s data theft, a ransomware attack, or other malicious activities. 

These attacks can be challenging to detect because they often start with stolen credentials and appear as normal network traffic. Attackers can then collect information and escalate their access and privileges, making detection even more difficult.

Organizations need to detect and remove intruders quickly to prevent data loss and minimize the impact of lateral movement attacks.

How do lateral movement attacks work?

A lateral movement attack typically starts with three stages.

  1. Reconnaissance: The attacker observes and maps the target network. They gather information about users, devices, operating systems, and potential vulnerabilities. 

  2. Credential theft: Obtaining valid login credentials to move through the network is a key step. Attackers may trick users into sharing credentials through social engineering, using keylogging tools to steal credentials directly, or even purchase already-stolen passwords from a dark web marketplace.

  3. Gaining initial access: Once the attacker has access to legitimate credentials, they can simply log into the network. They repeat the process of reconnaissance once within the network to plan how to move laterally towards their target. The goal from here is to keep moving and gain further access and privileges. 

Real-life case: U.S. State Government breach

A recent real-life example of a lateral movement attack involved a U.S. State Government organization's network being compromised using a former employee's leaked credentials. The attacker successfully authenticated into an internal virtual private network (VPN) using the ex-employee's credentials.

From there, they gained access to a virtual machine and blended in with legitimate traffic to avoid detection. The attacker then escalated their privileges by accessing a separate administrator account and exfiltrated sensitive data.

Lateral movement played a crucial role in this attack, as the attacker was able to evade detection and expand their access into more systems. Once inside the network, the attacker used the compromised virtual machine to access a set of credentials stored in a virtualized SharePoint server.

These credentials had administrative privileges to both the on-premises network and the Azure Active Directory.

With these additional credentials, the attacker was able to explore the victim's on-premises environment and execute queries against a domain controller.

Why are compromised credentials key for hackers? 

Credentials and passwords play a crucial role in lateral movement attacks. Attackers aim to get hold of valid login credentials, as this means they can access an organization’s system without raising any alerts or suspicion.

It’s this initial foothold that gives them the chance to explore the network, access sensitive data, compromise additional hosts, and escalate their privileges.

Stolen credentials provide attackers with their platform for persistence and long-term access to the network. Once inside, they can impersonate legitimate users, gain administrative access, and move laterally to other systems.

This persistence allows them to maintain control, continue their activities, and carry out further attacks over an extended period.

Interested to know how many of your end users are using breached passwords right now? Run a read-only scan of your Active Directory with our free auditing tool: Specops Password Auditor

How attackers steal credentials 

Attackers have various techniques and tools for stealing passwords. Here are four popular methods.

Social engineering: There are several social engineering techniques hackers can use to steal credentials, such as phishing or typosquatting. The goal is always to trick users into willingly sharing their passwords.

Keyloggers: Attackers deploy keylogger programs through phishing emails containing malicious links or infected files. Once installed on a victim's device, keyloggers record every keystroke made and send that information to the attacker. This includes passwords and login credentials.

Pass-the-ticket: After using tools like Mimikatz to extract Kerberos authentication tickets, attackers can authenticate without needing a user's password. In a pass-the-ticket attack, malicious actors intercept and reuse Kerberos tickets to impersonate a legitimate user. 

Pass-the-hash: Attackers can capture an authenticated hash of a password and use it to log in to local and remote devices, as well as virtual machines. This gives them unauthorized access to systems without needing to decrypt the hash. 

How to defend your organization 

There are several steps organizations can take to reduce the likelihood of being the victim of a lateral movement attack:

  • Implement strong password policies. For example, encourage end users to create random passphrases over 15 characters in length

  • Enforce multi-factor authentication for all user accounts

  • Regularly update and patch systems and software to eliminate vulnerabilities

  • Provide security awareness training to educate employees about phishing attacks and social engineering tactics

  • Monitor network traffic and use intrusion detection and prevention systems to detect and block suspicious activity, and analyze logs for signs of lateral movement

  • Use threat hunting techniques to proactively search for hidden threats 

  • Implement network segmentation to limit the lateral movement capabilities of attackers

  • Have an incident response plan in place to quickly detect, investigate, and remediate any potential breaches

Secure your Active Directory against compromised credentials

One of the most important steps you can take against lateral movement attacks is to check your Active Directory for known compromised credentials. Specops Password Policy with Breached Password Protection runs daily checks of your Active Directory against our database of over 4 billion compromised passwords.

This includes passwords from known leaks, our real-time attack monitoring system that monitors live brute force attacks, plus malware-stolen data from our human-led Threat Intelligence team. 

Compromised credentials are golden opportunities for hackers – so take away their favorite attack routes.

Get in touch and speak to a Specops Software expert about enhancing your password security.

Sponsored and written by Specops Software.
