How lateral-moving attackers blend into the noise of your network

As lateral movement continues, industry pros call for MFA and zero-trust access.
article cover

Metamorworks/Getty Images

· 3 min read

Organizations are noticing some movement—lateral movement—and the machine-to-machine machinations are getting increasingly innovative, according to VMware researchers.

The stealthy traversal of attackers within networks, highlighted in a recent VMware report, is leading to calls for stronger, zero-trust-ier access controls.

“The tactic is now ‘I’m going to try to live within the common noise of your network in order to obfuscate my ability to be detected,’” Chad Skipper, global security technologist at VMware, told IT Brew.

Their move: That noise of the network: the usual system administrator activity, including legitimate functions like the automation tool PowerShell or Remote Desktop Protocol (RDP), which allows admins to troubleshoot and enable access to those working from home.

RDP is the main protocol that attackers are deploying in their lateral efforts, according to Skipper: “They’re using it just like network administrators to remotely log on to other systems. And that’s becoming very difficult: to detect an anomalous RDP session out of thousands, millions a day.”

The worldwide WannaCry ransomware attack in 2017 used the taskse.exe trojan to initiate RDP and execute malware on multiple sessions.

Contexa, VMware’s cloud-based threat-intelligence tool, found that in April and May of this year alone, nearly half of detected intrusions contained a lateral-movement event, with most involving the use of remote-access tools like RDP or PsExec.

VMware defines lateral movement as “a tactic in which an attacker compromises or gains control of one asset within a network and then moves on from that device to others within the same network.” An attacker moving laterally likely wants to find valuable data to exfiltrate it or encrypt it for ransomware.

Top insights for IT pros

From cybersecurity and big data to software development and gaming, IT Brew delivers the latest news and analysis of trends shaping the IT industry, like only The Brew can.

And lateral movers have become increasingly sophisticated in their ability to wait and impersonate, do some recon, and compromise business-communication platforms, according to Rick McElroy, principal cybersecurity strategist at VMWare Carbon Black.

“I start to understand who communicates with who; I live in those inboxes,” McElroy said, imitating the threat actor. “And then I can…laser focus on these two people that I know are people who have keys to the kingdom, and I can spearphish them and then get them to do something like give me multifactor authentication.”

One recent example of lateral-movement compromise: After gaining control of a Cisco employee’s credentials via the victim’s browser, an attacker conducted sophisticated voice phishing attacks, posing as trusted organizations and attempting to convince the victim to accept multifactor authentication push-notifications.

Your move: To provide some defense against the lateral, Allie Mellen, senior analyst at Forrester, recommends “zero trust” policies, which the consultancy defines as an information-security model that “denies access to applications and data by default.” Along with leveraging additional defenses like multifactor authentication, Mellen advises “least privilege” access on individual machines.

Such practices, however, are just a few moves compared to an attacker who has plenty of their own. “The innovation in lateral movement from the adversaries and the change and their techniques, tactics and procedures have made the opportunities for defenders very hard to put in place,” said McElroy.—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @BillyHurls on Twitter.

Top insights for IT pros

From cybersecurity and big data to software development and gaming, IT Brew delivers the latest news and analysis of trends shaping the IT industry, like only The Brew can.