Information Security

Lateral Movement attack Review

What is Lateral Movement attack?

For those are not familiar with Lateral Movement attack, it normally an attack that related to cyberattack techniques that used whenever they successfully gain initial access in order to go deeper within the network. The main purpose to look into any sensitive data and any high-value assets that the server holds.

In order to avoid detection and retain access, the lateral movement will allows the threat actor to infected the machine where it’s hard to detect on another infected machine because it will be discovered on the first machine been infected.

Phishing attack or malware infection can be done to gain initial access to an endpoint device where the attacker will try to fool the device such as impersonates a privileged user/legitimate user and infected another system via the internal network.

List of Method and Technique used by attackers

  1. Reconnaissance

On this phrase, the attacker will gather information on the system and network and the attackers will also observe the network traffic especially users and devices.

Normally, they will need to analysis and try to understand the network and server infrastructure where the information such as host naming conventions and network hierarchies and clarify the operating systems that the victim is using.

Once the attacker gains a full understanding of the infrastructure, they will create malware or trojan to penetrate into the firewalls and any other protection that the organization or victim used.

The tools that they will use for this activity would be something as follows:

  1. Netstat
  2. Ipconfig/Ifconfig
  3. ARP Cache
  4. Powershell
  5. Local Routing

2. Privilge Escalation

For the attacker to compromise the network or system, they will go through to access it via valid login credentials. There’s a lot of ways to obtain credentials such as social engineering and crack the password which it will take some time to crack it.

Aside to social engineering and cracking, there is a few more method that the attacker will use as follows:

  • Pass the Hash 
  • Pass the Ticket 
  • Tools like Mimikatz 
  • Keylogging tools 

Recommendation for Lateral Movement attacks

For the organisation to minimize the damage of lateral movement, there is a few recommendations that can be followed as mention below:

  • The system administrator will have to enforce to all organisation’s staff used to be configured as standard users account. Aside from that, all applications admin will have to log in to the system or application with their standard accounts as normal practice.
  • A normal user should be granted to access to the system, applications or data without the permission of the administration or top management.
  • The application will need to be monitor via log where the system administrator will aware of any malicious attempts been made to the system.
  • Nowadays, Multi-Factor Authentication is a must within an internal system, application and data in order to restrict access based on the risk associated with system and activity. However, this will lead to frustrating users and annoying users but for this should be implemented for the system’s security.
  • An organization will need to implement a very solid Password Policy Management where it requires to follow best practice.
  • An organization should be implementing Threat and Advanced behaviour Monitoring including user behaviour so that the result will come out very accurate and easy to detect on the compromised account activity