The term Lateral Movement refers to the technique by which cybercriminals move around a network once they have gained access to it.
The attacker, through malware or phishing, first tries to gain access to a computer system, but this is only the beginning of his work. Once he gets hold of the credentials of an authorized user, he begins to move deeper and deeper into the network, accessing different resources.
Moving in this way, always connected and disguised as an authorized user, he is able to obtain further privileges by traveling through the compromised system from one resource to another with various remote access tools. Bear in mind that every network has access points that are more vulnerable than others, so the attacker only needs to discover one: once inside, Lateral Movement lets him reach even those areas that are inaccessible from the outside.
Whatever the goal, the cybercriminal knows how to exploit vulnerabilities well enough to reach practically anywhere, and therefore represents a serious threat for security officers, who must direct their efforts to searching for the warning signs that identify an intruder in the network.
How a Lateral Movement attack works.
An attack of this type generally begins with a phase of reconnaissance and information gathering on the target, which reveals the structure of the network to be attacked and everything useful for moving within it. Credentials are then needed: to obtain them, criminals often use phishing and social engineering techniques designed to make users share this confidential information.
Having credentials and privileges then allows the attacker to move within the systems, moving sideways between different devices, applications and accounts and bypassing security controls until he is identified. Thanks to Lateral Movement, an attacker is in fact difficult to identify and can remain within the compromised system even for very long periods, even after the security officers have identified an intrusion and the entry point.
How to identify the Lateral Movement.
This type of attack is detected by identifying visible but anomalous actions performed by network devices. In practice, anything that goes beyond normal activity should arouse suspicion and be thoroughly investigated. Think, for example, of a machine that suddenly begins to communicate with many devices with which it has never communicated before.
However, identifying this kind of anomaly is not easy, because systems are too often clogged with false security alerts, so much so that operators, perhaps even poorly trained ones, risk not taking them into account. These are mostly minor alerts that rarely indicate an attack actually in progress, and are therefore ultimately underestimated.
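The "machine that suddenly talks to many new devices" signal described above can be turned into a concrete check. The following is an added example, not code from the original article: it learns each host's normal set of peers from a baseline period of flow records, then reports hosts that reach at least a threshold number of previously unseen peers in the observation window. The flow records, IP addresses and ports are constructed sample data, and the threshold is what keeps a single unusual connection from becoming yet another low-value alert of the kind the paragraph above warns about.

```python
"""Flag hosts that suddenly fan out to many peers they never contacted before.

Added example, not from the original article. Input is a constructed flow log
with one record per line: "<ISO timestamp> <src> <dst> <dst_port>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow log (addresses and ports are illustrative).
SAMPLE_FLOWS = """\
# baseline week: normal traffic from two workstations
2024-03-01T08:00:00 10.0.1.5 10.0.1.2 88
2024-03-01T08:05:00 10.0.1.5 10.0.1.10 445
2024-03-02T09:00:00 10.0.1.5 10.0.1.2 88
2024-03-02T09:10:00 10.0.1.5 10.0.1.10 445
2024-03-01T08:00:00 10.0.1.6 10.0.1.2 88
2024-03-03T10:00:00 10.0.1.6 10.0.1.10 445
# observation day: 10.0.1.5 fans out to hosts it never reached before
2024-03-08T02:10:00 10.0.1.5 10.0.1.11 445
2024-03-08T02:11:00 10.0.1.5 10.0.1.12 445
2024-03-08T02:12:00 10.0.1.5 10.0.1.13 3389
2024-03-08T02:13:00 10.0.1.5 10.0.1.14 5985
2024-03-08T02:14:00 10.0.1.5 10.0.1.10 445
# 10.0.1.6 contacts a single new host: below threshold, not flagged
2024-03-08T11:00:00 10.0.1.6 10.0.1.20 443
"""


def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, port); skip comments and blanks."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def build_baseline(records, baseline_end):
    """Map each source host to the set of destinations it contacted before baseline_end."""
    peers = defaultdict(set)
    for ts, src, dst, _port in records:
        if ts < baseline_end:
            peers[src].add(dst)
    return peers


def find_fan_out(records, baseline_end, window, min_new_peers=3):
    """Return {src: {dst: [ports]}} for hosts that reached at least min_new_peers
    destinations absent from their baseline within [baseline_end, baseline_end + window).

    A host with no baseline history is treated as having no known peers, so a
    brand-new machine will show up here; that is a trade-off to tune per network.
    """
    baseline = build_baseline(records, baseline_end)
    new_peers = defaultdict(lambda: defaultdict(set))
    for ts, src, dst, port in records:
        in_window = baseline_end <= ts < baseline_end + window
        if in_window and dst not in baseline[src]:
            new_peers[src][dst].add(port)
    return {
        src: {dst: sorted(ports) for dst, ports in dsts.items()}
        for src, dsts in new_peers.items()
        if len(dsts) >= min_new_peers
    }


def run_sample():
    """Run the detector over the constructed log with a one-week baseline and one-day window."""
    records = parse_flows(SAMPLE_FLOWS)
    return find_fan_out(records, datetime(2024, 3, 8), timedelta(days=1))


if __name__ == "__main__":
    for src, dsts in run_sample().items():
        print(f"ALERT {src} reached {len(dsts)} new peers: {dsts}")
```

On the sample data only 10.0.1.5 is reported, with four new destinations and the ports used to reach them; 10.0.1.6 contacted one new host and stays under the threshold. In practice the baseline would be rebuilt from real flow or firewall logs on a rolling schedule, and the alert would carry the destination ports because a fan-out over administrative services is the variant most worth an analyst's time.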
Lateral Movement Prevention and Defense.
Prevention remains the best weapon available against cyber attacks. Lateral Movement can be prevented with proven techniques such as micro-segmentation, which limits the spread of a threat by isolating applications and resources. To minimize risk, it is always necessary to adopt secure passwords, keep software up to date and grant users the minimum privileges needed to operate, so that they cannot access more than what is really required to carry out their assigned tasks.