What is Lateral Movement (Cybersecurity Attack)? – Definition from … – Techopedia

Lateral movement is a technique that cyber-attackers use to stealthily explore a target network or cloud environment, learn its vulnerabilities and escalate access privileges to reach their target. The goal of malicious lateral movement is to gain access to the target, explore as much of the target as the attacker's access credentials allow and look for other vulnerabilities that can be exploited to escalate privileges. Typically, a malicious actor will look for a misconfigured device, vulnerable software application, or access credential that can be compromised.
Lateral movement plays an important role in security breaches, including advanced persistent threats (APTs). In this type of prolonged attack, the perpetrator remains hidden inside the target for an extended period of time, waiting patiently for the right opportunity to escalate the attack. Security and network monitoring tools will not issue alerts when credentialed entities move laterally across a network or cloud environment, because this type of movement appears to be normal behavior. Attackers can remain hidden for years; in some cases they have only been discovered when monitoring tools caught them trying to elevate privileges.
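Because each individual credentialed logon looks legitimate, one practical way to surface lateral movement is to look at the pattern rather than the event: an account that suddenly authenticates to many distinct hosts in a short window. The following is an added example, not code from the Techopedia page; the event layout, the sample logons and the thresholds are constructed assumptions.

```python
"""Flag accounts whose distinct destination hosts within a sliding window
exceed what is expected for that account.  Added example (not from the
original page); event format, thresholds and sample data are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful network logons: (account, destination host, ISO time).
# A real feed would be e.g. Windows 4624 logon-type-3 events or cloud audit logs.
SAMPLE_LOGONS = [
    ("svc-backup", "FS01", "2022-03-01T09:00:00"),
    ("svc-backup", "FS02", "2022-03-01T09:05:00"),
    ("jdoe", "WS-JDOE", "2022-03-01T09:10:00"),
    ("jdoe", "FS01", "2022-03-01T09:12:00"),
    ("jdoe", "FS02", "2022-03-01T09:13:00"),
    ("jdoe", "SQL01", "2022-03-01T09:14:00"),
    ("jdoe", "DC01", "2022-03-01T09:15:00"),
    ("jdoe", "WS-FINANCE", "2022-03-01T09:16:00"),
    ("asmith", "WS-ASMITH", "2022-03-01T09:20:00"),
    ("asmith", "FS01", "2022-03-01T13:00:00"),
]

# Assumed per-account allowances: service accounts that legitimately fan out
# get a higher ceiling than an interactive user.
EXPECTED_MAX_HOSTS = {"svc-backup": 20}
DEFAULT_MAX_HOSTS = 3


def parse(events):
    """Convert the raw tuples into (account, host, datetime)."""
    return [(acct, host, datetime.fromisoformat(ts)) for acct, host, ts in events]


def detect_fan_out(events, window=timedelta(minutes=10)):
    """Return {account: (distinct_hosts, window_start_iso)} for every account
    that reached more distinct hosts in any window than its allowance.
    Only the largest fan-out per account is kept."""
    by_account = defaultdict(list)
    for account, host, ts in parse(events):
        by_account[account].append((ts, host))

    alerts = {}
    for account, seq in by_account.items():
        limit = EXPECTED_MAX_HOSTS.get(account, DEFAULT_MAX_HOSTS)
        seq.sort()  # chronological; tuples sort by timestamp first
        for i, (start, _) in enumerate(seq):
            hosts = {h for ts, h in seq[i:] if ts - start <= window}
            if len(hosts) > limit:
                prev = alerts.get(account)
                if prev is None or len(hosts) > prev[0]:
                    alerts[account] = (len(hosts), start.isoformat())
    return alerts


if __name__ == "__main__":
    for account, (count, start) in detect_fan_out(SAMPLE_LOGONS).items():
        print(f"ALERT {account}: {count} distinct hosts within 10 min of {start}")
```

In the constructed sample, `jdoe` touches six hosts in six minutes and is flagged, while the backup service account and `asmith` stay under their allowances. The per-account allowance is the important design choice: a single global threshold either drowns in service-account noise or misses a user account that is being used to hop between workstations.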
To limit damage from malicious lateral movement, information technology (IT) administrators should:
When malicious lateral movement is detected, IT administrators and security engineers need to revoke the attacker’s access as soon as possible and isolate the compromised network segments.
The incident response team should immediately conduct a forensic audit to determine how the attacker gained access, what digital resources were accessed, and what — if any — damage was done.
The audit process should also review the business rules for securing access privileges and recommend steps to close security gaps that could lead to further damage.
People should think about lateral movement not as an attack in itself, but as a critical phase of an attack where the attacker is seeking out their next machine or identity to compromise after they gain their foothold.
Ideally, the attacker would like to compromise an identity with administrative privileges (a privileged identity), but this is not always possible, so they have to move around to find a path to an identity that has the privileges they need.
They may do this by:
Lateral movement plays an important role in many types of cyberattacks, including business email compromise (BEC), spear phishing, and whaling. In these types of social engineering exploits, the attacker will initially try to steal a high-ranking employee’s identity, relying on the idea that executives are more likely to have administrative privileges than lower-level employees. If this strategy doesn’t work out, they will simply look for an easier way to gain access from a less privileged identity and then use their new credentials to continue the attack incrementally.
The widespread adoption of Software as a Service (SaaS) and hybrid cloud infrastructures has increased the number of identities that IT administrators need to manage and secure. Unfortunately, the probability of those identities being compromised has grown as well. In a distributed IT infrastructure, line of business (LOB) managers are often tasked with access management for their department’s niche SaaS applications. Unless mechanisms are put in place to ensure visibility into cloud access permission levels, it can be difficult (or even impossible) to know when accounts are over-privileged. Another issue is that cloud-based Identity and Access Management (IAM) tools themselves can also be compromised and used to conduct an attack.
While prevention is ideal, companies must also do what they can to limit the blast radius. One of the challenges that security teams face is a lack of visibility. Even when an organization is using an Identity Governance and Administration (IGA) or Identity Provider (IdP) tool, it can be difficult to track access granted through peer-to-peer provisioning, non-federated identities (those not managed in an IdP such as Okta, Azure AD or Ping Identity), and orphan credentials left behind by employees who have changed roles within the organization or moved on to another job.
A formal discovery plan for malicious lateral movement can help administrators to set enforceable policies that right-size access and continuously monitor for privilege sprawl. The discovery plan should improve visibility by answering the following questions:
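A concrete form of that discovery step is reconciling each SaaS application's own account list against the identity provider, which is where non-federated logins, orphaned accounts and over-privileged roles become visible. The following is an added example, not code from the Techopedia page; the directory records, the SaaS export format and the group name are constructed assumptions.

```python
"""Reconcile a SaaS application's account export against the IdP directory.
Added example (not from the original page); all records and field layouts
are constructed assumptions."""

# Constructed IdP directory: username -> (status, set of group memberships)
IDP_USERS = {
    "jdoe":   ("active", {"staff"}),
    "asmith": ("active", {"staff", "saas-admins"}),
    "bwong":  ("terminated", {"staff"}),
}

# Constructed export from one SaaS app: username -> (role in the app, federated?)
# federated=False means a local password account that bypasses the IdP.
SAAS_ACCOUNTS = {
    "jdoe":        ("admin", True),    # admin in the app, not in the IdP admin group
    "asmith":      ("admin", True),    # admin in the app, approved via IdP group
    "bwong":       ("user", True),     # owner has left the company
    "contractor1": ("admin", False),   # local account, no IdP record at all
    "old-admin":   ("admin", False),   # nobody in the IdP matches
}


def review_accounts(saas, idp, admin_group="saas-admins"):
    """Return three sorted finding lists:
    non_federated  - app accounts that do not authenticate through the IdP
    orphaned       - app accounts with no active owner in the IdP
    over_privileged- app admins whose IdP record does not grant the admin group
    """
    findings = {"non_federated": [], "orphaned": [], "over_privileged": []}
    for user, (role, federated) in sorted(saas.items()):
        if not federated:
            findings["non_federated"].append(user)
        record = idp.get(user)
        if record is None or record[0] != "active":
            findings["orphaned"].append(user)
        elif role == "admin" and admin_group not in record[1]:
            findings["over_privileged"].append(user)
    return findings


if __name__ == "__main__":
    for category, users in review_accounts(SAAS_ACCOUNTS, IDP_USERS).items():
        print(f"{category}: {', '.join(users) or 'none'}")
```

Run against the constructed data this reports two non-federated accounts, three accounts with no active owner, and one app-level admin whose privilege is not backed by the IdP group that is supposed to govern it. Each of those is a candidate foothold or stepping stone for lateral movement that an IdP-only view would never show.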
If IT administrators and LOB managers want to beat attackers at their own game, they need to start thinking like an attacker. Right now, defenders generally follow lists of best practices and compliance regulations to improve their security. The problem is that attackers who are using lateral movement don’t think in terms of lists – they think in terms of graph theory. Their plans don’t involve checklists. They are more like maps that show how the attacker can move laterally from the initial compromise (Point A) to a fairly low-level target (Point B) and use Point B to gain access to the final target (Point C). They care little about the process, just the results.
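Thinking in terms of a graph can be done literally: model identities, groups and hosts as nodes, the access relationships between them as edges, and enumerate every route from a likely initial compromise (Point A) to the final target (Point C). The edge that appears on the most routes is the one whose removal most reduces the attacker's options. The following is an added example, not code from the Techopedia page; the relationship types and the small graph are constructed assumptions.

```python
"""Enumerate paths through an access graph and rank edges by how many paths
they carry.  Added example (not from the original page); the edge semantics
and the sample graph are constructed assumptions."""
from collections import Counter

# Constructed relationships: (source, relationship, target).  Assumed meaning:
#   admin_to    identity/group holds local admin on the host
#   session_on  identity has a live session (and thus credentials) on the host
#   member_of   group membership
EDGES = [
    ("jdoe", "admin_to", "WS-JDOE"),
    ("jdoe", "member_of", "helpdesk-group"),
    ("helpdesk-group", "admin_to", "WS-JDOE"),
    ("helpdesk-group", "admin_to", "WS-FINANCE"),
    ("helpdesk-group", "admin_to", "FS01"),
    ("svc-backup", "session_on", "FS01"),
    ("svc-backup", "admin_to", "DC01"),
    ("cfo", "session_on", "WS-FINANCE"),
    ("cfo", "member_of", "Domain Admins"),
    ("Domain Admins", "admin_to", "DC01"),
]


def build_graph(edges):
    """Adjacency list of (next_node, relationship).  A session_on edge is
    reversed: controlling a host gives control over identities with sessions
    on it, so the traversable edge runs host -> identity."""
    adj = {}

    def add(src, dst, rel):
        adj.setdefault(src, []).append((dst, rel))
        adj.setdefault(dst, [])

    for src, rel, dst in edges:
        if rel == "session_on":
            add(dst, src, "credentials_on_host")
        else:
            add(src, dst, rel)
    return adj


def attack_paths(adj, start, goal):
    """All simple paths from start to goal; each path is a list of
    (node, relationship_used_to_reach_it), the first entry has relationship None."""
    paths = []

    def dfs(node, path):
        if node == goal:
            paths.append(list(path))
            return
        for nxt, rel in adj.get(node, []):
            if all(nxt != visited for visited, _ in path):
                path.append((nxt, rel))
                dfs(nxt, path)
                path.pop()

    dfs(start, [(start, None)])
    return paths


def choke_points(paths):
    """Edges ranked by the number of paths they appear on, most common first."""
    counts = Counter()
    for path in paths:
        for (src, _), (dst, rel) in zip(path, path[1:]):
            counts[(src, rel, dst)] += 1
    return counts.most_common()


def render(path):
    return " ".join(node if rel is None else f"-{rel}-> {node}" for node, rel in path)


if __name__ == "__main__":
    graph = build_graph(EDGES)
    found = attack_paths(graph, "jdoe", "DC01")
    for p in found:
        print(render(p))
    print("top choke point:", choke_points(found)[0])
```

With the constructed graph there are two routes from `jdoe` to the domain controller: one through a workstation where the CFO has a session, one through a file server where a backup service account has a session. Both depend on `jdoe`'s helpdesk group membership, so that single edge is the cut a defender should make first; the same analysis run from every non-privileged identity gives the privilege-sprawl picture the discovery plan is after.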
Copyright © 2022 Techopedia Inc.