Today's attackers rarely conduct lateral movement manually.
For attackers, lateral movement is an exercise in taking what they are given: They are not moving throughout the network according to some sort of preplanned map, but following open pathways wherever they may lead. Rather than taking significant leaps into the heart of the network, attackers will make small hops, following open pathways to infiltrate any area of the network available to them.
As a result, today's attackers almost always use automated processes to conduct this type of reconnaissance.
If the automated process recognizes a key piece of infrastructure during one of these small hops, it will report back to the attacker to let them know something potentially valuable has been identified.
Ultimately, the goal is to hit every device in the enterprise - after all, the more devices an attacker captures, the greater the odds of finding something valuable.
Since most attacks today involve ransomware, data theft, or both, access to large volumes of data to steal or encrypt is critical.
Attackers don't move laterally just for the heck of it - they're doing it with a goal in mind.
In the beginning, that goal may be to simply compromise as many devices or areas of the network as possible, but as attack activity progresses, defenders can begin to look for evidence of intent.
This is just one example, but it's indicative of the sort of activity that often accompanies lateral movement through a network.
Some security solutions won't alert on encryption if only a small number of files are affected, and as a result, attackers have caught onto the fact that if they encrypt only a small amount of information at a time, they can often escape detection.
What's more likely is that the employee is engaging in fraudulent activity, or that their identity has been compromised and is being used by an attacker.
Monitoring for encryption is one of the most effective ways to identify an adversary moving laterally through the system and engaging in small attack activities as they go.
If the same anomalous activity is observed on multiple devices - especially if it is within a relatively short window of time - that's a good indicator that attackers are moving laterally from endpoint to endpoint.
When the automated processes engaging in lateral movement find something noteworthy, they send that data back out to the attacker.
If something within the network is sending the same type of data burst from several different endpoints - and it's not coming from a known and approved application - that should raise a red flag.
Certain small hops might not set off alarm bells on their own, but if they're happening too frequently the security team needs to be alerted.
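The two detection ideas above (the same activity appearing on several endpoints within a short window, and small encryption batches that individually stay under a per-event threshold) can be expressed as simple correlation rules. The following is an added illustration, not code from the original article; the log format, host names and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry for this example (not from the original article).
# One event per line: "timestamp|host|event|count" (count = files touched).
SAMPLE_LOG = """\
2023-12-13T10:00:05|ws-01|file_encrypt|12
2023-12-13T10:02:10|ws-01|file_encrypt|15
2023-12-13T10:03:40|ws-02|file_encrypt|14
2023-12-13T10:05:02|ws-03|file_encrypt|11
2023-12-13T10:06:30|ws-01|outbound_burst|1
2023-12-13T10:07:15|ws-02|outbound_burst|1
2023-12-13T10:08:50|ws-03|outbound_burst|1
2023-12-13T11:30:00|ws-09|file_encrypt|9
"""

def parse_events(text):
    # Returns (timestamp, host, event, count) tuples sorted by time.
    events = []
    for line in text.splitlines():
        ts, host, event, count = line.split("|")
        events.append((datetime.fromisoformat(ts), host, event, int(count)))
    return sorted(events)

def per_event_threshold(events, event_type, threshold):
    """Naive rule: alert only when a single event is large. Small batches slip past."""
    return {h for _, h, ev, n in events if ev == event_type and n >= threshold}

def cumulative_per_host(events, event_type, window_min, threshold):
    """Sum counts per host over a sliding window of window_min minutes, so a run of
    small batches that each stay under the per-event threshold still trips the alert."""
    window, per_host, flagged = timedelta(minutes=window_min), defaultdict(list), set()
    for ts, host, ev, n in events:
        if ev == event_type:
            per_host[host].append((ts, n))
    for host, items in per_host.items():
        for i, (start, _) in enumerate(items):
            if sum(n for ts, n in items[i:] if ts - start <= window) >= threshold:
                flagged.add(host)
                break
    return flagged

def spread_across_hosts(events, event_type, window_min, min_hosts):
    """Alert when one event type shows up on >= min_hosts distinct hosts inside a
    sliding window: the hop-to-hop pattern of automated lateral movement."""
    window = timedelta(minutes=window_min)
    hits = [(ts, h) for ts, h, ev, _ in events if ev == event_type]
    for i, (start, _) in enumerate(hits):
        hosts = {h for ts, h in hits[i:] if ts - start <= window}
        if len(hosts) >= min_hosts:
            return {"first_seen": start.isoformat(), "event": event_type, "hosts": sorted(hosts)}
    return None
```

With a per-event threshold of 20 files nothing fires on the sample data, while the 30-minute cumulative rule flags ws-01 and the spread rule ties ws-01, ws-02 and ws-03 together within ten minutes.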
Breach and attack simulation solutions and automated red teaming can imitate the tools and tactics that attackers favor to see whether security solutions are functioning properly - and if they are not, they may be able to recommend ways to improve them.
Even attackers are no longer manually conducting their incursions, instead opting to use tools that allow them to make countless small hops designed specifically to avoid detection.
Security teams have neither the time nor the resources to manually comb through hundreds of pages of network logs to look for this activity themselves - they need solutions in place that can provide them with real-time alerts when an attacker begins engaging with multiple devices, encrypting information, exfiltrating data, or any of a thousand other micro-activities.
Given the volume of activity on today's networks, abnormal behavior can sometimes be lost in the background noise, but a well-calibrated - and well-tested - SIEM that can draw conclusions from massive amounts of input can make sure defenders have the information they need to stop adversaries before they can escalate their attacks.
This Cyber News was published on securityboulevard.com. Publication date: Wed, 13 Dec 2023 16:13:18 +0000