The importance of Lateral Movement in Defence Plans


In the ever-evolving landscape of cybersecurity, lateral movement remains one of the most underestimated tactics utilised by attackers. While organizations often focus on securing their perimeters, the internal pathways that attackers exploit to move laterally within networks are frequently forgotten. This oversight can have devastating consequences, as lateral movement is a critical phase in an attack, enabling the attacker to escalate privileges, access sensitive data, and deploy malicious payloads.

Why Lateral Movement is Overlooked

Lateral movement is often overlooked when considering the steps an attacker will take. Many security tools are designed to monitor and protect the network’s perimeter, leaving internal interactions between hosts less scrutinized. This gap in visibility allows attackers to navigate networks undetected, turning a single compromised endpoint into a full-scale breach.

Statistics highlight the prevalence of lateral movement in successful cyberattacks. For instance, over 70% of breaches leverage lateral movement techniques, underscoring its critical role in the attack lifecycle.

Techniques for Lateral Movement

Attackers employ a variety of techniques to achieve lateral movement, often adapting their methods to the target’s infrastructure and security measures. Some of the most common techniques include:

  1. Exploitation of Unpatched Systems: Unpatched vulnerabilities are a goldmine for attackers. For example, the infamous MOVEit Transfer vulnerability (CVE-2023-34362) allowed attackers to exploit SQL injection flaws, enabling lateral movement across affected networks. Unpatched systems remain a significant risk, as they provide attackers with easy entry points to escalate their access.
  2. Credential Harvesting: Techniques like Pass-the-Hash allow attackers to reuse stolen credentials to authenticate themselves without cracking plaintext passwords. This method was notably used in the 2013 Target data breach.
  3. Abuse of Remote Services: Protocols like Remote Desktop Protocol (RDP) and Server Message Block (SMB) are often exploited for lateral movement. Attackers misuse these services to gain unauthorized access to systems and move deeper into the network.
  4. Living Off the Land (discussed in an earlier post on this blog): By leveraging legitimate tools like PowerShell and Windows Management Instrumentation (WMI), attackers can blend in with normal operations, making their activities harder to detect.

Strengthening Defences Against Lateral Movement

To mitigate the risks associated with lateral movement, there are some fairly standard recommendations for an organisation to implement, such as network segmentation and a Zero Trust approach, but perhaps the most important one is making sure you regularly update and patch your environment.

At Innoculator we are admittedly biased on this point! From our experience, however, patching is too often the most neglected of these options, and it is in fact the one that delivers the most “bang for your buck”. By getting your vulnerabilities patched, you greatly limit an attacker’s options once they have gained entry; and by forcing them to use “noisier” techniques, you help find them quicker.
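As an added illustration of what those “noisier” techniques look like to a defender (this is example code written for this page, not the post's or Innoculator's own tooling), the script below runs a simple fan-out check over constructed Windows Security 4624 logon records: one account, from one source, reaching several hosts over SMB (logon type 3) or RDP (logon type 10) within a few minutes, which is the host-to-host pattern the Techniques section describes. The field layout, thresholds and sample events are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4624 (successful logon) records,
# reduced to (time, account, source workstation/IP, destination host, logon type,
# authentication package). Logon type 3 = network (SMB share or admin$ access),
# 10 = RemoteInteractive (RDP), 2 = local console. These are made-up events.
SAMPLE_EVENTS = [
    # normal: a backup service account hitting one file server all morning
    ("2024-01-10T08:00:00", "svc_backup", "10.0.1.5", "FS01", 3, "Kerberos"),
    ("2024-01-10T08:30:00", "svc_backup", "10.0.1.5", "FS01", 3, "Kerberos"),
    ("2024-01-10T09:00:00", "svc_backup", "10.0.1.5", "FS01", 3, "Kerberos"),
    # normal: a console logon (type 2) is not lateral movement and is ignored
    ("2024-01-10T09:05:00", "jsmith", "WS07", "WS07", 2, "Kerberos"),
    # suspicious: one user, one source, four distinct hosts over NTLM in 6 minutes
    ("2024-01-10T09:10:00", "jsmith", "10.0.5.23", "WS02", 3, "NTLM"),
    ("2024-01-10T09:12:00", "jsmith", "10.0.5.23", "WS03", 3, "NTLM"),
    ("2024-01-10T09:14:00", "jsmith", "10.0.5.23", "FS01", 3, "NTLM"),
    ("2024-01-10T09:16:00", "jsmith", "10.0.5.23", "DC01", 10, "NTLM"),
    # an admin RDP-ing to two servers an hour apart does not fill the window
    ("2024-01-10T10:00:00", "alice", "10.0.2.9", "APP01", 10, "Kerberos"),
    ("2024-01-10T11:00:00", "alice", "10.0.2.9", "APP02", 10, "Kerberos"),
]

LATERAL_LOGON_TYPES = {3, 10}  # remote logon types used to hop from host to host

def detect_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Flag (account, source) pairs that reach >= min_hosts distinct destinations
    via network or RDP logons inside any `window`-long span. Returns a dict
    mapping the pair to the sorted list of destination hosts it touched."""
    by_pair = defaultdict(list)
    for ts, account, src, dst, logon_type, _auth in events:
        if logon_type in LATERAL_LOGON_TYPES:
            by_pair[(account, src)].append((datetime.fromisoformat(ts), dst))
    alerts = {}
    for pair, logons in by_pair.items():
        logons.sort()
        start = 0  # left edge of a sliding time window over the sorted logons
        for end in range(len(logons)):
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {dst for _, dst in logons[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.setdefault(pair, set()).update(hosts)
    return {pair: sorted(hosts) for pair, hosts in alerts.items()}

if __name__ == "__main__":
    for (account, src), hosts in detect_fanout(SAMPLE_EVENTS).items():
        print(f"possible lateral movement: {account} from {src} -> {', '.join(hosts)}")
```

The service account and the admin are not flagged because they never touch three distinct hosts inside the window; tune `window` and `min_hosts` to your own baseline, and treat NTLM-only network logons from user workstations as an extra signal worth a closer look.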
