To detect lateral movement, organizations need to identify abnormal network activity, map lateral movement paths, analyze user behavior and verify unknown devices. If left unnoticed, lateral movement can often lead to data breaches and the loss of highly sensitive data. Organizations can prevent lateral movement within their network by enforcing least privilege access, implementing zero trust, segmenting networks and investing in a PAM solution.
Continue reading to learn more about lateral movement, how it works, how to detect it and how to prevent lateral movement within a network.
What Is Lateral Movement and How Does It Work?
Lateral movement is a technique cybercriminals use to move deeper within a network after gaining initial access. Cybercriminals use lateral movement to infect multiple devices and accounts, maintain ongoing access throughout the network and gain increased privileges to access sensitive data. They rely on an organization having poor Privileged Access Management (PAM) in which privileges are improperly tracked or assigned.
Cybercriminals will first gain access by stealing login credentials or exploiting security vulnerabilities. Once cybercriminals have gained access to an organization’s network undetected, they try to escalate their privileges by infecting other devices within the network, stealing login credentials of privileged users and bypassing authorization with privileged accounts. Cybercriminals move laterally across the network until they gain administrative-level privileges to control the entire network and gain access to valuable assets.
How To Detect Lateral Movement
Cybercriminals try to remain hidden when accessing and moving laterally across a network. However, organizations can detect lateral movement by using real-time monitoring of user and network behavior. Here are the ways organizations can implement real-time monitoring to detect lateral movement within their network.
Identify abnormal network activity
The main way cybercriminals try to remain undetected is by turning off security settings and antivirus software. To identify lateral movement, organizations should look for abnormal network activity such as changing security settings, connections to external ports, usage of abnormal protocols and unusual traffic activity on the network. If an organization notices any of these abnormal network activities, a cybercriminal has most likely compromised a privileged account with administrative privileges.
Map lateral movement paths
Organizations need to map out lateral movement paths to easily identify if any lateral movement is present in their network and understand if privileged accounts have been compromised. They need to look at their data infrastructure and list out potentially targeted accounts such as accounts with privileged access, poor authentication and mismanaged privileges. Organizations should also look for other vulnerabilities that could lead to lateral movement.
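One way to put the path-mapping step into practice, as an added example that is not part of the original article or of any Keeper product: a small script that takes an inventory of which accounts hold local admin rights on which hosts and which accounts have logon sessions where, builds a graph from it, and reports the shortest chain from every ordinary account to a Tier 0 account. The host and account names, the inventory itself and the "admin rights plus exposed session" model are all assumptions made for the example; a real inventory would come from the directory and endpoint telemetry.

```python
"""
Added example (not from the original article or Keeper's code): mapping
lateral movement paths over a constructed inventory.

Model (an assumption for this example):
  - a principal with local admin rights on a host can reach that host;
  - a host with a logon session for a principal exposes that principal's
    credentials to whoever is admin on the host.
A chain from a low-privilege account to a Tier 0 principal is a lateral
movement path defenders should cut before it is used.
"""
from collections import deque

# Constructed inventory with hypothetical account and host names.
ADMIN_ON = {            # principal -> hosts where it has local admin rights
    "alice": ["WS01"],
    "helpdesk": ["WS01", "WS02", "SRV-FILE"],
    "svc_backup": ["SRV-FILE", "DC01"],
    "domadmin": ["DC01", "SRV-FILE", "WS02"],
}
SESSIONS = {            # host -> principals with an active logon session
    "WS01": ["alice", "helpdesk"],
    "WS02": ["domadmin"],
    "SRV-FILE": ["svc_backup"],
    "DC01": ["domadmin"],
}
TIER0_PRINCIPALS = {"domadmin"}   # highest-value accounts
TIER0_HOSTS = {"DC01"}            # hosts Tier 0 accounts should log on to


def build_graph(admin_on, sessions):
    """Directed graph: ('user', p) -> ('host', h) for admin rights,
    ('host', h) -> ('user', p) for exposed sessions."""
    graph = {}
    for principal, hosts in admin_on.items():
        for host in hosts:
            graph.setdefault(("user", principal), []).append(("host", host))
    for host, users in sessions.items():
        for user in users:
            graph.setdefault(("host", host), []).append(("user", user))
    return graph


def shortest_path(graph, start, targets):
    """Breadth-first search from a principal to any target principal.
    Returns the node list of the shortest path, or None if unreachable."""
    start_node = ("user", start)
    parent = {start_node: None}
    queue = deque([start_node])
    while queue:
        node = queue.popleft()
        if node != start_node and node[0] == "user" and node[1] in targets:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def principals_reaching_tier0(admin_on, sessions, tier0):
    """Map every non-Tier-0 principal to its shortest path into Tier 0."""
    graph = build_graph(admin_on, sessions)
    paths = {}
    for principal in admin_on:
        if principal in tier0:
            continue
        path = shortest_path(graph, principal, tier0)
        if path:
            paths[principal] = [f"{kind}:{name}" for kind, name in path]
    return paths


def tier0_sessions_on_untrusted_hosts(sessions, tier0, tier0_hosts):
    """Mitigation hint: Tier 0 sessions on non-Tier-0 hosts are the edges
    that turn a workstation compromise into a domain compromise."""
    return sorted(
        (host, user)
        for host, users in sessions.items()
        for user in users
        if user in tier0 and host not in tier0_hosts
    )


if __name__ == "__main__":
    for who, path in principals_reaching_tier0(ADMIN_ON, SESSIONS, TIER0_PRINCIPALS).items():
        print(who, "->", " -> ".join(path))
    print("Tier 0 sessions to remove:",
          tier0_sessions_on_untrusted_hosts(SESSIONS, TIER0_PRINCIPALS, TIER0_HOSTS))
```

On the constructed data the ordinary account alice reaches the domain admin in four hops through the helpdesk account's session on WS01 and the domain admin's session on WS02; the last function points at that WS02 session as the edge to remove, which is the "mismanaged privileges" case the paragraph describes.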
Analyze user behavior
Organizations should analyze user behavior to detect lateral movement. They need to look out for any abnormal user behavior such as:
- Multiple login attempts of privileged accounts
- Abnormal login times, locations and devices
- Unauthorized access to highly sensitive data
- Unauthorized file-sharing
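The behaviour checks in the list above, and the "one account spreading to many hosts" pattern behind the earlier note on unusual network activity, as an added example that is not from the original article: a small detector run over constructed authentication log lines. The log format, account names, addresses, the business-hours window and every threshold are assumptions for the example.

```python
"""
Added example (not from the original article): a detector that applies the
user-behaviour checks listed above to constructed authentication log lines.
Log format, account names, addresses and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one logon event per line, UTC timestamps.
LOG = """\
2024-05-03T09:02:11Z user=alice host=WS01 src=10.0.1.15 result=success
2024-05-03T09:05:40Z user=alice host=WS01 src=10.0.1.15 result=success
2024-05-03T02:14:07Z user=domadmin host=DC01 src=10.0.9.40 result=failure
2024-05-03T02:14:19Z user=domadmin host=DC01 src=10.0.9.40 result=failure
2024-05-03T02:14:31Z user=domadmin host=DC01 src=10.0.9.40 result=failure
2024-05-03T02:14:44Z user=domadmin host=DC01 src=10.0.9.40 result=failure
2024-05-03T02:14:58Z user=domadmin host=DC01 src=10.0.9.40 result=success
2024-05-03T02:16:03Z user=domadmin host=SRV-FILE src=10.0.9.40 result=success
2024-05-03T02:17:20Z user=domadmin host=WS02 src=10.0.9.40 result=success
2024-05-03T02:18:41Z user=domadmin host=WS05 src=10.0.9.40 result=success
2024-05-03T10:30:00Z user=bob host=WS03 src=10.0.1.22 result=success
garbage line that should be skipped
"""

PRIVILEGED = {"domadmin", "svc_backup"}
# Source addresses each account has historically used (constructed baseline).
BASELINE_SOURCES = {
    "alice": {"10.0.1.15"},
    "bob": {"10.0.1.22"},
    "domadmin": {"10.0.9.10"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts, sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def _max_in_window(times, window):
    """Largest number of sorted timestamps falling inside any one window."""
    best, j = 0, 0
    for i in range(len(times)):
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        best = max(best, j - i)
    return best


def detect(events, privileged, baseline_sources, business_hours=(7, 19),
           failure_threshold=4, failure_window=timedelta(minutes=5),
           fanout_threshold=3, fanout_window=timedelta(minutes=10)):
    """Return alert dicts, one per (rule, user) that fired."""
    alerts = []
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    for user, evs in by_user.items():
        failures = [e["ts"] for e in evs if e["result"] == "failure"]
        successes = [e for e in evs if e["result"] == "success"]

        # Multiple login attempts against a privileged account.
        if user in privileged:
            burst = _max_in_window(failures, failure_window)
            if burst >= failure_threshold:
                alerts.append({"rule": "privileged_failure_burst", "user": user, "count": burst})

        # Abnormal login times: successful logons outside business hours.
        off_hours = [e for e in successes
                     if not business_hours[0] <= e["ts"].hour < business_hours[1]]
        if off_hours:
            alerts.append({"rule": "off_hours_logon", "user": user,
                           "hosts": sorted({e["host"] for e in off_hours})})

        # Abnormal devices/locations: a source address never seen for this account.
        unknown = sorted({e["src"] for e in successes} - baseline_sources.get(user, set()))
        if unknown:
            alerts.append({"rule": "unknown_source", "user": user, "sources": unknown})

        # One account reaching many distinct hosts in a short time.
        fanout_hosts = set()
        for i, e in enumerate(successes):
            hosts = {s["host"] for s in successes[i:] if s["ts"] - e["ts"] <= fanout_window}
            if len(hosts) > len(fanout_hosts):
                fanout_hosts = hosts
        if len(fanout_hosts) >= fanout_threshold:
            alerts.append({"rule": "host_fanout", "user": user, "hosts": sorted(fanout_hosts)})
    return alerts


def rules_for(alerts, user):
    """Names of the rules that fired for one account."""
    return {a["rule"] for a in alerts if a["user"] == user}


if __name__ == "__main__":
    for alert in detect(parse_log(LOG), PRIVILEGED, BASELINE_SOURCES):
        print(alert)
```

On the sample lines the domain admin account trips all four rules (a burst of four failures, logons at 02:00 UTC, a source address outside its baseline and four hosts reached in under five minutes) while alice and bob trip none; in practice the baseline of known sources and the thresholds would be tuned per environment rather than hard-coded.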
Verify unknown devices
Some organizations require their employees to use their own devices to do their jobs. This can result in many unknown devices connecting to an organization’s network of systems and resources. However, organizations should not implicitly trust every device that connects to their network. They need to verify every unknown device that connects to their network to ensure that none of the devices are used by a cybercriminal. They should verify the owner of the device and monitor its activity to confirm it is from an employee, not a cybercriminal.
6 Ways To Prevent Lateral Movement
Although organizations can detect lateral movement within their network, it can be difficult to remove unauthorized users depending on how many devices have been taken over by cybercriminals. Organizations need to prevent cybercriminals from gaining access to their network and moving laterally through it. Here are six ways organizations can prevent lateral movement.
Enforce least privilege access
The principle of least privilege is a cybersecurity concept that gives users just enough network access to the information and systems they need to do their jobs, and no more. By implementing least privilege access, organizations limit access to sensitive data and protect it from misuse. Least privilege access reduces the potential pathways for a security breach and prevents lateral movement. If a user’s account is compromised, the cybercriminal is limited to the privileges of that user and cannot gain further access to the organization’s network.
Implement zero trust
Zero trust is a security framework that requires all users and devices to continuously verify their identity and restricts their access to network systems and data. It eliminates implicit trust and assumes every device has been compromised. Zero trust is based on three principles:
- Assume breach: Zero trust assumes every user trying to get into an organization’s network – human or machine – could be compromised and lead to a security breach.
- Explicitly verify: Under zero trust, all humans and machines must prove who they say they are before they can access an organization’s network and systems.
- Ensure least privilege: When a user is granted access to an organization’s network, they are only given enough access to do their jobs, no more and no less.
By following a zero-trust framework, organizations can reduce their attack surface and prevent cybercriminals from gaining initial access to their network. Zero trust also makes it harder for cybercriminals to move laterally without being detected.
Require multi-factor authentication
Multi-Factor Authentication (MFA) is a security protocol that requires more than one authentication factor to access an organization’s network. An authentication factor can be something a user knows, something they have or something they are. When MFA is enabled, users typically provide their login credentials along with an additional form of identification such as a one-time code.
Organizations should require MFA for privileged account access to provide an additional level of security and ensure that only authorized users are allowed to access these sensitive accounts. Requiring MFA protects organizations from lateral movement since cybercriminals can’t provide the additional authentication needed to access privileged accounts.
Segment networks
Network segmentation divides and isolates parts of the network to control who has access to sensitive information. These segments are tailored to the needs of the different users and can only communicate with each other for business functions. Segmenting networks limits access to the entire network and prevents cybercriminals from moving across the network. Organizations can also create micro-segmentations which are isolated parts of the network within a segmented network.
Keep software up to date
Cybercriminals will try to gain initial access to an organization by exploiting security vulnerabilities found within the organization’s security infrastructure. Often, they look for vulnerabilities found in outdated software. Organizations should keep their software up to date to patch security flaws and add security features that better protect their devices. This will reduce the opportunity for lateral movement.
Invest in a PAM solution
A PAM solution is a tool that manages and secures accounts with permission to access highly sensitive data and systems. With a PAM solution, organizations have full visibility into their entire data infrastructure and can control how much access each user has to sensitive data. A PAM solution can also give organizations insight into an employee’s password practices. Organizations can ensure employees are using strong passwords to protect their accounts and only share passwords with authorized users.
Prevent Lateral Movement With Keeper®
Lateral movement can be difficult to deal with if an organization has poor privileged access management. If it is left unaddressed, cybercriminals can gain privileged access to highly sensitive data and steal an organization’s most valuable assets. To prevent lateral movement, organizations need to invest in a PAM solution to implement least privilege access and zero trust security.
With a PAM solution, organizations can manage their privileged accounts, monitor who is accessing sensitive data and implement security measures to protect sensitive data. KeeperPAM™ is a zero-trust and zero-knowledge privileged access management solution that combines Keeper Enterprise Password Manager, Keeper Secrets Manager® and Keeper Connection Manager®. It helps organizations reduce their attack surface and protect their sensitive data from the damage caused by lateral movement.
Request a demo of KeeperPAM to prevent cybercriminals from using lateral movement to steal your sensitive data.