Cyber Explainer: Lateral Movement

This covert, low-and-slow activity unfolds during an attacker's dwell time and usually signals an upcoming attempt at exfiltration


In this new series, “Cyber Explainer,” Interset breaks down the five most damaging types of threats facing enterprises, then details the five most effective cyberattack methods criminals use to carry them out. For this fourth installment, we look at lateral movement, an indicator that an intrusion is growing in scope.

What It Means
Once an account has been compromised, the attacker may escalate its privileges; the greater access that results makes it easier to move laterally. Moving sideways from host to host, the intruder penetrates deeper into the network. Rather than going straight for a single predetermined target, they methodically look around for attractive assets, credentials, and data, and each credential harvested along the way opens the next hop. This reconnaissance phase frequently precedes exfiltration and accounts for much of an intrusion's dwell time, which is measured from the initial compromise until the intruder is detected.

Where You’ve Seen It
The recent panic about ATM cash heists stems from reports of bank hackers using lateral movement to reach cash machines. For instance, in the July 2016 attack on Taiwan's First Commercial Bank, hackers breached the financial institution's London branch through a phishing scam that gave them a foothold on its intranet. Through a series of systematic lateral movements (see illustration, below), they worked their way to the systems controlling the ATMs and ultimately made the machines dispense cash, which criminal associates collected.

How to Stop It
“Strategic attacks typically have a creative human at the helm of an attack to properly (and quietly) navigate the internal network to find the truly valuable data,” Security Week writes of lateral movement. Rules-based tools such as SIEMs match fixed patterns, so they tend to bury security teams in false positives while the individually unremarkable logons of a patient intruder slip through. Behavioral analytics catches real lateral movement faster because it baselines each entity (user, machine, server, IP address) in a multidimensional manner: not only what that entity normally does, but which other entities it normally interacts with. An account that suddenly authenticates to hosts it has never reached, from a workstation it has never used, stands out against that baseline even though each individual event looks legitimate. Add machine learning, which can process the enormous volume of logs involved, and the analytics grow even more nuanced in pinpointing anomalous actions inside the enterprise.
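The baselining idea above, as an added example that is not Interset's product code or any code from the original post: it reads constructed, simplified logon records (the field layout and host names such as WS-ALICE, FS01 and DC01 are assumptions for illustration), baselines which destination hosts and source workstations each account normally uses, then scores a later window on two dimensions at once: hosts new to that account relative to its own history, and hosts new relative to every account in the organization. The fan-out threshold and the "at least three new hosts" rule are illustrative choices, not tuned values.

```python
"""
Lateral-movement detector sketch (added example, not the page's own code).
Baselines the hosts each account reaches over remote logons, then flags an
account whose logons in a later window fan out to hosts it never touched.
All records below are constructed sample data, not real logs.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Logon:
    ts: datetime
    user: str
    src: str         # workstation the session originated from
    dst: str         # host that was logged on to
    logon_type: int  # Windows 4624 LogonType: 3 = network, 10 = RDP, 2 = local


REMOTE_TYPES = {3, 10}  # only remote logons count as movement between hosts


def parse_line(line):
    """Constructed, simplified format: '<iso-ts> <user> <src> <dst> <logon_type>'."""
    ts, user, src, dst, lt = line.split()
    return Logon(datetime.fromisoformat(ts), user, src, dst, int(lt))


def build_baseline(events, cutoff):
    """Per-user destination hosts, source hosts, and peak distinct hosts per day before cutoff."""
    dsts, srcs = defaultdict(set), defaultdict(set)
    per_day = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e.ts < cutoff and e.logon_type in REMOTE_TYPES:
            dsts[e.user].add(e.dst)
            srcs[e.user].add(e.src)
            per_day[e.user][e.ts.date()].add(e.dst)
    peak = {u: max(len(s) for s in days.values()) for u, days in per_day.items()}
    return dsts, srcs, peak


def score_window(events, cutoff, dsts, srcs, peak, min_new=3):
    """Score each user's remote logons from cutoff onward against the baseline."""
    org_hosts = set().union(*dsts.values()) if dsts else set()
    reached, new_dsts, new_srcs = defaultdict(set), defaultdict(set), defaultdict(set)
    for e in events:
        if e.ts >= cutoff and e.logon_type in REMOTE_TYPES:
            reached[e.user].add(e.dst)
            if e.dst not in dsts.get(e.user, set()):
                new_dsts[e.user].add(e.dst)
            if e.src not in srcs.get(e.user, set()):
                new_srcs[e.user].add(e.src)  # pivoting from a host that is not their usual seat
    findings = {}
    for user, nh in new_dsts.items():
        fanout = len(reached[user])
        # Dimension 1: new versus the user's own history.  Dimension 2: new versus
        # every other entity's history (a host nobody in the org normally reaches).
        alert = len(nh) >= min_new and fanout > peak.get(user, 0)
        findings[user] = {
            "new_hosts": sorted(nh),
            "novel_to_org": sorted(h for h in nh if h not in org_hosts),
            "new_sources": sorted(new_srcs[user]),
            "fanout": fanout,
            "baseline_peak": peak.get(user, 0),
            "alert": alert,
        }
    return findings


# Constructed sample: seven quiet baseline days, then one day of an intruder
# using alice's account to hop from her workstation to bob's and onward.
SAMPLE_LINES = []
_base = datetime(2016, 7, 1, 9, 0)
for _day in range(7):
    _t = _base + timedelta(days=_day)
    SAMPLE_LINES += [
        f"{_t.isoformat()} alice WS-ALICE FS01 3",
        f"{(_t + timedelta(minutes=5)).isoformat()} alice WS-ALICE MAIL01 3",
        f"{_t.isoformat()} bob WS-BOB FS01 3",
        f"{(_t + timedelta(minutes=7)).isoformat()} bob WS-BOB DB01 3",
    ]
CUTOFF = _base + timedelta(days=7)
SAMPLE_LINES += [
    f"{CUTOFF.isoformat()} alice WS-ALICE WS-ALICE 2",  # local logon, ignored
    f"{(CUTOFF + timedelta(minutes=1)).isoformat()} alice WS-ALICE FS01 3",
    f"{(CUTOFF + timedelta(minutes=2)).isoformat()} alice WS-ALICE WS-BOB 3",
    f"{(CUTOFF + timedelta(minutes=9)).isoformat()} alice WS-BOB DB01 3",
    f"{(CUTOFF + timedelta(minutes=15)).isoformat()} alice WS-BOB SRV-HR 10",
    f"{(CUTOFF + timedelta(minutes=31)).isoformat()} alice WS-BOB DC01 3",
    f"{CUTOFF.isoformat()} bob WS-BOB FS01 3",
    f"{(CUTOFF + timedelta(minutes=3)).isoformat()} bob WS-BOB DB01 3",
    f"{(CUTOFF + timedelta(minutes=8)).isoformat()} bob WS-BOB SRV-HR 3",
]


def run(lines=SAMPLE_LINES, cutoff=CUTOFF):
    """Parse, baseline, and score; returns per-user findings."""
    events = [parse_line(l) for l in lines]
    dsts, srcs, peak = build_baseline(events, cutoff)
    return score_window(events, cutoff, dsts, srcs, peak)


if __name__ == "__main__":
    for user, finding in run().items():
        print(user, finding)
```

In the sample, alice's account reaches four hosts it never touched before, three of which no account in the baseline ever reached, and it starts doing so from bob's workstation: that combination, not any single logon, is what raises the alert. bob also touches one new host but stays below the threshold and at his usual fan-out, which is the kind of routine variation a per-event rule would flag and a baseline absorbs.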
