Catch me if you can

Would you spot lateral movements on your network?

Cyber Security Incidents that lead to unauthorised access can be caused by a wide range of attacks, some of which could be specifically crafted against an organisation, industry or region. If this is the case, the intrusion attempt becomes a targeted attack. Motivation for targeted attacks and the attacker’s goals as well as the tools and techniques that are used can vary significantly depending on the threat actor. However, it is more interesting that the actions taken by attackers once they have gained unauthorised access to a network are often the most difficult to identify using industry standard detection techniques. To understand why this is the case it’s necessary to look at these attacks in more detail.
At a high level, targeted attacks can broadly be split in two main groups:

CNA: Computer Network Attacks, where the goal is to disrupt or destroy information on the targeted network (sabotage)
CNE: Computer Network Exploitation, where the goal is to collect intelligence from the targeted network (exfiltration)

In this article we will focus on the latter leaving discussion of CNA for another article.

A Computer Network Exploitation (CNE) operation is built upon three core phases that based on our experience can be spread over one or more years:

Infiltration: a set of actions that lead an attacker to establish a foothold in the targeted network
Aggregation: the collection of targeted information from the compromised network
Exfiltration: the method of removing the aggregated information from the targeted network to a system owned by the attacker

While the methods employed by threat actors differ, these three broad stages of operation are observed across the vast majority of these attacks. As a result it is possible to discuss the actions that are left open to an organisation in broad terms, depending on which phase the attack is in.

If a CNE attack is detected during one of these three phases it means that the attacker has access to the targeted network and a set of Cyber Incident Response actions can be adopted to respond and contain the breach. We will move on to look at each of these in more detail as the “lateral movement” that is the focus of this article is right at the heart of these phases.

If a CNE is detected after these three phases have been completed the attacker has, most likely, already removed the information of interest to them and the value of the Cyber Incident Response plan alters. Containment actions cannot be implemented as the exfiltration phase has already been completed and the targeted company has already most likely lost its Intellectual Property due to a failure in the detection of the attack at an earlier stage.

In this situation a Post-Breach Investigation is required to conduct root cause analysis, to define the compromised domain and perhaps identify the type of the information lost and the extent of the exfiltration phase. All of this information is important when defining a well-organised remediation plan. It is also worth emphasising that whilst the information may be gone, the attacker probably isn’t and is likely to be maintaining access ready for when the organisation generates new information or assets of interest to them.

If we are therefore going to understand the key aspects of detecting attacker activity during one of these three phases we need to look at them in more detail. Let’s start with the infiltration into the network.

The infiltration phase of a CNE attack can be broken down into two macro phases:

Automated activity

The initial foothold is generally gathered through the usage of automated or off-the-shelf tools that could range from well-known malware to ad-hoc Remote Access Trojan (RAT) software. This type of malicious software is usually delivered by leveraging social engineering techniques or through the exploitation of client-side vulnerabilities in the organisation’s software. There will usually be some manual tailoring of the attack, against a specific individual but even this may only be after a more general and automated campaign of attack has failed.

Manual Activity

Once the initial foothold is acquired, a set of manual actions are generally conducted by the intruder with the goal to aggregate and exfiltrate information. These actions usually fall under the term of lateral movements and are what we are interested in here.

In this context a lateral movement is typically defined as an attack where the source and destination are both inside the targeted network. These actions will generally be completed to give the attacker access to a number of internal systems, either to obtain further privileges or access to more sources of data. Lateral movements could often go undetected because they don’t always involve exploitation techniques, particularly when the attacker is simply accessing systems a compromised user already has access to.

For this reason they usually tend to be confused with the normal activity that is seen on a corporate network. When moving laterally the intruder will often use compromised credentials or security tokens already issued to a user to jump between systems. The most common methods that are observed is the use of Windows Remote Desktop or simply by mounting shares on network file servers or other key systems.

As most of the IT security controls that are deployed by organisations focus on inbound infiltration methods, such as the use of proactive measures to protect against software exploitation, lateral movements that tend to leverage common communication channels usually go undetected.

So given this fact how can we improve our security posture against lateral movements?

In this situation, it is important to apply a defense-in-depth approach to ensure that security controls are deployed on both the network and the host. These will need to complement each other and will rely on policy, technical controls and operating procedures to be most effective. It is often useful to map these to the intrusion kill chain as it is a useful tool to visualise and communicate these issues within your organisation.

Inside today’s complex networks it is necessary to first define what the organisation’s key assets are, what their value to the business is and to ensure that they are subject to the best protection. Once you have done this, protecting them may mean segregation of these assets as well as adopting the mindset that loss of minor assets or groups of assets is acceptable in an effort to protect those of the greatest value.

This risk based approach, including the reduction in attack surface and hiving of information is another discussion and not one to focus on here. Protecting against lateral movement that may take an attacker towards your key assets will always be more effective if that step has been taken first. However, if we accept that premise as valid, let’s focus on the lateral movement itself and how it can be prevented.

Firstly it is also important to know what normal-behavior inside your network looks like, alongside a clear understanding of the network topology and patterns of data flow. The flow of data along unexpected paths inside the network is often a key method of spotting data gathering and assimilation activities.

To ensure effectiveness of any controls, a good set of policies for log management and retention is fundamental. This will help to increase networks and systems’ visibility through receiving and correlating relevant logs across IT systems.

A very strong set of correlation rules on a SIEM can also help but always remember it’s a component of the solution, not the solution in itself.

Network Intrusion Detection Systems tend to not detect these sorts of lateral movement unless an in-depth approach is used while defining the rules. However, they can be tuned to fire on unusual situations encountered during lateral movement rather than purely exploitation or exfiltration attempts. This is typically easier to do when the potential threat actors have been identified so their standard methods of operation can be anticipated. However, don’t expect this to be easy.

It can also be helpful to map the development of rules and signatures in either an IDS or SIEM to a specific stage of the kill chain to ensure that there are a good number of rules that spread along the chain and give you the best possible opportunity to spot activity. 
There are also a specific set of countermeasures that can be put in place to decrease an attacker’s effectiveness in performing lateral movements.

This can be achieved through the implementation of well-defined hardening guidelines on hosts, servers and network devices. However, this isn’t about rolling out generic hardening guidelines and hoping for the best. It needs detailed review of key components such as Active Directory structure, user roles and privileges, availability of security tokens on end user systems and other aspects of workstation lockdown. The attackers thrive on the gaps unintentionally or intentionally left in these areas so you have got to do lock-down and hardening that’s specifically tailored to your organisation.

Network segregation is also a key control that if done well can be used to detect lateral movement. That doesn’t mean simply dropping firewalls into your network and hoping the problem is fixed. It needs you to understand legitimate traffic flows and identify exceptions or anomalies. Again, this isn’t easy but is possible with the right approach.

On top of all these technical controls it is very important to implement good processes to ensure that anomalies are promptly reported to well-trained Security Analysts for further evaluation and assessment and that once a Security Incident is declared a specific life-cycle is applied till closure.

So how best to summarise these challenges?

Detecting lateral movements within a corporate environment can be very challenging and for this reason these type of security incidents could go undetected for a long time depending on the type of IT security controls that are implemented, the maturity level of the attack detection capability and the sophistication of the attacker. 
Based on a number of statistics and using our own experiences, most of CNE attacks are usually detected after a significant amount of data has already been exfiltrated. This means that detection mechanisms are right at the end of the kill chain when the attacker has already achieved their objective.

It is important to increase the overall security posture of the company to develop detection mechanisms for earlier stages of the kill chain. This will give enough time to Cyber Incident Responders to implement containment actions before the attacker’s objectives are achieved. Also a global approach to security enhancement will help to improve lateral movement detection as well.

The amount of resources that are required to develop and enhance detection mechanisms for earlier stages of the kill chain can be substantial. This involves not only the enhancement of technical controls but also the development of processes and education of people. For this reason a methodical approach has to be adopted which involves a threat modelling of the environment including key asset identification and consequently the development of a well-defined set of processes and technologies that are limited in number but at the same time effective for your environment.




MWR is an accredited member of The Cyber Security Incident Response Scheme (CSIR) approved by CREST (Council of Registered Ethical Security Testers).
MWR is certified under the Cyber Incident Response (CIR) scheme to deal with sophisticated targeted attacks against networks of national significance.
We are certified to comply with ISO 14001 in the UK, an internationally accepted standard that outlines how to put an effective environmental management system in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR are approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisation's adherence to PCI DSS.
As members of CHECK we are measured against high standards set by CESG for the services we provide to Her Majesty's Government.
As a Certified Simulated Attack Manager and Certified Simulated Attack Specialist, MWR are authorized by CREST to perform STAR penetration testing services.