Detecting Lateral Movement – Decoding Cyber Threats with MITRE ATT&CK and Proactive Monitoring

23andMe is a personal genomics and biotechnology company based in Sunnyvale, California, and is known for its direct-to-consumer genetic testing kits. According to a blog post posted on its website on October 6, 2023, the company acknowledged falling victim to a credential-stuffing attack on its website. This cyberattack involved using stolen login credentials to enable unauthorized access to the personal identifiable information of numerous users without directly compromising the 23andMe database. A notable aspect of this breach was the exploitation of a feature that allowed users to share their genetic information with relatives. This allowed the attackers to move laterally across connected accounts in users’ genetic family trees, which greatly amplified the breach’s impact.

What is a Lateral Movement Attack

While not a true example of a lateral movement attack, the 23andMe example demonstrates how attackers can move laterally or horizontally from one compromised system to another. Lateral movement relies on ‘east/west’ traffic, which is typically perceived as routine within a network. Users may perform tasks such as checking email, accessing cloud-based applications, and browsing assets internally. This differs from ‘north/south’ traffic, which travels in and out of the network and is subject to firewall and endpoint detection tools.

Lateral movement techniques can vary, but they typically involve exploiting vulnerabilities or weaknesses in a network, system, or application configuration to gain unauthorized access to additional resources. Threat actors may use compromised credentials, employ malware like worms, remote access tools, or take advantage of misconfigurations to move stealthily through the network, making it more challenging for defenders to detect and mitigate their activities. This lateral movement allows an attacker to perform reconnaissance and seek out higher-level privileges or sensitive data access. Attackers have been known to move laterally through a victim’s network for days, weeks, or even months.

Why Lateral Movement Attacks are Hard to Detect

Detecting lateral movement in an attack is a formidable task because it often mirrors legitimate actions when attackers possess valid credentials. This tactic known as living off the land allows the attackers to simply impersonate actual users. This scenario can be likened to an attacker gaining control of a social media account and seamlessly navigating through connected profiles, groups, and content. How does the social media provider go about discerning whether the actions are legit? Even with logging and monitoring in place, these suspicious behaviors can become obscured within the deluge of alerts generated by the many systems of a modern network.

Early Detection is the Key

The unfortunate reality that unauthorized lateral movements are difficult to detect is what makes them a preferred tactic among threat actors. It is estimated that approximately 60% of attacks involve lateral movements, underscoring the need to develop effective identification methods. It is estimated that lateral movements are present in roughly 60% of attacks. Because they are so difficult to discern, early detection is the key. Early detection allows organizations to proactively intervene and mitigate a threat before it progresses further, thereby reducing the potential damage and disruption caused by advanced attacks employing lateral movement techniques.

Basic Tools to Stop or Reduce Lateral Movement

You don’t have to worry about something that never takes place. One way to do that is to employ additional security measures like Multi-Factor Authentication (MFA) to fortify user access. Attackers need valid credentials before they can move laterally throughout your IT estate. MFA mandates multiple forms of authentication which thwarts straightforward credential-stuffing attacks. By implementing MFA, organizations can prevent unauthorized access and mitigate the risk of lateral movement from the outset,

You can also block lateral movements from occurring by dividing your network into separate partitions with micro-segmentation. This segmenting of the network is done using strict access controls that only allow authorized communication between specific segments or workloads. This design helps contain a breach or malware outbreak and prevents further lateral movement between systems.

Real-time Advanced Monitoring and Analysis

While traditional monitoring solutions simply forward vast numbers of alerts and logging events to a centralized team, advanced monitoring solutions today leverage sophisticated tools and algorithms to detect anomalies, such as a user accessing an uncommon application or changes in application rules. They can incorporate behavioral analytics and machine learning to establish a baseline of normal behavior. Any deviation from these baselines then triggers alerts to security teams for further investigation. By scrutinizing patterns and anomalies, these solutions can identify suspicious activities such as unauthorized access, privilege escalation, or unusual data transfers that may signify lateral movement.

While many SMBs may not have the resources to acquire advanced cybersecurity solutions and talent, they are increasingly relying on Security Operation Centers (SOCs). SOCs such as CYREBRO can not only incorporate these advanced tools but also employ dedicated personnel with the expertise to interpret and respond to security alerts effectively. CYREBRO analysts use intelligent monitoring tools to protect business continuity on a 24/7 basis.

Using the MITRE ATT&CK Framework

The MITRE ATT&CK framework provides a comprehensive catalog of known adversary techniques and tactics that provides organizations a way to stay informed about the latest attack methods and lateral movement strategies employed by threat actors and identify them. The framework can be incorporated into risk assessments to evaluate one’s security posture against later movement tactics and incident response plans to accelerate mitigation efforts. Aligning your security controls and measures with documented ATT&CK tactics and techniques enables your digital business to proactively prepare for inevitable challenges, a strategic approach embraced by CYREBRO.

Conclusion

Detecting lateral movement presents a significant challenge for businesses striving to fortify their digital defenses, but because threat actors persistently employ this tactic, dealing with it is unavoidable. In the end, you don’t care if an attack is horizontal or vertical, you just want to safeguard systems and data from threat actors and malicious code. Entrusting your cybersecurity to an experienced MDR alleviates the need to worry about the direction of an attack. Like early cancer detection, timely identification is crucial, and through ongoing monitoring and the integration of frameworks like MITRE ATT&CK, this goal can be achieved.

Sign Up for Updates