In this article I want to highlight one of the tactics malicious actors use to move within your network: lateral movement. Let’s define lateral movement and review how Stamus Security Platform can help.
This series (Threats! What Threats?) came about as a result of a conversation with my colleague Steve Patton. He believed that we at Stamus Networks weren’t going deep enough to elaborate on what we meant when we mentioned “threats”. He made a good point: while we often talk about threats, we had not yet elaborated on which threats, how they work, and why they are harmful.
Top athletes understand the importance of being able to move laterally to evade a defender or mount an attack on goal. This is why athletes spend countless hours training to improve their lateral agility to gain an advantage.
Similarly, lateral movement allows cyber attackers to move deeper into a compromised environment after gaining initial access, avoiding detection by moving through different hosts.
A threat actor will often gain access to an endpoint through a phishing attack or malware infection, and then use various tools to obtain increased privileges. The attacker then imitates a legitimate user to move through different systems until they reach their desired end goal of finding sensitive data or high-value assets. By employing lateral movement techniques, an attacker might avoid detection for weeks or months after the initial breach.
Lateral movement typically progresses through three stages:
Lateral movement is often very difficult to detect because it blends in with normal network traffic. Attackers achieve this using remote access malware such as Remote Access Trojans (RATs). Because it is very difficult for prevention controls to block lateral movement, the most effective method of defense is early detection.
Stamus Security Platform (SSP) is well equipped to detect lateral movement because it employs a more complete set of detection methods than one-dimensional intrusion detection system (IDS), network security monitoring (NSM), or network detection and response (NDR) solutions. By observing brute force activity, suspicious administrative behaviors, or suspect SMB/DCERPC/ICMP/TCP protocol-related activity, SSP can typically detect lateral movement early in the kill chain timeline, shortly after initial system access.
In addition, unlike other network security solutions, SSP uses advanced prioritization algorithms to cut through the noise caused by a typical IDS or NSM “alert cannon”, all while retaining the context and evidence needed to understand the complete picture of a given incident. In this way, Stamus Security Platform essentially eradicates false positives, and delivers what we call Declarations of Compromise™ to notify the security team of only the most serious and imminent threats like lateral movement.
So, by searching for anomalies in credential usage, logon failures, application usage, connectivity patterns, port and protocol usage, and connection details, SSP can detect and prioritize lateral movement attacks and push only the most urgent incidents to the top of your queue. This way the security team can catch threats before they cause substantial damage.
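To make the two signals mentioned above concrete, here is a small added example (not code from the original article or from Stamus Networks) that runs over constructed authentication and connection records. It flags a burst of logon failures to one host followed by a success (brute force), a single source reaching several distinct internal hosts on administrative ports within a short window (scripted fan-out), and then ranks sources so that a host exhibiting both behaviors surfaces first rather than as a pile of raw alerts. The record field names, port list, thresholds, and sample addresses are all assumptions chosen for the illustration.

```python
"""Toy lateral-movement detector over constructed flow/auth records.

Added illustration, not Stamus Networks code.  Field names (ts, src, dst,
dport, auth), the administrative port list and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real traffic).  "auth" is the logon outcome
# observed on the connection, or None for flows without an authentication step.
SAMPLE_RECORDS = [
    # 10.0.1.5 fails five times against 10.0.2.10 within seconds, then succeeds
    {"ts": "2024-01-10T09:00:01", "src": "10.0.1.5", "dst": "10.0.2.10", "dport": 445, "auth": "fail"},
    {"ts": "2024-01-10T09:00:02", "src": "10.0.1.5", "dst": "10.0.2.10", "dport": 445, "auth": "fail"},
    {"ts": "2024-01-10T09:00:03", "src": "10.0.1.5", "dst": "10.0.2.10", "dport": 445, "auth": "fail"},
    {"ts": "2024-01-10T09:00:04", "src": "10.0.1.5", "dst": "10.0.2.10", "dport": 445, "auth": "fail"},
    {"ts": "2024-01-10T09:00:05", "src": "10.0.1.5", "dst": "10.0.2.10", "dport": 445, "auth": "fail"},
    {"ts": "2024-01-10T09:00:30", "src": "10.0.1.5", "dst": "10.0.2.10", "dport": 445, "auth": "success"},
    # ...and then reaches two more hosts over SMB/DCERPC within minutes
    {"ts": "2024-01-10T09:02:00", "src": "10.0.1.5", "dst": "10.0.2.11", "dport": 445, "auth": "success"},
    {"ts": "2024-01-10T09:03:00", "src": "10.0.1.5", "dst": "10.0.2.12", "dport": 135, "auth": None},
    # 10.0.1.7 is an ordinary workstation: one file-share logon and some web traffic
    {"ts": "2024-01-10T09:01:00", "src": "10.0.1.7", "dst": "10.0.2.10", "dport": 445, "auth": "success"},
    {"ts": "2024-01-10T09:01:30", "src": "10.0.1.7", "dst": "10.0.2.50", "dport": 80, "auth": None},
]

# Ports commonly used for remote administration (assumed list): SMB, DCERPC
# endpoint mapper, NetBIOS session, RDP, WinRM (HTTP/HTTPS).
ADMIN_PORTS = {445, 135, 139, 3389, 5985, 5986}


def parse_record(rec):
    """Normalize one record into a tuple sorted later by timestamp."""
    return (datetime.fromisoformat(rec["ts"]), rec["src"], rec["dst"], rec["dport"], rec.get("auth"))


def _sorted_events(records):
    return sorted((parse_record(r) for r in records), key=lambda e: e[0])


def detect_brute_force(records, fail_threshold=5, window=timedelta(minutes=5)):
    """Return (src, dst, failure_count) for every source that logged at least
    fail_threshold failures against one host inside the window and then succeeded."""
    findings = []
    by_pair = defaultdict(list)
    for ts, src, dst, _dport, auth in _sorted_events(records):
        if auth:
            by_pair[(src, dst)].append((ts, auth))
    for (src, dst), events in by_pair.items():
        recent_fails = []
        for ts, auth in events:
            # Keep only failures that are still inside the sliding window.
            recent_fails = [t for t in recent_fails if ts - t <= window]
            if auth == "fail":
                recent_fails.append(ts)
            elif auth == "success" and len(recent_fails) >= fail_threshold:
                findings.append((src, dst, len(recent_fails)))
                recent_fails = []
    return findings


def detect_fanout(records, host_threshold=3, window=timedelta(minutes=10)):
    """Return (src, hosts) for every source that contacted at least host_threshold
    distinct hosts on administrative ports within the window."""
    findings = []
    by_src = defaultdict(list)
    for ts, src, dst, dport, _auth in _sorted_events(records):
        if dport in ADMIN_PORTS:
            by_src[src].append((ts, dst))
    for src, events in by_src.items():
        for i, (start, _) in enumerate(events):
            hosts = {d for t, d in events[i:] if t - start <= window}
            if len(hosts) >= host_threshold:
                findings.append((src, tuple(sorted(hosts))))
                break  # one finding per source is enough for triage
    return findings


def prioritize(records):
    """Rank sources: brute force plus fan-out from the same host is 'critical',
    either signal alone is 'high'.  Sources with no finding are not reported."""
    score = defaultdict(int)
    for src, _dst, _n in detect_brute_force(records):
        score[src] += 1
    for src, _hosts in detect_fanout(records):
        score[src] += 1
    ranked = [(src, "critical" if s >= 2 else "high") for src, s in score.items()]
    return sorted(ranked, key=lambda item: (item[1] != "critical", item[0]))


if __name__ == "__main__":
    for src, level in prioritize(SAMPLE_RECORDS):
        print(f"{level.upper():8} {src}")
```

In a real deployment the records would come from the sensor's flow and authentication logs rather than an inline list, and the thresholds would be tuned to the environment so that routine administrative fan-out from a known management host does not score as suspicious.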
So, next time my colleague Steve asks “why don’t we ever mention the types of threats we’re talking about?” I can thank him and point him to this blog series.
If you’d like to get a live demonstration of Stamus Security Platform or discuss how it might help you detect and respond to threats in your network, please click on the button below to request a demo.