Lateral movement is one of the most consequential types of network activity for which organizations need to be on the lookout.

After gaining a foothold on the network, the attacker maintains ongoing access by moving through the compromised environment and obtaining increased privileges (known as “privilege escalation”) using various tools and techniques.

Attackers then use those privileges to move deeper into the network in search of high-value data and other prized assets.

As such, lateral movement is a key characteristic that differentiates today’s advanced persistent threats (APTs) from traditional cyberattacks. It’s the sign of a threat actor sophisticated enough to work at avoiding detection and retaining access even if its presence is discovered on the machine it first infected.

With this extended dwell time, the threat actor might not begin pilfering data until weeks or even months after the original breach occurred.

Network Knowledge: The Key to Beating Lateral Movement

In order to defend against lateral movement, it’s important to understand what the environment should look like, how it is managed and how it can be set up for optimal operations.

Having a security baseline that’s tied to the critical information security controls is of paramount importance in that effort. As hardware, software and other assets deviate from their secure baselines, those deviations become clear indicators that something is out of compliance with its “golden image.”

But what processes should you use to maintain those configurations? And what will the process be for continuously monitoring these devices for change?

As an example, say that your router deviates from its baseline configuration. You need to be able to identify what those changes were in order to figure out if they’re part of suspicious activity on the network. Regardless of whether they’re benign
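To make the router example concrete, here is an added illustration (not code from the original post) of a baseline-drift check: it diffs a device's current configuration against its golden-image baseline and flags any added or removed line that touches accounts, credentials, ACLs or management-plane access. Both configuration snippets are constructed sample data in an IOS-like syntax, and the risk rules are assumptions chosen for the example; a real deployment would pull the running config from the device and keep the baseline under version control.

```python
"""Configuration drift check against a golden baseline (added example).

The two configs below are constructed sample data, not taken from any real
device. HIGH_RISK_PATTERNS is an assumed rule set for the illustration.
"""
import difflib
import re
from typing import Dict, List, Optional, Tuple

# Constructed golden-image configuration (the approved baseline).
BASELINE_CONFIG = """\
hostname edge-rtr-01
enable secret 5 $1$placeholder
username netops privilege 15 secret 5 $1$placeholder
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny any
snmp-server community READONLY-PLACEHOLDER RO
line vty 0 4
 access-class 10 in
 transport input ssh
ntp server 10.0.0.5
"""

# Constructed current configuration that has drifted from the baseline:
# a new privileged account, an opened ACL, the VTY access restriction
# removed, telnet enabled, and one benign extra NTP server.
CURRENT_CONFIG = """\
hostname edge-rtr-01
enable secret 5 $1$placeholder
username netops privilege 15 secret 5 $1$placeholder
username svc-backup privilege 15 secret 5 $1$other
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 permit any
snmp-server community READONLY-PLACEHOLDER RO
line vty 0 4
 transport input telnet ssh
ntp server 10.0.0.5
ntp server 10.0.0.6
"""

# Assumed risk rules: a change to any line matching one of these patterns
# alters who can log in, what they can reach, or how the device is managed,
# so it is treated as suspicious until someone explains it.
HIGH_RISK_PATTERNS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"^username "), "local account changed"),
    (re.compile(r"^enable (secret|password)"), "enable credential changed"),
    (re.compile(r"^access-list "), "ACL changed"),
    (re.compile(r"^\s*access-class "), "VTY access restriction changed"),
    (re.compile(r"^\s*transport input "), "management protocol changed"),
    (re.compile(r"^snmp-server community"), "SNMP community changed"),
]


def normalize(config: str) -> List[str]:
    """Drop blank lines and trailing whitespace so cosmetic edits don't alert."""
    return [ln.rstrip() for ln in config.splitlines() if ln.strip()]


def classify(line: str) -> Optional[str]:
    """Return the risk label for a changed line, or None if it is low risk."""
    for pattern, label in HIGH_RISK_PATTERNS:
        if pattern.search(line):
            return label
    return None


def detect_drift(baseline: str, current: str) -> Dict[str, list]:
    """Diff the current config against the baseline and flag risky changes.

    Returns {"added": [...], "removed": [...], "flagged": [(change, line, label)]}.
    Every added or removed line is reported; only lines matching a risk rule
    end up in "flagged", so benign drift (e.g. an extra NTP server) is
    visible but does not raise an alert on its own.
    """
    base, cur = normalize(baseline), normalize(current)
    added: List[str] = []
    removed: List[str] = []
    matcher = difflib.SequenceMatcher(a=base, b=cur, autojunk=False)
    for op, i1, i2, j1, j2 in matcher.get_opcodes():
        if op in ("replace", "delete"):
            removed.extend(base[i1:i2])
        if op in ("replace", "insert"):
            added.extend(cur[j1:j2])
    flagged = []
    for change, lines in (("removed", removed), ("added", added)):
        for line in lines:
            label = classify(line)
            if label:
                flagged.append((change, line, label))
    return {"added": added, "removed": removed, "flagged": flagged}


def format_report(result: Dict[str, list]) -> str:
    """Render the drift result as a short, human-readable review list."""
    out = [f"{len(result['added'])} added, {len(result['removed'])} removed, "
           f"{len(result['flagged'])} high-risk"]
    for change, line, label in result["flagged"]:
        out.append(f"  [{label}] {change}: {line.strip()}")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(detect_drift(BASELINE_CONFIG, CURRENT_CONFIG)))
```

The point of separating "all drift" from "flagged drift" is the question the post raises: a deviation from the golden image is the trigger, but the reviewer still needs to know which lines changed to decide whether the change is benign housekeeping or a sign that someone is widening their access to the device.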