It has been almost a month since my last MITRE ATT&CK Tactic-focused entry, and I apologize! When we discussed Discovery, we saw many ways adversaries explore the target environment after Initial Access. Depending on the threat, that information might be used for any number of malicious goals. Threat actors locate files and credentials of interest and uncover details of defenses and configurations. They could learn compromising information about a victim. Many aim to gain illicit access into victim’s financial or intellectual property. Almost every threat actor plans on expanding their reach and to pivot throughout an environment. This “lateral movement” allows the attacker to spread activities out, impact more systems, and achieve even greater levels of persistence. Whether a cyber adversary or an invading army, lateral movement is essential to many other goals or tactics. So let’s take a look at how the ATT&CK tactic of Lateral Movement works!

The Importance of Lateral Movement

Defenders lack resources and they must react to many adversary behaviors. When an attacker expands their front, it imparts stress and uncertainty to that defender. Some activity may be overt, and that alone may cause strain. With the sophistication of attackers increasing, however, they haunt defenders with the very real possibility that they are missing some activity. What is going on that they don’t know about? Where else does evil lurk? While focusing on the known areas of compromise, what does that do to weaken as-of-yet uninvolved areas of the environment?

Lateral Movement (TA0008) is a group of techniques that an adversary deploys to gain access to and control any additional systems in the target environment. Attackers without Lateral Movement cannot hope to impact their victims. Traditional warfare would see the defenders quickly encircle the invaders and repel them more often. And for cyber warfare it is no different. Adversaries without must compromise any targets remotely, one at a time. This is noisy, cumbersome, and in many cases impossible.

“We’re paratroopers, lieutenant – we’re supposed to be surrounded”

As I began writing this on the anniversary of D-Day (6 June 1944), I think it is probably fitting to look at how lateral movement was critical to the Allies invasion. As we mentioned in the Discovery piece, the landing of infantry and insertion of airborne troops was far from perfect. Strong currents took Higgins Boats far from their intended landing zones. Excessive flak (anti-aircraft fire) and winds forced frightened pilots to drop paratroopers far from assigned landing zones and at excessive speeds. Despite this, Allied forces managed to think on their feet and take what circumstances handed them. Captain Richard Winters (of 101st Airborne and HBO’s “Band of Brothers” fame) delivered the quote in the heading above. Lateral movement is assumed. It was always part of the plan.

Lateral Movement takes time, but it sure helps the attacker become extremely difficult to unseat.

Even had they been on-target, defeating the German defenses depended on the Allies ability to rapidly pivot and expand the number of control points that they held before defenders could rally. The success of any attack hinges greatly on the momentum and positions carried by either side. As much chaos as the Allies were coping with, the German forces were now beset by the same confusion and ill-prepared to match the dynamic on-the-fly nature of the Allied forces.

Improvisation is key in lateral movement

We’ll start the war from right here.

Brigadier General Theodore Roosevelt Jr., upon landing at the wrong location on Utah Beach

Each force in the invasion had multiple objectives laid out before them, both ranked by importance but also offering options to ensure room for improvisation. While the forces landing were largely in disarray, the decentralized command structure empowered junior officers and non-commissioned officers (NCOs – a.k.a. corporals, sergeants, and the like) to act on the objectives attainable, rather than be too prescriptive. In doing so, the attackers/invaders were able make inroads and pivoted to secure many objectives deemed vital to holding their beachhead. Because all leaders in the invading force were aware of the major objectives and their relative importance, they were able to piece together forces to take important gun positions, capture strategic crossroads, and eliminate fortifications that threatened the allied positions.

Cyberattack Lateral Movement is no different

Much as Allied forces relied on lateral movement to achieve their objectives, so must any threat actor. As many a coach or military leader might say, “you have to take what the opponent will give you.” In cyber attacks, this usually means that initial access is rarely on the system they desire, but rather that some work and ingenuity is required to pivot and ‘earn’ their way into those systems. Even less-protected environments rarely see domain controllers or databases directly accessible to the Internet. Without Lateral Movement, ransomware operators like Conti or espionage outfits like Turla would be ineffective and their threat to defenses limited.

Threat actors seek high ground within the environment much like their traditional forebears. Domain controllers, database servers, web applications, or infrastructure devices all offer control points of interest. Many of these systems provide privileged access that is golden to sustained attacks – much like the capture and use of supply lines in a traditional conflict! Others are the end objective – capture or compromise of these objectives means victory. That may mean different things to different attackers. Stolen information, disrupted services, tainted data, or frustrated users are all end goals for different groups.

Lateral Movement: taking what they give you

MITRE ATT&CK assigns a relatively succinct list of 9 techniques to Lateral Movement. While direct (and detectable) paths might be tempting, they use many techniques to gain that access. Some of these are more covert than others, and it is rare to see a single technique used exclusively.

Lateral Movement may seem limited in Techniques, but there is a lot of room for innovation in each.

Several of these techniques are similar to Initial Access methods. Looking at you, Remote Service Session Hijacking (T1563), Remote Services (T1021), and Exploitation of Remote Services (T1210)! Why are they here again? Well hopefully defenders closed those ports and protocols to outsiders, blocking them outright with a firewall or limiting their exposure using an ACL. But maybe they have utility inside the environment itself! Once another Initial Access method is successful, the adversary looks just like a legitimate inside user on a trusted system.

Use Alternate Authentication Material (T1550) is hijacking on another level. In this case the adversary is taking advantage of the authentication mechanisms in place to use any domain tools or LAN-level privileges normally limited to authenticated users, administrators, etc. Exploiting remote services is bad, but those are (hopefully) rarely enabled everywhere. The same cannot be said for admin-level PowerShell, wmi, net, and SMB use.

Any of the above techniques can be fed or enhanced by Internal Spearphishing (T1534). This technique can be used to both steal credentials outright or hijack session cookies and tokens.

Sometimes attackers are happy with just pivoting using LOLBins, but in some cases they bring payloads with them. Lateral Tool Transfer (T1570), Software Deployment Tools (T1072), Tainting Shared Content (T1080) and Replication through Removable Media (T1091) are all ways to deliver that payload on the inside.

How can we stymie Lateral Movement?

Lateral Movement can be tricky to stop, so the key is to blend strong policy and hardening of systems with a well-monitored detection approach. Some of the most universal mitigations are common sense, but they can be painful without well-bounded scopes and buy in from stakeholders:

  • Endpoint behavioral and execution prevention are vital to most effective defenses. These engines detect and prevent the running of scripts with abnormal strings or switches in use.
  • System hardening nips malicious protocol or service abuse in the bud. Turning off unneeded services and limiting those that remain to very narrow use cases is the single most important measure. While you are at it, consider turning off autoruns and protecting across new hardware (USB devices, NICs) to close those holes as well.
  • Strong authentication and account privilege management are critical. Add phish-resistant MFA, clamp down on privileges (both by user and location) and continually monitor both user and service accounts.
  • Verify everything before allowing it to come into your environment. Sandboxing, using threat feeds, scanning for vulnerabilities, and ensuring patches are applied will cut down on the opportunities for an exploit to land on a vulnerable system.
  • Segment the environment! Consider not just L2/L3 network segmentation, but division of responsibilities, segmentation of access, the use of bastion hosts, and the prohibition of work & play support from a single browser or system.

Balance these with detection capabilities. Network Detection & Response (NDR) tools, system logs processed in an XDR or SIEM, and adjacent detections of low prevalence executables, odd transfers, and the like will be canaries in the coal mine.

Conclusion

Where many of the preceding tactics offered a lot of variance, Lateral Movement tends to be more narrowly focused on using whatever is available to hop to another system. This usually means the propagation of a payload or the repeated use of favored LOLBins or remote services. While these may be tough to prevent, we have lots of behavioral means by which to detect them. This may seem easy, but two questions arise: 1) do you have the knowledge necessary to understand that behavior is bad? and 2) once lateral movement is identified, what do you do to remediate it effectively?

The German High Command struggled with both of those questions in the time following D-Day. The German Army had innovated greatly in the first years of the war, but now found themselves out-hustled and out maneuvered by a more agile and dynamic allied invasion. Their forces were crippled by the loss of important roads and railway exchanges. Even if they did have an accurate picture, they lacked any plan to respond. Their air power was outmatched and their field commands hampered by a reliance on Hitler’s direct commands to alter plans.

Screenshot showing TinyTurla NG's typical operation flow in early 2024.
TinyTurlaNG, a lateral movement heavy operation run by a Russian APT, is full of LOLBins and detectable TTPs. We only need to listen!

Cyber defenders don’t have to fall victim to this. Look at TinyTurla NG’s operational flow above. We’re not moving troops or gaining & losing real estate here, we’re defending digital environments where the line between success and failure comes down to using what you have. 43 mitigations exist in MITRE’s ATT&CK database, and well over half of those are present in your environment’s own systems (OS, infrastructure, etc.). Are they dormant? And of the detection or data sources, are you listening to them? Most of what even a major APT is using against us is detectable or preventable (or both). Disrupt them!

I hope this long-awaited blog post is useful to you – please let me know what you think and feel free to weigh in in the comments! Have a great week!