Lateral movement is an attack technique used by threat actors to navigate a network in search of increasingly valuable information after gaining initial access. They may seem like just another user, but in reality cyberattackers are exploiting the interconnectedness of modern networks, probing for valuable assets.
These assets can range from sensitive customer data to proprietary intellectual property. The ultimate objective of lateral movement is to silently locate and exfiltrate this valuable information, making it a highly effective and commonly used method of attack. Lateral movement also serves as a persistence technique, meaning attackers can access the breached network over extended periods— making it challenging for security teams to detect and mitigate.
Lateral movement isn't a one-and-done process. It typically involves three stages: reconnaissance, credential dumping or privilege escalation, and gaining access.
Reconnaissance is the first step in a lateral movement attack, and it's where attackers get a feel for the network. During this stage, threat actors look around, identifying potential targets and vulnerabilities. Cybercriminals might employ a variety of tools and techniques during this phase. Network scanners, such as Nmap or Nessus, are commonly used to map out the network's topology, identify active hosts, and discover open ports and services. These tools can provide a wealth of information about the network, including what software is being used and where potential weak points might exist.
In addition to network scanning, attackers might also engage in social-engineering tactics, such as phishing, to gather valuable information. Cyberattackers may also use web crawlers or spiders to gather information from public websites and social media platforms.
The goal of the reconnaissance phase is to gather as much information as possible to plan the next steps of the attack.
Once they've got the lay of the land, attackers move on to the next stage: acquiring higher-level privileges. This is often done by stealing credentials or exploiting system vulnerabilities. For example, cybercriminals might use a phishing attack, sending a seemingly innocent email that tricks users into entering their credentials on a fake login page. Or they might exploit a known software vulnerability, like a buffer overflow, to gain elevated privileges.
Now that they've got the access they need, attackers can get to the targeted systems or data. They might use their new privileges to get to sensitive data, for instance, by accessing a database using stolen credentials and running SQL queries to extract data. Or they might install malware, like a backdoor, that allows them to maintain a presence within the network and keep control of certain systems.
By understanding the stages of lateral movement, we can better prepare defenses and respond more effectively when an attack occurs.
When we talk about lateral movement, it's crucial to understand that it can occur both in on-premises environments and in the cloud. However, the method of attack in these two environments can be quite different due to several factors:
Identity access management (IAM): In on-premises environments, IAM is often managed through centralized systems like Active Directory. This makes lateral movement a bit more straightforward for attackers once they've compromised a system: they can use the same set of credentials to move around. IAM can be more complex in the cloud due to the variety of services and resources that need to be managed. Unfortunately, complexity can create more opportunities for lateral movement, as attackers can exploit misconfigurations or weak policies to gain access to different resources.
Deployments and configurations: On-premises environments often have a static configuration, which means that once attackers understand the network layout, they can plan their lateral movement strategy. Cloud environments, on the other hand, are dynamic and can change rapidly. The cloud's dynamism can make lateral movement more challenging to detect, as attackers can take advantage of the constantly changing environment to move around unnoticed.
Complex architecture: Cloud environments often have more complex architectures than on-premises environments. With services spread across different regions, availability zones, and VPCs, tracking lateral movement can be a challenge. In contrast, on-premises environments usually have a more straightforward architecture, making it easier to monitor for signs of lateral movement.
Lateral movement in the cloud can take many forms, depending on the resources and services being used. Here are some common techniques:
Attackers often exploit remote services like Secure Shell (SSH) or Remote Desktop Protocol (RDP) to move laterally in the cloud. For example, if an attacker gains access to an EC2 instance in AWS, they could use SSH to connect to other instances in the same network. Once inside the VPC, they can also search for additional remote services that can be exploited.
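One defensive counterpart to the SSH/RDP hopping described above is to watch for a single instance opening remote-service sessions to many peers inside the VPC. The following script is an added example, not code from Wiz or from this article: it parses AWS VPC Flow Log records in the default version-2 field order and flags internal sources that reach an unusual number of distinct internal hosts on ports 22 or 3389. The log lines, account ID, ENI, the "internal" address ranges and the fan-out threshold are all constructed assumptions for the example.

```python
"""Detect SSH/RDP fan-out inside a VPC from AWS VPC Flow Log records.

Added example (not Wiz code). Log lines, account ID, ENI and thresholds
are constructed for this example; the default version-2 field order is
the only part taken from the AWS flow log format itself.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Field order of the default (version 2) VPC flow log format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Ports for the remote services the article names (SSH and RDP).
REMOTE_SERVICE_PORTS = {22: "SSH", 3389: "RDP"}

# Ranges treated as "inside the VPC" (assumption for this example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed sample: 10.0.1.10 opens SSH/RDP to four internal peers,
# one more attempt is rejected, and two unrelated flows are mixed in.
SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d 10.0.1.10 10.0.1.20 51234 22 6 20 4249 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.10 10.0.1.21 51240 22 6 18 3900 1700000010 1700000070 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.10 10.0.2.5 51250 22 6 22 4500 1700000020 1700000080 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.10 10.0.2.6 51260 3389 6 30 9000 1700000030 1700000090 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.10 10.0.3.7 51270 22 6 1 60 1700000040 1700000100 REJECT OK
2 111122223333 eni-0a1b2c3d 10.0.1.30 10.0.1.20 44000 443 6 100 80000 1700000050 1700000110 ACCEPT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.20 40000 22 6 5 500 1700000060 1700000120 ACCEPT OK
"""


def is_internal(addr):
    """True if the address falls in one of the assumed VPC ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow_log(text):
    """Turn raw flow log text into a list of field dicts.

    Lines with a missing field count (for example NODATA/SKIPDATA rows,
    which carry '-' placeholders but still 14 columns) are kept only
    when they have a usable dstport.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if not rec["dstport"].isdigit():
            continue
        records.append(rec)
    return records


def detect_fanout(records, threshold=3):
    """Return {srcaddr: sorted peer list} for internal sources that had
    accepted SSH/RDP flows to at least `threshold` distinct internal peers.

    Only ACCEPT rows count as a successful hop; a REJECT row is an
    attempt blocked by a security group or NACL and is not counted here.
    """
    peers = defaultdict(set)
    for rec in records:
        if int(rec["dstport"]) not in REMOTE_SERVICE_PORTS:
            continue
        if rec["action"] != "ACCEPT":
            continue
        if not (is_internal(rec["srcaddr"]) and is_internal(rec["dstaddr"])):
            continue
        peers[rec["srcaddr"]].add(rec["dstaddr"])
    return {src: sorted(dsts) for src, dsts in peers.items()
            if len(dsts) >= threshold}


if __name__ == "__main__":
    for src, dsts in detect_fanout(parse_flow_log(SAMPLE_LOG)).items():
        print(f"possible lateral movement from {src}: "
              f"{len(dsts)} internal peers on SSH/RDP -> {', '.join(dsts)}")
```

The threshold is the tunable part: a bastion or configuration-management host legitimately fans out to many peers, so in practice the check is paired with an allowlist of such sources, and the REJECT rows (dropped here) are worth counting separately as a scanning signal.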
Attackers can also move laterally in the cloud by abusing valid accounts. If an attacker compromises a user's credentials, they could use those credentials to access cloud services that the user has permissions for.
Worms are a kind of malware named for their ability to self-replicate and spread over a network. In the cloud, for example, a worm could move from one instance to another by exploiting vulnerabilities or weak security settings.
VPC peering forms a network bridge between two virtual private clouds (VPCs). The advantage of VPC peering is that users can route traffic via private IP addresses, but attackers exploit this connection to move laterally from one VPC to another.
IaaS and PaaS databases are often used to store private and confidential information. When a threat actor gains access to these databases, they can extract sensitive data or even modify the data to cause disruption.
When looking for valuable assets, cybercriminals tend to target the most accessible or vulnerable resources within compromised virtual private clouds (VPCs). The perfect targets are usually vulnerable workloads, such as internal VMs that are accessible over the network, have critical RCE vulnerabilities, and lack stringent security-group rules.
These are only some of the common methods that threat actors may use for lateral movement in the cloud. There are more techniques, including carrying out lateral movement attacks from the cloud to Kubernetes. Understanding these techniques can help businesses develop effective strategies to pre-empt lateral movement.
"Approximately 58% of cloud environments have at least one publicly exposed workload with a cleartext long-term cloud key stored in it, whereas about 35% of cloud environments feature at least one publicly exposed workload with a cleartext private SSH key."
Wiz Research Team
Preventing lateral movement attacks involves a combination of good security practices and the right tools. Here are some tips:
Firewalls serve as a barrier to prevent unauthorized individuals from gaining access to your network. Make sure to configure strict firewall rules to allow only necessary traffic.
Cleartext keys are an organization’s weakest point and a goldmine for adversaries. Because the exposed keys are visible to anyone—internal or external—who gains access to the source code, these keys can be used to gain access to even more parts of the system. To reduce risk, remove any cleartext cloud and private keys from all systems and use secure methods for key storage and transmission.
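A first step toward the "remove any cleartext keys" advice is finding them. The scanner below is an added example, not Wiz code: it walks a set of files and reports long-term AWS access key IDs, AWS secret access keys assigned in config-style lines, and PEM private key blocks, printing only a masked prefix so the report itself does not leak the secret. The sample files are constructed; the access key and secret values are the placeholders AWS uses in its own documentation, and the private key body is fake.

```python
"""Find cleartext cloud and SSH keys in source or config files.

Added example (not Wiz code). SAMPLE_FILES is constructed: the AWS key
values are the placeholders from AWS documentation and the PEM body is
fake. Patterns are a starting point, not a complete secret catalogue.
"""
import re

# Each pattern captures the secret itself in group 1 so it can be masked.
PATTERNS = {
    # Long-term (AKIA) and temporary (ASIA) AWS access key IDs.
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    # 40-character secret assigned in a config/env style line.
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+]{40})"),
    # PEM private key header (RSA, EC, OPENSSH, DSA or unlabelled PKCS#8).
    "private_key_block": re.compile(
        r"(-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----)"),
}

# Constructed sample repository contents.
SAMPLE_FILES = {
    "app/config.py":
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n',
    "deploy/id_rsa":
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEpAIBAAKCAQEAfakeBodyConstructedForThisExample==\n"
        "-----END RSA PRIVATE KEY-----\n",
    "README.md":
        "Set AWS_ACCESS_KEY_ID in your environment; never commit it.\n",
}


def mask(secret, keep=4):
    """Keep only a short prefix so findings can be triaged without reuse."""
    return secret[:keep] + "..."


def scan_text(path, text):
    """Return findings for one file as a list of dicts (file, line, kind, preview)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({
                    "file": path,
                    "line": line_no,
                    "kind": kind,
                    "preview": mask(match.group(1)),
                })
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping; on disk you would read each file here."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']}: {f['kind']} ({f['preview']})")
```

Once a key is found, the remediation is the one the text gives: revoke and rotate it, move the replacement into a secrets manager or instance role rather than a file, and add the scanner to pre-commit or CI so the same key cannot land again.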
Private links can provide a secure connection between different parts of a network, reducing the risk of lateral movement.
Use network segmentation to isolate different parts of a network. This helps to constrict an attacker’s lateral movement abilities.
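The firewall and segmentation advice above translates, in AWS, into security-group rules that admit SSH and RDP only from a small admin range rather than from the internet or the whole VPC. The audit below is an added example, not Wiz code: it reads a document in the shape of `aws ec2 describe-security-groups` output and reports management ports reachable from 0.0.0.0/0 or ::/0 (no firewall boundary) or from a CIDR covering the entire VPC (no segmentation), then shows the restricted rule it would substitute. The security groups, the VPC CIDR and the admin subnet are constructed assumptions.

```python
"""Audit AWS security groups for SSH/RDP exposure that enables hopping.

Added example (not Wiz code). SAMPLE_SGS mimics the shape of
`aws ec2 describe-security-groups` output but its groups, IDs, the VPC
CIDR and the admin subnet are constructed for this example.
"""
import json
from ipaddress import ip_network

MGMT_PORTS = {22: "SSH", 3389: "RDP"}
VPC_CIDR = ip_network("10.0.0.0/16")   # assumed VPC range
ADMIN_CIDR = "10.0.250.0/24"           # assumed bastion/admin subnet

SAMPLE_SGS = json.loads("""
{"SecurityGroups": [
 {"GroupId": "sg-web-EXAMPLE", "GroupName": "web", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]},
 {"GroupId": "sg-app-EXAMPLE", "GroupName": "app", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
   {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
    "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-web-EXAMPLE"}]}]},
 {"GroupId": "sg-db-EXAMPLE", "GroupName": "db", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
    "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-app-EXAMPLE"}]},
   {"IpProtocol": "-1",
    "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
 {"GroupId": "sg-hardened-EXAMPLE", "GroupName": "hardened", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "10.0.250.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]}
]}
""")


def rule_covers_port(perm, port):
    """True if an ingress permission admits TCP traffic to `port`.
    IpProtocol "-1" means all protocols and ports (no From/ToPort given)."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_security_groups(doc, vpc_cidr=VPC_CIDR):
    """Return (group_id, service, cidr, issue) tuples.

    issue is "internet-exposed" for a /0 source, or "whole-vpc" when the
    source CIDR contains the entire VPC, i.e. no segmentation at all.
    Security-group references (UserIdGroupPairs) are already scoped and
    are not flagged.
    """
    findings = []
    for sg in doc["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            cidrs = ([r["CidrIp"] for r in perm.get("IpRanges", [])] +
                     [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
            for port, service in MGMT_PORTS.items():
                if not rule_covers_port(perm, port):
                    continue
                for cidr in cidrs:
                    net = ip_network(cidr)
                    if net.prefixlen == 0:
                        findings.append((sg["GroupId"], service, cidr, "internet-exposed"))
                    elif net.version == vpc_cidr.version and vpc_cidr.subnet_of(net):
                        findings.append((sg["GroupId"], service, cidr, "whole-vpc"))
    return findings


def restricted_rule(port, admin_cidr=ADMIN_CIDR):
    """The corrected permission: the same port, reachable only from the admin subnet."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": admin_cidr}], "Ipv6Ranges": [], "UserIdGroupPairs": []}


if __name__ == "__main__":
    for group, service, cidr, issue in audit_security_groups(SAMPLE_SGS):
        port = next(p for p, s in MGMT_PORTS.items() if s == service)
        print(f"{group}: {service} open from {cidr} ({issue}); "
              f"replace with {json.dumps(restricted_rule(port))}")
```

The "whole-vpc" class is the one most relevant to lateral movement: a rule such as the db group's "all traffic from 10.0.0.0/8" looks internal and harmless, but it means any compromised instance anywhere in the VPC can reach the database host over SSH and RDP, which is exactly the path the techniques above rely on.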
It's important to routinely scan systems for vulnerabilities and patch them immediately to avoid security breaches. Unpatched vulnerabilities can provide an easy path for lateral movement.
The above are just a few mitigation techniques that prevent some common lateral movement scenarios. Other lateral movement scenarios, like jumping from Kubernetes clusters to the cloud, require more advanced mitigation techniques.
Because lateral movement attacks rely on stealth, they are by nature hard to spot. Nevertheless, the right strategies and tools make lateral movement attacks easier to detect and prevent.
Enter Wiz. Wiz is a cloud security solution that provides direct visibility into your cloud environment, prioritizes risks, and offers remediation guidance. It's designed to help development teams address risks in their own infrastructure and applications, allowing them to ship faster and more securely. Check out our demo to learn how Wiz can help you secure your cloud environments by identifying and putting a stop to lateral movement.
See for yourself why CISOs at the fastest growing companies choose Wiz to harden their cloud environment's internal defenses to stop lateral movement.