What is Lateral Movement and why it is so important to stop it
Once an attacker has managed to penetrate the network and overcome common defenses, he is behind the firewall and, depending on the attack scenario, invisible to the Endpoint Protection you have rolled out to protect your company. Now that this security “baseline” is no longer capable of specifically exposing the intruder, you need to rely on an additional complementary security layer. Our approach is to intercept the hacker already in his lateral movement phase and send him to our protected Decoy servers.
Lateral movement is a technique used by an attacker after gaining access to the network. This could happen through a phishing mail or even malware.
In the first phase, the Reconnaissance Phase, the attacker observes and examines how the network is structured and the hierarchies are set up. To reach the desired location in the network, various tools are used to reveal vulnerabilities or paths, how it can best and quickly move or spread.
After the intrusion, in the Credential Dumping and Privilege Escalation Phase, the hacker moves through the network piece by piece in a targeted manner to gain more user privileges to get to the target location of his attack.
Once he has managed to gain admin rights, he is in the Gaining Access Phase and it is now even harder to identify lateral movement between devices and apps as it acts like normal network traffic. What makes it so difficult is that it is not a standardized attack, but a chess game in which the attacker adapts move by move, planning what the next steps will be and bypassing security mechanisms.
What can be done about Lateral Movement?
Deception offers a solution where “lures” tailored to your organization are rolled out to critical nodes and endpoints. As soon as an attacker tries to move through your network, these lures remove him from the production network and redirect him to a decoy server that resembles your corporate servers. From this point on, the attacker can be monitored without causing any damage.
Our mission is to establish another security layer and thus radically shorten the time of an attacker in the network. Up to now, the time until the identification of the intruder has been measured as 100 – 180 days – we want to set this time to 0 in the optimum case.
About the author
Felix LĂĽttich
Sales Director of Central and Southern Europe at CYBERTRAP
f.luettich@cybertrap.com
Recommended reading: What is Deception Technology?
