With Australian and international authorities calling out lateral movement incidents multiple times this year, it’s clearly an area where improvements are being urgently sought.
A key trend to gain momentum this year was the issuance of multi-country-led advisories outlining the tradecraft of threat groups striking both Australian and allied targets.
Two of these – the living off the land (LOTL) advisory of February, and the analysis of Australian organisations breached by APT40 – dealt with the issue of lateral movement, a post-exploitation activity during which a threat actor tries to compromise adjacent IT systems.
The interest in LOTL techniques was driven by their use by “state-sponsored APT actors in compromised environments”, in particular to create snapshots of a target’s Active Directory database. “The successful execution of this technique provides the APT actors with escalated privileges, facilitates lateral movement across the network, and enables their persistent access to critical systems and data,” the advisory noted.
Meanwhile the APT40 advisory, at least from a lateral movement perspective, analysed the “use of remote services including Remote Desktop Protocol (RDP) and SMB/Windows Shares” in two known incidents in Australia attributed to the group.
The focus on lateral movement – and particularly techniques to limit the availability of these pathways – is important to containing an attack and the fallout impact from it.
Infiltrating an environment is typically not the end goal for a threat actor. Nor is lateral movement for that matter, but it is the primary vehicle used to escalate an attack to achieve the actor’s end goal, whether that’s to gain privileged access to systems or to access and/or exfiltrate data.
To a cyber threat actor, lateral movement means all the difference between compromising a single asset and potentially navigating through an enterprise to establish a persistent presence.
The challenge for cybersecurity professionals is to detect and block unwanted lateral movement before the threat actor navigates to the next asset, ultimately creating a path to privileged access.
Strategies to detect and prevent lateral movement
As threat actors become more proficient at evading traditional defences, organisations must adopt advanced detection techniques to ensure lateral movement after exploitation is rapidly detected and mitigated.
By understanding the symptoms of unauthorised lateral movement, deploying intelligent monitoring solutions, addressing paths to privilege, and adhering to identity security and vulnerability management best practices, organisations can significantly reduce the likelihood of successful lateral movement by a threat actor.
While not exhaustive, four indicators of compromise can suggest inappropriate lateral movement.
The first of these is unusual authentication patterns, such as unexplained logons to systems, either outside business hours or from unexpected locations; logon attempts to systems not typically accessed by the identity; privileged authentication attempts without MFA; or authentication requests for applications and commands not approved for privileged or standard user access, including ones used in living off the land attacks.
The second major indicator is privilege escalation requests. This could include attempts to access privileged accounts or use of privileged commands from non-administrative accounts; sudden changes in user privileges, or the appearance of new administrative accounts; or access to sensitive data and sensitive assets from privileged accounts that should normally not have any interaction with a system.
Other indicators of lateral movement include those described by authorities in their advisories: a sudden spike in traffic between systems that do not usually communicate; unexpected use of remote access protocols; or use of system tools in an unusual manner, potentially indicating a LOTL attack.
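As an added example (not from the article or any vendor's product), the following script applies the first two indicators above to constructed logon records: it builds a per-identity baseline of normal source and target hosts, then flags off-hours logons, logons to hosts the identity has never used, logons from new source hosts, and privileged logons without MFA. The record format, hosts, users and business-hours window are all assumptions for illustration.

```python
# Added example: baseline-and-deviation check for the article's authentication indicators.
# Records are constructed tuples: (timestamp, user, source_host, target_host, privileged, mfa).
from collections import defaultdict
from datetime import datetime

# Constructed baseline window: what "normal" looked like for each identity.
BASELINE = [
    ("2024-06-03T09:12:00", "alice", "ws-01", "fileserver", False, True),
    ("2024-06-03T10:40:00", "alice", "ws-01", "fileserver", False, True),
    ("2024-06-04T08:55:00", "alice", "ws-01", "mailserver", False, True),
    ("2024-06-04T11:20:00", "svc_backup", "backup-01", "fileserver", True, True),
]

# Constructed new events to score against that baseline.
NEW_EVENTS = [
    ("2024-06-10T02:17:00", "alice", "ws-01", "dc-01", True, False),
    ("2024-06-10T14:05:00", "alice", "ws-01", "fileserver", False, True),
    ("2024-06-10T03:30:00", "svc_backup", "ws-07", "dc-01", True, True),
]

BUSINESS_HOURS = range(8, 18)  # assumed 08:00-17:59 local time


def build_baseline(records):
    """Per-identity sets of target hosts and source hosts seen in the baseline window."""
    targets, sources = defaultdict(set), defaultdict(set)
    for _, user, src, dst, _, _ in records:
        targets[user].add(dst)
        sources[user].add(src)
    return targets, sources


def score_event(event, targets, sources):
    """Return the indicator names an event trips; an empty list means nothing unusual."""
    ts, user, src, dst, privileged, mfa = event
    hits = []
    if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
        hits.append("off_hours_logon")
    if dst not in targets.get(user, set()):   # identity never reached this host before
        hits.append("new_target_for_identity")
    if src not in sources.get(user, set()):   # identity never came from this host before
        hits.append("new_source_for_identity")
    if privileged and not mfa:
        hits.append("privileged_logon_without_mfa")
    return hits


def detect(baseline, events):
    """Map (timestamp, user) -> list of tripped indicators for every new event."""
    targets, sources = build_baseline(baseline)
    return {(e[0], e[1]): score_event(e, targets, sources) for e in events}
```

An identity absent from the baseline trips both "new_target" and "new_source" on its first logon, which is the intended behaviour for a newly appeared account.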
Detection of lateral movement increasingly relies on advanced techniques that leverage artificial intelligence, behaviour analysis, and real-time monitoring. From a tooling perspective, this may include some combination of identity-based behavioural analytics, endpoint detection and response, network traffic analysis and deception technology.
Identity-based behavioural analytics – enabled by an identity threat detection and response (ITDR) solution – is particularly useful in establishing baselines of normal behaviour for human and non-human identities, and then detecting deviations that might indicate lateral movement.
While detection is crucial, prevention should be the ultimate goal. This requires a combination of proactive security measures, including zero trust, network segmentation, least privilege access, and continuous monitoring.
To protect against lateral movement attacks, organisations need to deploy an identity governance program with good hygiene and runtime, identity directory services, and a strong privileged access management (PAM) solution (which includes privileged accounts and session management, also known as PASM).
PAM is about enforcing least privilege – ensuring that identities, accounts, users, and machines operate with the minimum privileges necessary to perform their functions. This reduces the blast radius if an account is compromised by limiting potential for authentication and lateral movement into adjacent systems. PASM, on the other hand, is about the frequent rotation of credentials, or dynamic generation of secrets. Its deployment means the threat window for which an account can be compromised via stolen credentials is time-limited.
In addition to this, all non-human integrations and privileged accounts should be managed and monitored for potential abuse that can occur during lateral movement.
While not an exhaustive list of strategies and approaches, taking some or all of these actions represents a strong starting point to improve the prevention, detection, and response to many types of lateral movement attacks.