Why Decryption is Necessary for Detecting Lateral Movement


December 19, 2025

Once an adversary gains access to an organization’s network, they move laterally to compromise valuable internal systems. However, many security teams struggle to detect this lateral movement because they cannot see attackers hiding behind internal communication protocols and legitimate administrative tools — a stealthy technique that lets them blend in.

Under the cloak of routine network activity, threat actors are able to maximize dwell time, giving them a greater opportunity to escalate privileges, gain administrative control, and successfully carry out their attack.

Consider Salt Typhoon, the Chinese state-sponsored threat group responsible for compromising the network infrastructure of major U.S. telecommunications companies and internet service providers over the last year.

To remotely execute malicious commands and stage data for theft, Salt Typhoon leverages C2 communications that use application layer protocols, such as web protocols over encrypted channels and legitimate web services, seamlessly blending in with normal network traffic.

The Key to Detecting Hidden Threats

Stopping sophisticated threats like Salt Typhoon demands continuous, deep visibility into all network traffic. However, encryption and the use of legitimate administrative tools create a pervasive blind spot where adversarial activity can remain concealed.

ExtraHop shines a light on these dark hiding places by decrypting and analyzing traffic in real time, closing this critical security gap.

ExtraHop is on a mission to arm security teams to confront active threats and stop breaches. Our RevealX™ 360 platform, powered by cloud-scale AI, covertly decrypts and analyzes all cloud and network traffic in real time to eliminate blind spots and detect threats that other tools miss. Sophisticated machine learning models are applied to petabytes of telemetry collected continuously, helping ExtraHop customers to identify suspicious behavior and secure over 15 million IT assets, 2 million POS systems, and 50 million patient records. ExtraHop is a market share leader in network detection and response with 30 recent industry awards including Forbes AI 50, Cybercrime Ransomware 25, and SC Media Security Innovator.
