back caretBlog

When They're Already Inside the Walls: How to Detect and Stop Lateral Movement

You already have security tools meant to prevent attackers from getting into your environment, but what happens after they compromise one of your systems? It could happen many ways, and wise security professionals know that good defenses must include methods to detect and stop post-compromise activity.

The good news is that in many cases, attackers' beachhead isn't in the part of the network where they need to be. They must move laterally within the environment to access valuable data, jumping from system to system until they reach their target.

Tactic: Intitial Access

ExtraHop Reveal(x) detects lateral movement behavior on the network, like an attacker escalating their network privileges.

Stopping Lateral Movement

Last year, it was disclosed that a national space agency's Jet Propulsion Lab suffered a data breach. The report on the incident noted that network segmentation would have helped to prevent the attackers from moving laterally within the environment. That's absolutely true, but it's also true that network segmentation is difficult to set up and maintain, and it can be a hindrance to doing business.

Besides stopping lateral movement with segmentation, organizations should also be trying to detect this type of post-compromise activity. Privilege escalation, discovery, and lateral movement are all stages of the MITRE ATT&CK framework that necessarily require attackers to communicate on the network. This gives you many opportunities to detect attackers as they reconnoiter your network, move from system to system, and attempt to escalate their privileges.

Tactic: Intitial Access

Many of the techniques in the MITRE ATT&CK framework rely on network communications inside the network. ExtraHop Reveal(x) maps detections to the MITRE ATT&CK framework, including those for lateral movement.

To evaluate how well you are stopping lateral movement in your environment, ask yourself these questions:

  • What network controls do I have in place to discover and limit device activity?
  • What percentage of my environment is covered by log and endpoint data?
  • How do I track normal and abnormal account activity?

Detecting Post-Compromise Activity

Once attackers compromise an initial system and steal credentials, they can use native functionality to stealthily reconnoiter the environment and move from computer to computer until they find their target. To detect this type of stealthy lateral movement inside the east-west corridor, cybersecurity teams need to be able to examine—at great detail and with tremendous skepticism—seemingly legitimate activity from their internal systems.

ExtraHop Reveal(x) specializes in detecting post-compromise activity like network reconnaissance, privilege escalation, and lateral movement. Reveal(x) detects living-off-the-land attacks that make use of native functionality to stay under the radar. For example, Reveal(x) can detect reconnaissance done through MS-RPC, net user to query domain admins, session enumeration, and PowerView. Reveal(x) can also detect DCSync and PsExec activity that attackers use to move laterally in Windows environments. Watch the video above to see how, then try our demo to see how Reveal(x) can detect threats like lateral movement that other tools miss.

Related Blogs

Sign Up to Stay Informed