Lateral Movement: What It Is & How to Prevent It


In today's threat landscape, attackers increasingly use lateral movement to gain access to sensitive data and systems with the potential to cause enormous damage. Consider these recent statistics: 

What Is Lateral Movement? 

Lateral movement is a technique attackers use to move from one device or system to another within a network. This can allow them to access sensitive data or systems they otherwise would not be able to reach — and enables the attacker to spread malware, steal data, or disrupt operations.

An attack using lateral movement paths (LMPs) typically has three phases:

1. Reconnaissance 

After gaining network access, an attacker observes and maps the network structure, users, and devices. Doing so allows the attacker to identify operating systems, firewalls, and host naming conventions and hierarchies. With this information, they can begin developing a strategy for their impending attack.

2. Privilege Escalation

Attackers will use social engineering tactics to engage in what’s called credential dumping (stealing credentials) with the goal of gaining access to a series of devices, one after the other, escalating the attacker’s network privileges along the way.

3. Gaining Expanded Access

With access to stolen login credentials and escalated network privileges, an attacker can impersonate a user and gain what would appear to be “legitimate” access to additional hosts and servers, reaching farther and farther into the infiltrated network. 

This sort of lateral movement enables attackers to maintain a persistent network presence across multiple users and devices. So even if a security team is able to identify a compromised device, the attacker still maintains a presence via other devices, making it exponentially more difficult for the security team to eradicate the attacker from the entire network.

Understanding Lateral Movement Detection

Quickly identifying and addressing lateral movement in your network is absolutely critical. A 2023 CrowdStrike report found the average breakout time (how long it takes attackers to move from initial access to lateral movement) to be a mere 118 minutes. Security teams have to move faster than ever to mitigate the damage. 


You can take several steps to help your team prepare for an attack and protect your business:

  1. Identify and map potential LMPs within your network.
  2. Implement real-time monitoring to alert you to suspicious activity.
  3. Aggregate alerts to help your team quickly zero in on legitimate threats.
  4. Conduct regular behavioral analysis to identify and investigate suspicious network activity. 

Different Ways Attackers Use Lateral Movement

Attackers use many techniques to exploit LMPs. Some of the most common techniques include:

  • Pass-the-hash: This technique involves using the password hash of a legitimate user to authenticate to other systems on the network. This can be done by using tools such as Mimikatz to extract the password hash from memory.
  • Remote execution: This technique involves running code on a remote system without the user's knowledge or consent. This can be done by exploiting vulnerabilities in remote services, such as Remote Desktop Protocol (RDP) or Secure Shell (SSH).
  • Privilege escalation: This technique involves gaining elevated privileges on a system. This can be done by exploiting system software vulnerabilities or using stolen credentials to log in to a system with administrative privileges. Once the attacker has elevated privileges, they can access more sensitive data and perform more destructive actions.
  • Network shares: This technique involves using shared network folders to move files between systems. It’s just one way attackers can steal sensitive data or deploy malware to other systems on the network.
  • Web shells: This technique involves installing a web shell on a system. A web shell is a program that allows an attacker to remotely execute commands on a system, gain access to sensitive data, or deploy malware to other systems on the network.
  • Unsecured protocols: Attackers can exploit unsecured protocols to communicate with other systems. This is a common technique for stealing data or installing malware.

ZTNA: A Defense Against Lateral Movement

Zero Trust Network Access (ZTNA) is a security approach that assumes that any device or user could be compromised. This means that ZTNA does not grant access to the entire network but instead grants access to specific applications or data.

ZTNA can stop lateral movement in several ways. 

First, it can prevent attackers from using stolen credentials to access systems. ZTNA requires users to authenticate with multi-factor authentication (MFA) or other strong authentication methods. This makes it more difficult for attackers to steal credentials.

Second, ZTNA can prevent attackers from exploiting vulnerabilities. ZTNA uses micro-segmentation to create smaller, more secure zones within a network. This makes it more difficult for attackers to exploit vulnerabilities and move laterally within a network.

A VPN Is a Critical Component to a ZTNA Solution 

A common misconception about remote-access VPNs is that, once connected, a user’s device becomes part of the network and gains access to the entire network. Therefore, the assumption is that using a VPN increases the risk of lateral movement. Some in our industry use this argument to garner support for alternative remote-access technologies that facilitate application connectivity without providing complete layer-3 connectivity (i.e. identity-aware proxies).

In reality, zero trust and VPNs are not mutually exclusive. In fact, using a VPN facilitates much stronger controls against lateral movement precisely because it is a network-layer connectivity technology. Modern VPN solutions come with an identity-based access control capability. You can provide least privilege access to needed applications by configuring identity-aware access control policies to specific network segments at the protocol and port granularity. Therefore, the attacker is restricted at the network level and cannot use common techniques to move laterally. Thanks to access control policy enforcement, the VPN will simply drop the attack packets. However, it’s important to note that if you rely solely on application-level controls, an attacker could still move laterally to access systems with an exposed application vulnerability. 
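The enforcement model the paragraph describes, as an added example rather than OpenVPN's own code: a gateway that evaluates each packet against identity-aware rules at segment, protocol and port granularity and drops everything else. The user names, groups, segments and addresses are constructed for the illustration.

```python
# Added example (not OpenVPN's code): identity-aware, network-layer access
# control of the kind the paragraph describes, at segment/protocol/port
# granularity with default deny. Users, groups and addresses are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    group: str           # identity group the rule applies to
    segment: str         # destination network segment, CIDR notation
    proto: str           # "tcp" or "udp"
    ports: frozenset     # allowed destination ports

@dataclass
class Gateway:
    rules: list
    members: dict                               # user -> set of groups
    denied: list = field(default_factory=list)  # audit log of dropped packets

    def allow(self, user, dst, proto, port):
        """Decide one packet; anything not explicitly permitted is dropped."""
        groups = self.members.get(user, set())
        for r in self.rules:
            if (r.group in groups and r.proto == proto and port in r.ports
                    and ip_address(dst) in ip_network(r.segment)):
                return True
        # Default deny. Each drop is logged: a burst of denied connections
        # from one identity to many hosts is a lateral-movement signal.
        self.denied.append((user, dst, proto, port))
        return False

def build_gateway():
    rules = [
        Rule("finance", "10.20.0.0/24", "tcp", frozenset({443})),    # ERP web UI only
        Rule("it-admins", "10.0.0.0/8", "tcp", frozenset({22, 3389})),
    ]
    return Gateway(rules, {"alice": {"finance"}, "bob": {"it-admins"}})

def demo():
    """alice's VPN session is assumed stolen; bob is a legitimate admin."""
    gw = build_gateway()
    results = {
        "erp_https": gw.allow("alice", "10.20.0.15", "tcp", 443),   # True
        "smb_to_peer": gw.allow("alice", "10.20.0.16", "tcp", 445), # False
        "rdp_to_dc": gw.allow("alice", "10.1.0.5", "tcp", 3389),    # False
        "admin_ssh": gw.allow("bob", "10.30.0.7", "tcp", 22),       # True
    }
    return results, gw.denied
```

With the stolen session, the attacker still reaches only the one application port the identity was granted; the SMB and RDP attempts are dropped at the network layer and appear in the denial log.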


Lateral Movement Prevention Strategies 

As always, a minimum essential set of multiple controls provides better protection than just one control. In addition to enforcing ZTNA, you can significantly reduce the risk of lateral movement attacks in your organization by implementing various approaches (noted below).

  • Data loss prevention (DLP): DLP can prevent sensitive data from being exfiltrated from a network. This can help prevent attackers from stealing sensitive data they've gained access to through lateral movement.
  • Application control: Application control is a technique that allows organizations to control which applications can be run on their systems. This can help to prevent attackers from using malicious applications to move from one system to another. Application control can be implemented using various methods, such as software firewalls, application whitelisting, dynamic application analysis, and web filtering software. Web filtering software can be used to block access to malicious websites.
  • Endpoint detection and response (EDR): EDR is a security solution that collects and analyzes telemetry data from endpoints. This data can be used to identify and respond to malicious activity, including lateral movement. EDR can be implemented using various methods, such as standalone EDR solutions, cloud-based EDR solutions, and endpoint security suites.
  • User behavior analytics (UBA): UBA is a technique that uses machine learning to analyze user behavior for signs of malicious activity. This can help to identify attackers attempting to move laterally through a network. UBA can be implemented using various methods, such as SIEMs (security information and event management), EDRs, and cloud-based UBA solutions.

CloudConnexa®: A Novel Approach to Lateral Movement Risk Management 

Cloud Connexa, a cloud-delivered ZTNA service from OpenVPN, uses a novel approach that separates application-layer routing from IP routing. Cloud Connexa only opens up a communication path to the destination through an intermediary IP address if the user tries to access an authorized application. To gain access to an application, users must use the domain name associated with the authorized application. This means that the IP address range of the private network hosting the application or the private IP address of the application server is not revealed, and access to other communication paths on the network is restricted. The attacker cannot use IP addresses to scan the private network or try to infect any other devices on it; Cloud Connexa is designed to reject packets sent directly to the IP address of the private network.
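A simplified model of the design described above, added here as an illustration and not CloudConnexa's implementation: a user obtains a path to an application only by resolving its domain name, receives a synthetic intermediary address for that one application and port, and any packet addressed directly to the private network is rejected. The domains, address ranges and users are constructed.

```python
# Added example (not CloudConnexa's code): a simplified model of the
# domain-gated, intermediary-address design described above. Domains,
# addresses and users are constructed.
from ipaddress import ip_address, ip_network

PRIVATE_NET = ip_network("10.0.0.0/8")           # where the apps really live
INTERMEDIARY_POOL = ip_network("100.64.0.0/24")  # addresses clients see

class AppGateway:
    def __init__(self, apps, grants):
        self.apps = apps       # domain -> (private_ip, port)
        self.grants = grants   # user -> set of authorized domains
        self.paths = {}        # (user, intermediary_ip) -> (private_ip, port)
        self.rejected = []     # audit log of dropped packets
        self._next = 1

    def resolve(self, user, domain):
        """Name lookup: only an authorized app yields an intermediary address."""
        if domain not in self.apps or domain not in self.grants.get(user, ()):
            return None
        inter = str(INTERMEDIARY_POOL[self._next])
        self._next += 1
        self.paths[(user, inter)] = self.apps[domain]   # open exactly one path
        return inter

    def forward(self, user, dst_ip, port):
        """Return the real destination, or None when the packet is dropped."""
        target = self.paths.get((user, dst_ip))
        # Packets addressed straight to the private network, or to an
        # intermediary address/port this user never resolved, are rejected.
        if ip_address(dst_ip) in PRIVATE_NET or target is None or target[1] != port:
            self.rejected.append((user, dst_ip, port))
            return None
        return target

def scenario():
    gw = AppGateway({"crm.internal": ("10.5.1.20", 443),
                     "wiki.internal": ("10.5.1.21", 443)},
                    {"alice": {"crm.internal"}})
    inter = gw.resolve("alice", "crm.internal")          # "100.64.0.1"
    via_name = gw.forward("alice", inter, 443)           # ("10.5.1.20", 443)
    wrong_port = gw.forward("alice", inter, 22)          # None
    unauthorized = gw.resolve("alice", "wiki.internal")  # None
    # Every packet sent directly to a 10.5.1.x address is dropped, whether
    # or not a host exists there, so the private range cannot be enumerated.
    direct = [gw.forward("alice", f"10.5.1.{i}", 443) for i in range(1, 255)]
    return inter, via_name, wrong_port, unauthorized, direct, len(gw.rejected)
```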

In addition to the above, Cloud Connexa provides businesses with the following protections:

  • Intrusion Protection System (IPS): Built-in protection, using up-to-date threat intelligence, that blocks malware, ransomware, and traffic found to match the signatures associated with a variety of attacks.
  • Application control using web filtering: DNS-based content filtering with more than 42 content categories effectively blocks access to malicious websites that may allow an attacker entry into your network.
  • Restricted internet access: Devices such as point-of-sale (POS) terminals or other single-purpose dedicated devices can be locked down to allow access to only a few trusted internet and private destinations.

Get Started Today

OpenVPN® is the market-proven leader in secure virtualized networking. Our cloud-based platform enables organizations to maintain secure communication between their distributed workforce, IoT/IIoT devices, and the online services they rely on daily. Built on the market-proven OpenVPN protocol, the solution combines advanced network security, encrypted remote access, and content filtering into a virtualized secure network that provides the best of VPN and ZTNA security.

With over 60 million downloads of our core open-source software and over 20,000 commercial customers, OpenVPN is recognized as a global leader in secure networking.

Ready to take your business to the next level with Cloud Connexa? Work from anywhere and from any device with confidence. Create an account today for three free connections and the secure network connectivity your business needs.
