Lateral Movement
In cybersecurity, lateral movement describes an attacker's techniques to progressively move through a network after gaining initial access. Instead of immediately going after their ultimate target, attackers explore the environment to find valuable data or high-privilege accounts that allow them to achieve their objectives.
Here's a simplified way to think about it:
An attacker breaks into a low-level employee's computer.
Then, they use that access to find credentials or vulnerabilities that let them access another computer, perhaps a server with more sensitive data.
They repeat this process, "moving laterally" through the network, until they reach their goal (e.g., the domain administrator account or a database with financial records).
Lateral movement is a critical stage in many cyberattacks, as it allows attackers to amplify their initial access and maximize the damage they can cause.
Here's how ThreatNG can help with identifying and mitigating the risks associated with lateral movement:
1. External Discovery
ThreatNG's ability to perform external unauthenticated discovery is the first step in identifying potential lateral movement pathways. Mapping out an organization's external attack surface without needing internal access reveals the points of entry that an attacker might initially compromise to gain a foothold for lateral movement.
2. External Assessment
ThreatNG's external assessment capabilities provide valuable insights into vulnerabilities that can facilitate lateral movement:
Web Application Hijack Susceptibility: High susceptibility in this area means an attacker might easily compromise a web application and then use that access to move to other parts of the network.
Subdomain Takeover Susceptibility: If subdomains are vulnerable to takeover, an attacker could use them as a launching point for further attacks within the organization's infrastructure.
Cyber Risk Exposure: This assessment considers factors like exposed ports and vulnerabilities. Exposed services (e.g., RDP, SSH) are common targets for attackers seeking to move laterally.
Code Secret Exposure: Exposed credentials (API keys, passwords) in code repositories can give attackers the necessary credentials to move through systems and access sensitive data.
Mobile App Exposure: Exposed credentials within mobile apps can also be a source of initial compromise, which attackers might use to access internal systems.
3. Reporting
ThreatNG's reporting capabilities can highlight the risks of lateral movement. For example, reports on Cyber Risk Exposure or Code Secret Exposure can pinpoint systems or data with weak security that an attacker could target.
4. Continuous Monitoring
Continuous monitoring of the external attack surface is essential because the potential for lateral movement can change rapidly. ThreatNG's ongoing monitoring helps detect new vulnerabilities or exposed services that could create new lateral movement pathways.
5. Investigation Modules
ThreatNG's investigation modules provide detailed information that helps in understanding and preventing lateral movement:
Domain Intelligence: This module includes information about DNS records, subdomains, and WHOIS data, which can reveal potential entry points and vulnerabilities. For example, exposed subdomains or unusual DNS records might indicate a misconfiguration that an attacker could exploit.
IP Intelligence: Analyzing IP addresses and ASNs can help identify connections to potentially malicious infrastructure.
Sensitive Code Exposure: This module is crucial for identifying exposed credentials and other sensitive information in code repositories, which attackers frequently reuse to move laterally.
Mobile Application Discovery: This module helps identify vulnerabilities within mobile apps that could be exploited to gain initial access.
Search Engine Exploitation: This module can reveal information exposed via search engines, such as configuration files or directories, that could aid an attacker in lateral movement.
Cloud and SaaS Exposure: This module helps identify misconfigurations or vulnerabilities in cloud services and SaaS applications that attackers could exploit to move laterally.
6. Intelligence Repositories
ThreatNG's intelligence repositories provide valuable context for lateral movement analysis:
Dark Web Presence: Information on compromised credentials found on the dark web is highly relevant, as attackers often use stolen credentials to move laterally.
7. Working with Complementary Solutions
While the document does not provide specifics on integrations, ThreatNG's capabilities would be enhanced by working with other security solutions:
SIEM systems: ThreatNG's findings on potential lateral movement pathways could be integrated into a SIEM to correlate with internal security events and detect actual lateral movement activity.
Intrusion Detection/Prevention Systems (IDS/IPS): ThreatNG's identification of vulnerable entry points could inform the configuration of IDS/IPS to better detect and block lateral movement attempts.
Endpoint Detection and Response (EDR) solutions: Combining ThreatNG's external view with EDR's internal visibility would provide a complete picture of an attacker's activity.
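One way the SIEM correlation described above could work, shown as an added example rather than ThreatNG's own code: externally exposed hosts (the finding schema, hostnames, and logon records below are constructed) are used as starting points, and remote logons between internal hosts are walked in time order to surface candidate lateral movement chains for an analyst.

```python
"""Correlate external exposure findings with internal logon events to flag
candidate lateral-movement chains. Illustrative only: the finding format and
log records are constructed and do not reflect ThreatNG's export schema."""
from collections import defaultdict

# Constructed external findings (hypothetical schema): host and exposed service
EXTERNAL_FINDINGS = [
    {"host": "web01", "service": "rdp"},
    {"host": "vpn01", "service": "ssh"},
]

# Constructed internal logon records in the spirit of Windows event 4624:
# (ISO timestamp, source host, target host, logon type, account)
INTERNAL_LOGONS = [
    ("2024-01-01T10:00:00", "web01", "db01", 10, "svc_web"),
    ("2024-01-01T10:05:00", "db01", "dc01", 3, "svc_web"),
    ("2024-01-01T11:00:00", "ws07", "fs01", 3, "alice"),
]

# Logon types that indicate a remote session: 3 = network, 10 = RemoteInteractive
REMOTE_LOGON_TYPES = {3, 10}


def lateral_chains(findings, logons, max_depth=3):
    """Return host chains that start at an externally exposed host.

    Each chain is a list of hosts; hops follow remote logons whose timestamp
    is later than the previous hop (ISO strings compare chronologically)."""
    exposed = {f["host"] for f in findings}
    edges = defaultdict(list)
    for ts, src, dst, ltype, _acct in sorted(logons):
        if ltype in REMOTE_LOGON_TYPES and src != dst:
            edges[src].append((ts, dst))
    chains = []

    def walk(host, path, after):
        for ts, dst in edges[host]:
            if ts > after and dst not in path:      # forward in time, no cycles
                new_path = path + [dst]
                chains.append(new_path)
                if len(new_path) <= max_depth:
                    walk(dst, new_path, ts)

    for start in sorted(exposed):
        walk(start, [start], "")
    return chains


if __name__ == "__main__":
    for chain in lateral_chains(EXTERNAL_FINDINGS, INTERNAL_LOGONS):
        print("candidate lateral movement: " + " -> ".join(chain))
```

Chains that reach a high-value host (such as a domain controller) from an externally exposed entry point are the ones worth raising as SIEM alerts for analyst review.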
ThreatNG helps identify and mitigate lateral movement risks by providing external visibility, assessing vulnerabilities, and offering detailed intelligence on potential attack vectors and compromised credentials.