Circa 1970, the U.S. and South Korean military forces stood unified to defend the integrity of the demilitarized zone between North Korea and South Korea. All defenses were focused on securing this perimeter and on stopping any chance of a North Korean attack into South Korea.
A North Korean defector told South Korean defenders that President Kim Il Sung had ordered Army units to subvert the DMZ by digging tunnels to prepare for invasion. South Korean officials estimated that one of the three tunnels that were eventually found extended nearly a half mile into their territory and could have accommodated up to 30,000 troops an hour. These tunnels represented a considerable exposure that went undetected for many years.
There was also the risk of an unknown North Korean population living inside South Korea and blending in among the South Korean people to be activated anytime to fight alongside the 30,000 troops an hour that could have marched right into South Korea. But the U.S. and South Korean military forces were fortunate to have received the right information at the right time.
The Korean situation is not unlike today’s perimeter defenses. For years, cyber defense teams have focused primarily on protecting the known network entry points. With the proliferation of pervasive connectivity and the ever-increasing remote workforce, agencies struggle to understand this new dichotomy with attackers hiding as they move by leveraging user accounts and devices. Not to mention that today’s security teams are overworked and heavily scrutinized by their ability to keep an intrusion from turning into data loss or worse.
Often these teams are ingesting and sifting through thousands of these alerts every day using the best security information and event management solutions. Finding and stopping cyberattacks has become a top priority for leadership, many of whom rely on more straightforward perimeter prevention products to solve a more complicated problem.
“Lateral movement,” a term used to describe the different methods attackers use to spread through a network progressively, provides a definite edge to malicious adversaries. Why? Most perimeter-located products, such as IDS/IPS or sandboxing technologies, cannot help with traffic that runs laterally because they are zeroed in on threats coming through the front door.
Considering the sheer volume of threats that security teams are tasked with thwarting daily, it is no surprise that they utilize various tools and techniques to help prioritize their efforts in a meaningful way. One common misconception among these teams is their approach to prioritizing lateral attacks, which should be done immediately because they indicate that a threat made its way into a network and is attempting to extend its reach. Lateral attacks will work their way, one device at a time, through the network to infiltrate their final target — often a high-value data set that requires special privileges to access.
This lateral form of attack also creates a web of nearly untraceable points of control within the network. This method essentially provides attackers with a chain of devices to fall back on if footholds are detected.
Another critical component of this form of attack is the expertly manipulative human at the helm. This individual will need to navigate the network undetected while effectively pinpointing the most valuable data to home in on. This process can be accomplished via remote desktop tools, or more specialized remote administration tools. As a result, security professionals will need to observe and document normal behavior within their network to spot any abnormalities quickly.
While network traffic analysis tools can recognize these changes in behavior that highlight an external person controlling an internal one’s privileges, attackers find that they can more efficiently work their way through the network by impersonating a valid user.
In many ways, the lateral movement represents the most significant difference between today’s strategic, targeted attacks and more simplistic attacks of the past. Consequently, detecting lateral movement quickly and reliably is one of the most critical emerging skills in information security today.
Thankfully, there is hope! The lateral movement offers a surprising and uncommon advantage to the defenders. Because adversaries are unable to control both ends of the connection, they lack an incredible amount of elasticity and hiding spots typically granted to them with other attack methods. Lateral movement from an attacker’s perspective is akin to a military sniper’s journey through acquiring a target and firing: They must sneak into a foreign environment using forms of mimicry and camouflage to blend in. Then they must find their target, slowly and expertly maneuvering into position, and, in turn, subjecting themselves to potential exposure. The activity to this point often provides defenders a substantial opportunity to detect the threat if they know where to look and what to look for.
If you hear the boom, it is often too late.
The best way for security professionals to build up their internal defense is by ensuring all personnel and artificial intelligence-driven tools can distinguish the telltale signs of abused or abnormally used credentials. Ultimately, the fluid detection of lateral movement is vital to identifying the threats that pose the highest risk to your organization, empowering your security team to disrupt them before sensitive information is deleted, encrypted for ransom or stolen.
Brian Davis is the director of federal security solutions at Vectra AI.