Threat actors gain access to a company application through phishing or exploiting unpatched vulnerabilities, assume the identity of a legitimate user and use lateral movement to penetrate ever deeper into various parts of the network.
There they can exfiltrate data, paralyze or manipulate systems and databases, or carry out other attacks. The threat actors do not strike immediately, but rather try to operate unnoticed in the background for as long as possible. The goal of most cyber criminals is to steal or encrypt data in order to extort ransom money - i.e. ransomware attacks. The more time attackers spend unnoticed in their victims' networks, the more data, information and access rights they can gain and the greater the potential damage. A popular approach is vulnerability chaining, i.e. exploiting several vulnerabilities in sequence. In its Labs Threat Report, Arctic Wolf has summarized the most frequently exploited vulnerabilities that companies should be aware of and patch. Different techniques are used for lateral movement:
- Exploitation of remote services
- Internal spear phishing
- Lateral tool transfer
- Remote hijacking
- Remote Desktop Protocol
- Cloud service login
- Application Access Token
The time until lateral movement occurs is called the “breakout time”. If an attack can be stopped within this time window, costs, damage and potential business interruptions or downtime can be significantly reduced or avoided entirely.
Detect and stop lateral movement
- Monitoring the IT environment in real time: Modern monitoring solutions, e.g. Managed Detection and Response (MDR), can recognize unusual activities (e.g. a user logging into an application that they do not normally log in to), rule changes within applications, or sudden activity by a single user across the IT infrastructure. Companies can monitor these activities and compare them with the techniques listed above and their corresponding behavior patterns to detect cases of lateral movement early and stop attackers moving through the IT environment without authorization.
- Behavior analysis: Because many TTPs rely on widely available tools and compromised user accounts, advanced behavioral analysis is needed to reliably tell anomalies and malicious intent apart from legitimate activity.
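The two detection points above (a user logging on to systems they do not normally use, and a sudden burst of activity by one account) and the "breakout time" from the previous section can be turned into a small, concrete check. The following Python script is an added example, not Arctic Wolf's code or part of any MDR product. It learns a per-user baseline of destination and source hosts from a constructed set of authentication log lines, then flags three signals in a second constructed window: first-time logons to a new host, logons that originate from a host other than the user's usual workstation (a sign of pivoting), and many distinct hosts reached by one user within a short window. The log format, host names and the `INITIAL_ACCESS` timestamp are all constructed for illustration.

```python
"""Toy lateral-movement detector over constructed authentication events.

Added example (not Arctic Wolf's code). It turns three signals from the text
into checks: a user logging on to a system they do not normally use, logons
that originate from a host other than the user's usual workstation (a sign
of pivoting), and a burst of logons by one user across many hosts in a short
window. It also computes the "breakout time" between a constructed initial
foothold event and the first anomalous logon.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not from any real environment.
# Fields: ISO timestamp, user, source host, destination host, logon type.
BASELINE_LOG = """\
2024-03-01T09:02:11 alice WS-ALICE FILESRV01 network
2024-03-01T09:05:40 alice WS-ALICE MAIL01 network
2024-03-02T08:58:02 alice WS-ALICE FILESRV01 network
2024-03-02T10:12:33 bob WS-BOB FILESRV01 network
2024-03-03T09:01:27 alice WS-ALICE MAIL01 network
2024-03-03T11:44:09 bob WS-BOB DEV01 rdp
"""

# Constructed detection-window events: alice's account is used to pivot
# from a newly reached host (DC01) to several servers within minutes.
DETECTION_LOG = """\
2024-03-10T13:00:00 alice WS-ALICE MAIL01 network
2024-03-10T13:07:15 alice WS-ALICE FILESRV01 network
2024-03-10T13:21:02 alice WS-ALICE DC01 rdp
2024-03-10T13:23:48 alice DC01 DEV01 rdp
2024-03-10T13:25:10 alice DC01 HR-DB01 rdp
2024-03-10T13:26:55 alice DC01 BACKUP01 rdp
"""

# Constructed timestamp of the initial foothold (e.g. a phishing payload run).
INITIAL_ACCESS = datetime.fromisoformat("2024-03-10T12:55:00")


def parse_events(text):
    """Parse whitespace-separated log lines into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, logon_type = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "dst": dst, "type": logon_type})
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events):
    """Per-user sets of destination and source hosts seen while learning."""
    baseline = defaultdict(lambda: {"dst": set(), "src": set()})
    for e in events:
        baseline[e["user"]]["dst"].add(e["dst"])
        baseline[e["user"]]["src"].add(e["src"])
    return baseline


def detect(events, baseline, window=timedelta(minutes=10), burst_hosts=3):
    """Return alerts as dicts with keys ts, user, kind, detail."""
    alerts = []
    recent = defaultdict(list)        # user -> [(ts, dst)] inside the window
    burst_flagged = defaultdict(bool)  # one burst alert per streak and user
    for e in events:
        u, ts = e["user"], e["ts"]
        known = baseline.get(u, {"dst": set(), "src": set()})
        if e["dst"] not in known["dst"]:
            alerts.append({"ts": ts, "user": u, "kind": "new_destination",
                           "detail": f"first logon to {e['dst']} via {e['type']}"})
        if e["src"] not in known["src"]:
            alerts.append({"ts": ts, "user": u, "kind": "new_source",
                           "detail": f"logon originating from unusual host {e['src']}"})
        # Sliding window of distinct destinations per user.
        recent[u] = [(t, d) for t, d in recent[u] if ts - t <= window]
        recent[u].append((ts, e["dst"]))
        distinct = {d for _, d in recent[u]}
        if len(distinct) >= burst_hosts and not burst_flagged[u]:
            burst_flagged[u] = True
            alerts.append({"ts": ts, "user": u, "kind": "burst",
                           "detail": f"{len(distinct)} distinct hosts within {window}"})
        elif len(distinct) < burst_hosts:
            burst_flagged[u] = False
    return alerts


def breakout_time(alerts, initial_access):
    """Time from the initial foothold to the first anomalous logon, or None."""
    anomalous = [a["ts"] for a in alerts
                 if a["kind"] in ("new_destination", "new_source")]
    return min(anomalous) - initial_access if anomalous else None


if __name__ == "__main__":
    base = build_baseline(parse_events(BASELINE_LOG))
    found = detect(parse_events(DETECTION_LOG), base)
    for a in found:
        print(a["ts"].isoformat(), a["user"], a["kind"], a["detail"])
    print("breakout time:", breakout_time(found, INITIAL_ACCESS))
```

In the constructed data, the first two logons match alice's baseline and stay silent; the RDP logon to DC01 is the first anomaly, the three logons that then originate from DC01 fire both the new-destination and the new-source checks, and the third distinct host inside ten minutes fires the burst alert once. A real deployment would learn the baseline over weeks rather than three days and would key it on more than host names (logon type, time of day, source network), but the structure of the check is the same: compare each event against what that identity normally does, and treat a sequence of firsts in a short window as the signature of lateral movement.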
Detecting and stopping lateral movement is not easy. But precisely because cybercriminals can use this tactic to reach deep layers of the IT environment, protective measures against these attacks are an important component of cybersecurity. They can mean the difference between a security incident remaining an attempted attack that was nipped in the bud early on, and a successful hack that cripples companies or enables attackers to encrypt systems and data and extort ransoms.
More at ArcticWolf.com
About Arctic Wolf
Arctic Wolf is a global leader in security operations, providing the first cloud-native security operations platform to mitigate cyber risk. Based on threat telemetry spanning endpoint, network and cloud sources, the Arctic Wolf® Security Operations Cloud analyzes more than 1.6 trillion security events per week worldwide. It provides company-critical insights into almost all security use cases and optimizes customers' heterogeneous security solutions. The Arctic Wolf platform is used by more than 2,000 customers worldwide. It provides automated threat detection and response, enabling organizations of all sizes to set up world-class security operations at the push of a button.