bluebay2014 - Fotolia

Network lateral movement from an attacker's perspective

A security researcher describes the network lateral movement process from an attacker's perspective and a few key points of focus for IT pros, at DerbyCon.

LOUISVILLE, Ky. -- A security researcher at DerbyCon 7.0 showed how an attacker will infiltrate, compromise and move laterally on an enterprise network, and why it benefits IT professionals to look at infosec from a threat actor's perspective.

Ryan Nolette, security technologist at Sqrrl, based in Cambridge, Mass., said there are a number of different definitions for network lateral movement, but he prefers the MITRE definition that says network lateral movement is "a step in the process" of getting to the end goal of profit.

Nolette said there are a lot of different attacks that can all be part of network lateral movement, including compromising a shared web root -- things running as the same permissions as the web server -- using SQL injection, remote access tools and pass the hash attacks.

According to Nolette, there are five key stages to the network lateral movement process: infection, compromise, reconnaissance, credential theft and lateral movement. This process will then repeat from the recon stage for each system as needed, but the network lateral movement stage is "where the attack gets really freaking exciting," Nolette told the crowd.

"You've already mapped out where you want to go next. You have credentials that you can possibly use to log in to use other systems," Nolette said. "Now, it's time to make an engineer or IT admin cry because now you're going to start moving across their environment."

lateral movement attack
Ryan Nolette's network lateral movement process as described at DerbyCon 7.0.

Demonstrating network lateral movement

Nolette walked through a demo attack and made sure he had some roadblocks to overcome. First, he ran a Meterpreter payload in Metasploit that would allow him to "run plug-ins, scripts, payloads, or start a local shell session against the victim" and used it to determine the user privileges of the victim's machine.

Finding the privileges were limited, Nolette loaded a generic Windows User Access Controls bypass -- which he noted was patched in the current version of Windows -- to escalate privileges to admin level.

In a blog post expanding on the attack, Nolette said that once the attacker has access to a system with these privileges, the aim is to map the network and processes, learn naming conventions to identify targets and plan the next move, which is to recover hashes in order to steal login credentials.

With credentials, Nolette said he targets local users and domain users.

It's time to make an engineer or IT admin cry because now you're going to start moving across their environment.
Ryan Nolettesecurity technologist, Sqrrl

"The reason I want the local users is because in every single large corporation, IT has a backdoor local admin account that uses the same password across 10,000 systems," Nolette told the DerbyCon audience. "For the record, [Group Policy Object] allows you to randomize that password for every system and stores it in [Active Directory], so there's really no excuse anymore for this practice."

Another way Nolette said attackers can find more privileged users is by looking at accounts that break the normal naming convention of the organization. For example, Nolette said if a username is initial.lastname but an attacker sees a name like master_a, that could be an indication it is a domain user with higher privileges.

When mapping the potential paths for network lateral movement, Nolette said attackers will look for specific open ports and use PsExec to run commands on remote systems -- both tactics used in the recent WannaCry and NotPetya ransomware attacks.

"If you use PsExec, SpecOps hates you because that's a legitimate tool used by IT and is constantly run throughout environments and being abused," Nolette said. He suggested one good security practice was to use whitelisting software to only allow PsExec to be run by very specific IT user accounts. 

Understanding attacker network lateral movement

"In a lot of presentations you don't get to see the offense side. All you get to see are the aftereffects of what they did. They move laterally, great, now I have a new process on this system. But, what did they actually do in order to do that?" Nolette said. "If I figure out what the attacker is doing, I can try to move further up the attack chain and stop them there."

Nolette said the value of threat hunting to him was not about finding a specific attack or method, but rather in validating a hypothesis about how threat actors may be abusing systems.

"I find that valuable because that's a repeatable process. When you're trying to sell to your upper management what you want to do, you always want to use business terms: return on investment, high value target, synergy," Nolette said. "In order to be a successful security practitioner, you have to know why the business [cares]. Security is not a moneymaker. It is always a cost center. How to change that view with the upper management is to show them return on investment. By spending a few hours looking at this stuff, I just saved us a few million dollars."

Next Steps

Learn how CISOs can improve security communication with the board.

Find out how ransomware is trending toward more sophistication.

Get info on managing access to keep privileged user credentials secure.

Dig Deeper on Risk management