MITRE ATT&CK Lateral Movement Techniques: How Threat Actors Move Within a Network

The days of “smash-and-grab” cyberattacks are over. Nowadays, rather than breaking into a target network and stealing or encrypting whatever data they can get their hands on, most cybercriminals use lateral movement techniques. This means they prolong attacks, moving around victim networks and compromising as many endpoints and servers as possible.

Research shows that lateral movement happens in about 60% of attacks today. Furthermore, about 80% of a typical attack chain involves lateral movement, a process that can take days, weeks, and even months. The ransomware attack on the Irish Health Service Executive, which was detected on the 14th of May 2021, actually started on the 18th of March 2021. In the two months between initial access and ransomware deployment, the attackers spread ransomware through dozens of hospitals and clinics, disrupting an entire country’s health service.

Fortunately, with the right combination of proactive cybersecurity and defensive technology, lateral movement can be stopped. To discern lateral movement and prevent attacks from spreading, SenseOn automatically correlates suspicious network behaviour to the MITRE ATT&CK framework. To help defenders spot lateral movement, here is a quick guide to the kind of behaviour MITRE and SenseOn use to classify lateral movement.

MITRE ATT&CK Lateral Movement Techniques

As used by SenseOn’s self-driving cyber defence platform, MITRE currently identifies nine techniques under the lateral movement (TA0008) tactic.

Exploitation of remote services

After accessing a corporate network, attackers typically start a scan or probe to find vulnerabilities in remote services like Microsoft’s Server Message Block (SMB) and Remote Desktop Protocol (RDP). This is known as exploitation of remote services (T1210).

According to a Coveware report, this kind of remote service hijacking can be seen in 39% of ransomware cases. More than two-thirds of lateral movement incidents involve RDP applications. 

For example, the infamous NSA-developed EternalBlue vulnerability (CVE-2017-0143) allowed attackers to use an SMB vulnerability to obtain privileged access to infected networks. In 2021, Guardicore discovered an attack campaign known as Indexsinas (or “NSABuffMiner”). The attack used SMB servers still vulnerable to 2017’s EternalBlue exploit to breach networks and install backdoors on infected systems.

Internal spearphishing

Internal spear phishing (T1534) involves an attacker exploiting a trusted internal account to steal more credentials, unlock new permissions, or deliver a payload directly. 

Using this method, cybercriminals use compromised corporate email accounts to either trick other network users into revealing credentials or downloading remote access tools and/or malware directly. Spotting an internal spearphishing attack is very difficult because emails appear to come from a genuine account. 

Threat actors that use internal spearphishing for lateral movement include Gamaredon Group, Kimsuky, Leviathan, and Lazarus Group

Lateral tool transfer

Using the lateral tool transfer tactic (T1570), attackers transfer malware from one system to another. They do this by exploiting administrative accounts, network drives, removable media, or open SMB file servers. Their goal is to create backdoors to other systems within a victim’s network.

The Chinese hacking group Chimera uses lateral tool transfer to copy Cobalt Strike and other remote access tools from one compromised system to the next, bypassing security controls designed to detect external threats only. This kind of defence evasion has allowed Chimera to remain undetected in corporate systems for up to three years.

Remote service session hijacking

In some cases, cybercriminals may be able to take over pre-existing network sessions using remote service session hijacking (T1563). MITRE lists two sub-techniques under remote service session hijacking: Secure Shell or SSH hijacking (T1563.001) and Remote Desktop Protocol or RDP hijacking (T1563.002).

Remote service session hijacking is different from remote services (below) in that it does not create a new session through valid user accounts but instead takes control of a user’s initial connection. This is what makes detection so difficult—to most security tools, this action seems to have come from an authorised user behind a network firewall. 

The Wannacry ransomware has been noted to enumerate RDP sessions to hijack previously disconnected sessions. This allows threat actors to look like legitimate users, pivoting attacks across a corporate network undetected.

Remote services

Through techniques like credential dumping, threat actors can obtain and abuse valid credentials of existing accounts to use remote services (T1021) as a method for lateral movement.

MITRE lists six sub-techniques under remote services: Remote Desktop Protocol (T1021.001), SMB/Windows Admin Shares (T1021.002), Distributed Component Object Model (T1021.003), SSH (T1021.004), Virtual Network Computing or VNC (T1021.005), and Windows Remote Management (T1021.006). 

Threat actor Fox Kitten has been observed by CISA to log into RDP with valid account credentials and then conduct lateral movement in the environment. 

Replication through removable media

Even air-gapped or disconnected machines can fall victim to lateral movement. Threat actors can copy malware to removable media that will automatically spread malware when inserted into different workstations.

In the first half of 2021, 77% of lateral movement techniques involved replication through removable media (T1091).

The threat group APT30 designs its malware components to replicate through removable drives. For instance, according to FireEye, APT30’s SHIPSHAPE malware component hides existing files and folders on a removable drive and copies executable files to the drive using the same names as the original documents but with an .exe extension. Because the extensions are hidden, users are unaware that the executables are not original documents.

Software deployment tools

Compromised software deployment tools (T1072) is another technique cybercriminals use for lateral movement. By compromising third-party software, cybercriminals can move laterally within that network to gain persistence on multiple machines connected to the system. 

Silence, Threat Group 1314, and APT32 all use software deployment tools for lateral movement. For example, APT32 compromised McAfee ePO infrastructure to mask their malware distribution as a software update, which allowed them to move laterally. 

Tainted shared content

Tainting shared content (T1080) involves cybercriminals adding content tainted with malicious programs or exploit code to legitimate files in shared locations on a corporate network. When an unsuspecting user opens the tainted content, they will unknowingly download and run malicious content that allows the threat actor to move laterally. 

These files typically have what appear to be legitimate filenames and are designed by bad actors to execute a user’s action so as not to arouse suspicion. 

The notorious Conti ransomware gang, which has recently rebranded, is known to use network shared drives to spread across the network and infect other remote machines.

Use alternate authentication material

To bypass credential requirements from standard system access controls, malicious actors can use alternate authentication material (T1550). This includes things like Kerberos tickets and API tokens. 

MITRE lists four sub-techniques under this technique: application access token (T1550.001), pass the hash (T1550.002), pass the ticket (T1550.003), and web session cookie (T1550.004). 

APT1, Chimera, and GALLIUM are just some of the groups that have used alternate authentication material to bypass system access controls.

Stopping Lateral Movement with SenseOn

MITRE ATT&CK is a powerful resource for defenders, but understanding how lateral movement happens is not the same as mitigation. To  reduce the risk of lateral movement, organisations need to equip their defenders with tools that both give them real-time visibility and also link network logs to real-world threat behaviour. 

Through its patented threat triangulation technology, SenseOn does just that. Eliminating false positives, SenseOn mimics a skilled human analyst, analysing each suspicious event based on data from multiple sources and comparing it to MITRE tactics. If a behaviour is deemed “normal,” SenseOn won’t flag it as an alert.

On the other hand, when it comes across behaviours that are obviously malicious, SenseOn collates them into a threat “Case,” complete with a full timeline of all the observations and a description of ATT&CK techniques detected. 

Arrange a demo of SenseOn today.

Previous
Previous

MITRE ATT&CK Initial Access Techniques: How Attackers Gain Access to Corporate Networks

Next
Next

Why Faster Ransomware Detection Requires Blended Security