
The danger of lateral movement

Lateral movement is the step in a typical attack chain in which an attacker, starting from an initially compromised internal endpoint, moves on through the network to reach further systems. The overall aim is to take control of critical systems in order to exfiltrate data or to disrupt operations, e.g. by deploying ransomware.

The initial compromise can happen in many ways, such as through malicious e-mails, websites or portable storage. Lateral movement is then a recursive effort: from endpoints that are already compromised and externally controlled, the attacker spreads to other internal endpoints that are not yet compromised. This is not limited to unknown or unpatched vulnerabilities; in practice it mostly relies on stolen or reused credentials and on the legitimate administration protocols (SMB, RDP, WinRM, SSH) that a flat network lets every host reach.


What is to be done?

Detection and remediation

Ultimately, detection works most efficiently by recognising unusual application behaviour and traffic patterns, both in the network and on managed endpoints: a workstation that suddenly opens administrative sessions to many of its peers, or a pair of hosts that has never communicated before. Recent advances in machine learning and artificial intelligence have opened up significant possibilities to automate rapid detection and remediation, for instance by instructing network enforcement services to isolate or quarantine affected systems.
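The two traffic patterns mentioned above can be spotted with simple logic over flow records. The following is an added example (not code from the original post): it assumes flow records arrive as "timestamp src dst dport" lines, as a NetFlow- or Zeek-style collector could export them, and that a baseline of (src, dst, dport) triples observed during normal operation is available. The sample traffic and the baseline are constructed. The fan-out heuristic flags a source that reaches many distinct internal hosts on administrative ports within a short window; the novelty heuristic flags internal host pairs on those ports that the baseline has never seen. Port list, window and threshold are assumptions to be tuned per environment.

```python
"""Detection of lateral-movement traffic patterns over constructed flow records.

Added example, not code from the original post. Assumptions: flow records are
'timestamp src dst dport' lines as a NetFlow/Zeek-style collector could export,
and a baseline of (src, dst, dport) triples seen during normal operation exists.
Two heuristics are applied:
  1. fan-out: one internal source opening admin-protocol sessions to many
     distinct internal hosts within a short window (scanning/spraying);
  2. novelty: an internal host pair on an admin port that the baseline has
     never seen (a workstation suddenly talking SMB to a peer).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Remote-execution and admin protocols attackers typically ride on when moving laterally.
ADMIN_PORTS = {22: "SSH", 135: "RPC/WMI", 445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-TLS"}
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample traffic: a jump host doing routine admin work, a workstation
# fetching a web page, and the same workstation sweeping its subnet over SMB.
SAMPLE_LOG = """
# ts                  src          dst            dport
2024-03-01T09:00:00 10.0.1.5     10.0.30.10     3389
2024-03-01T09:00:12 10.0.20.17   93.184.216.34  443
2024-03-01T09:01:00 10.0.20.17   10.0.20.18     445
2024-03-01T09:01:07 10.0.20.17   10.0.20.19     445
2024-03-01T09:01:15 10.0.20.17   10.0.20.20     445
2024-03-01T09:01:22 10.0.20.17   10.0.20.21     445
2024-03-01T09:01:30 10.0.20.17   10.0.20.22     445
2024-03-01T09:01:38 10.0.20.17   10.0.20.23     445
2024-03-01T09:10:00 10.0.1.5     10.0.30.11     5985
""".splitlines()

# Constructed baseline: only the jump host normally opens admin sessions.
BASELINE = {("10.0.1.5", "10.0.30.10", 3389), ("10.0.1.5", "10.0.30.11", 5985)}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse_flows(lines):
    """Parse whitespace-separated 'ts src dst dport' records, skipping comments and blanks."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def internal_admin_flows(flows):
    """Keep only internal-to-internal flows on admin ports; everything else is noise here."""
    return [f for f in flows
            if f[3] in ADMIN_PORTS and is_internal(f[1]) and is_internal(f[2])]


def detect_fan_out(flows, window=timedelta(minutes=5), threshold=5):
    """Return {src: max distinct internal hosts reached on admin ports within any window}
    for every source at or above the threshold."""
    per_src = defaultdict(list)
    for ts, src, dst, _ in sorted(internal_admin_flows(flows)):
        per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        for i, (start, _) in enumerate(events):
            hosts = {d for t, d in events[i:] if t - start <= window}
            if len(hosts) >= threshold:
                alerts[src] = max(len(hosts), alerts.get(src, 0))
    return alerts


def detect_new_pairs(flows, baseline):
    """Admin-port host pairs absent from the baseline, i.e. relationships that never existed before."""
    return sorted({(src, dst, dport) for _, src, dst, dport in internal_admin_flows(flows)
                   if (src, dst, dport) not in baseline})


FLOWS = parse_flows(SAMPLE_LOG)

if __name__ == "__main__":
    for src, n in detect_fan_out(FLOWS).items():
        print(f"fan-out: {src} reached {n} internal hosts on admin ports -> candidate for quarantine")
    for src, dst, dport in detect_new_pairs(FLOWS, BASELINE):
        print(f"new pair: {src} -> {dst}:{dport} ({ADMIN_PORTS[dport]}) never seen in baseline")
```

On the constructed sample the workstation 10.0.20.17 trips both heuristics (six SMB peers in under a minute, none of them in the baseline), while the jump host's two routine sessions trip neither. In a real deployment the fan-out output is what an automated response would hand to the network enforcement point as a quarantine request; the novelty output is better suited to analyst triage, since a new legitimate service will show up there as well.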

Reduction of attack surface

While the saying «It is not a matter of "if" your company will be hacked, but "when"» is by now common knowledge, one still tends to believe that one's own company will not be among those facing a (further) cyber security incident. It is, however, of utmost importance to follow a zero-trust approach and to limit communication between devices to what is actually required. This greatly slows down lateral movement, which in turn makes detection and remediation quicker and more efficient.

Two basic options are available for this:

1) Endpoint-agent-based solutions with central control engines that can be deployed either on-premises or in the cloud. Because enforcement happens on the host itself, these solutions can restrict traffic even between neighbours in the same subnet, and they often also support IPsec encryption between endpoints and deep packet inspection for machines and users in critical functions.

2) Network-based solutions that allow zoning at network level without the need to re-IP networks and endpoints and, above all, without requiring agent support on the endpoint, which makes them the option for legacy and unmanaged devices. Routing traffic between zones through dedicated firewalls (so that east-west traffic is inspected, not only the north-south traffic at the perimeter) allows for comprehensive logging and deep packet inspection; traffic within a zone, however, never reaches those firewalls.

Both options have their advantages and disadvantages, and very often a combination of the two proves to be the right choice for securing environments that mix managed and legacy endpoints.
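How much each option actually slows an attacker down can be made concrete by computing the lateral-movement blast radius under each policy. The following is an added example (not code or policy from the original post) that serves both the zero-trust point above and the comparison of the two options. It assumes hosts are assigned to zones by CIDR, that a policy is a default-deny set of allow rules (source zone, destination zone, port), and that network-level zoning cannot filter traffic inside a zone while a host agent can. The host inventory, zones and rule set are constructed; the set of ports counted as "a foothold" is an assumption.

```python
"""Blast-radius comparison of a flat network, network-level zoning and host-based
microsegmentation. Added example, not code or policy from the original post.

Assumptions: hosts are assigned to zones by CIDR; a policy is a default-deny set of
allow rules (src_zone, dst_zone, dport) plus a flag saying whether traffic inside a
zone is filtered at all. Network-level zoning (option 2) cannot filter inside a zone,
a host agent (option 1) can. reachable() models worst-case lateral movement: every
host the attacker can open an admin-protocol session to is compromised in turn.
"""
import ipaddress
from collections import deque

ZONES = {
    "workstations": ipaddress.ip_network("10.0.20.0/24"),
    "jump":         ipaddress.ip_network("10.0.1.0/24"),
    "servers":      ipaddress.ip_network("10.0.30.0/24"),
    "db":           ipaddress.ip_network("10.0.40.0/24"),
}
# Constructed inventory of hosts in the environment.
HOSTS = ["10.0.20.17", "10.0.20.18", "10.0.20.19", "10.0.1.5",
         "10.0.30.10", "10.0.30.11", "10.0.40.5"]
# Ports that give an attacker an interactive or remote-execution foothold (assumption).
ADMIN_PORTS = {22, 445, 3389, 5985}

# Only the communications the business actually needs (constructed rule set).
REQUIRED = {
    ("jump", "servers", 3389),
    ("jump", "servers", 5985),
    ("servers", "db", 5432),
    ("workstations", "servers", 443),   # users reach the web tier, nothing else
}

FLAT = {"rules": None, "filter_intra_zone": False}                # no enforcement point anywhere
NETWORK_ZONED = {"rules": REQUIRED, "filter_intra_zone": False}   # firewalls between zones only
MICROSEG = {"rules": REQUIRED, "filter_intra_zone": True}         # host agents enforce everywhere


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)


def allowed(policy, src, dst, dport):
    """Default-deny policy evaluation for one flow."""
    if policy["rules"] is None:
        return True                                   # flat network: nothing filters
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return False                                  # unknown host: deny
    if sz == dz and not policy["filter_intra_zone"]:
        return True                                   # zone firewalls never see this traffic
    return (sz, dz, dport) in policy["rules"]


def reachable(policy, compromised):
    """Set of hosts an attacker starting on `compromised` can take over, transitively."""
    seen, queue = {compromised}, deque([compromised])
    while queue:
        src = queue.popleft()
        for dst in HOSTS:
            if dst not in seen and any(allowed(policy, src, dst, p) for p in ADMIN_PORTS):
                seen.add(dst)
                queue.append(dst)
    return seen - {compromised}


if __name__ == "__main__":
    for name, policy in (("flat", FLAT), ("network zoning", NETWORK_ZONED), ("microsegmentation", MICROSEG)):
        hit = reachable(policy, "10.0.20.17")
        print(f"{name:18s}: a compromised workstation can take over {len(hit)} further hosts {sorted(hit)}")
```

With the constructed policy a compromised workstation can take over every other host in the flat network, only its two subnet neighbours under network-level zoning, and nothing at all under host-based enforcement, while the jump host keeps exactly the two server sessions it needs under both segmented policies. The same model is useful the other way round: running `reachable` from each host before rolling out a rule set shows which required flows are still missing.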

Conclusion

Detection and remediation, as well as the reduction of the attack surface, go hand in hand and should always be implemented so that they work together: segmentation slows the attacker down and turns blocked connection attempts into visible signals, detection picks those signals up, and remediation isolates the source. A number of mature solutions are available, and there is no one-size-fits-all approach, as the right combination is determined by the environment to be secured.
