September 18, 2023

Lateral Movement and What You Can Do About It

Devin Bernosky

VP, Solutions Engineering & Customer Success

The attacker here represents the concept of lateral movement, showing how this enables attackers to traverse a network after gaining initial entry.


In a cybersecurity landscape that's evolving at an unprecedented pace, the concept of lateral movement has become a focal point of concern. This process enables attackers to traverse a network after gaining initial entry, often culminating in data breaches and other cyber incidents. Traditional security measures, particularly perimeter-based defenses like VPNs, are increasingly proving inadequate. These conventional methods may gate access to a network but offer little control over activities within, making them susceptible to lateral movement attacks. Enter BastionZero—a next-generation, cloud-based Zero Trust Access Platform. Designed to transcend the limitations of perimeter-based security, BastionZero provides granular access control, zero-trust authentication, and multiple independent roots-of-trust. This blog post will delve into how BastionZero's advanced security architecture offers a comprehensive and effective defense against lateral movement, thereby safeguarding your organization's most valuable assets.

Understanding Lateral Movement in Cybersecurity

Lateral movement is a term that encapsulates the strategies employed by cyber attackers to navigate through a network in search of sensitive data and high-value assets. Unlike perimeter-based security measures, which often focus on keeping attackers out of the network through firewalls or VPNs, lateral movement deals with the threats that occur once an attacker has already gained initial access. 

Objectives of Lateral Movement

  1. Privilege Escalation: One of the primary objectives is to escalate privileges. An attacker may initially gain access as a low-level user but aims to acquire administrative or root-level access.
  2. Information Gathering: The attacker may seek to map out the network, identifying key assets, network topology, and security measures in place.
  3. Data Exfiltration: Ultimately, the attacker may aim to steal sensitive data, which could be anything from intellectual property to personal information.
  4. Persistence: Ensuring that they can maintain access over a period, often by installing backdoors or other malicious software.

Lessons from the Past: A Historical Perspective on Objectives and Techniques

Before we delve into the techniques employed for lateral movement, it's instructive to look back at some of the most notorious cyber attacks that have exploited this strategy. For instance, the 2014 Sony Pictures hack involved attackers moving laterally across the network to locate and destroy data, causing significant financial and reputational damage. Similarly, the WannaCry ransomware attack of 2017 utilized lateral movement to propagate itself across global networks, encrypting data and demanding ransom payments.

These historical incidents serve as cautionary tales that underscore the importance of understanding not just the objectives but also the techniques involved in lateral movement. They highlight the devastating consequences of failing to mitigate such internal threats effectively. With these real-world examples in mind, let's examine the specific techniques that attackers use to navigate through a network once they've gained initial access.

Attack Patterns

  1. Initial Compromise: Attackers gain initial access through methods like phishing, exploiting vulnerabilities, or using stolen credentials.
  2. Privilege Escalation: Once inside, attackers often escalate their privileges to gain greater control over the system.
  3. Internal Reconnaissance: Attackers perform internal reconnaissance to understand the network topology and identify target systems.
  4. Credential Harvesting: Credentials are collected from the compromised system for use in subsequent attacks.
  5. Exploitation of Trust Relationships: Many networks have systems that inherently trust each other. Attackers exploit these trust relationships to move laterally.
  6. Use of Legitimate Tools: Attackers frequently use legitimate system admin tools, making detection more challenging.
  7. Data Aggregation: After reaching the target systems, attackers often aggregate data in a staging area before exfiltration.

Common Techniques for Lateral Movement

When it comes to lateral movement, attackers employ a variety of sophisticated techniques that often bypass traditional, perimeter-based security measures. While firewalls and VPNs may serve as initial barriers, they are generally ineffective against the following advanced lateral movement techniques:

  1. Pass-the-Hash (PtH): Capturing NTLM hashes to authenticate to other systems without needing the actual password.
  2. Remote Code Execution: Using tools like PowerShell, PsExec, or WMI to execute code remotely on target systems.
  3. SSH Hopping: In Unix/Linux environments, using SSH keys to move from one system to another.
  4. Kerberoasting: Exploiting the Kerberos authentication protocol to gain service account credentials.
  5. Lateral Movement Frameworks: Utilizing frameworks like Empire, Mimikatz, and BloodHound that are designed specifically for lateral movement.
  6. Exploiting Trust Relationships: Leveraging inherent trust between network systems to move laterally.
  7. Man-in-the-Middle (MitM) Attacks: Intercepting and altering communications between two parties to steal data or inject malicious content.
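
As a defender-side illustration of the SSH hopping and trust-relationship items above, the following added example (not code from the original post or from BastionZero) correlates accepted sshd logins across hosts and flags a login that originates from a machine someone logged in to shortly before. The host inventory, log lines, 15-minute window, and the `allowed_paths` allow-list are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed inventory and sshd log lines, for illustration only.
HOST_IPS = {"bastion": "10.0.0.10", "web01": "10.0.1.20", "db01": "10.0.2.30"}
SAMPLE_LOG = """\
Sep 18 10:00:05 bastion sshd[811]: Accepted publickey for alice from 203.0.113.7 port 50122 ssh2: ED25519 SHA256:constructed
Sep 18 10:01:10 web01 sshd[899]: Failed password for root from 203.0.113.7 port 50200 ssh2
Sep 18 10:02:40 web01 sshd[902]: Accepted publickey for deploy from 10.0.0.10 port 41810 ssh2: ED25519 SHA256:constructed
Sep 18 10:04:12 db01 sshd[377]: Accepted publickey for root from 10.0.1.20 port 39944 ssh2: RSA SHA256:constructed
Sep 18 14:30:00 web01 sshd[950]: Accepted password for bob from 198.51.100.9 port 52000 ssh2
"""
LOGIN_RE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) (\S+) sshd\[\d+\]: "
    r"Accepted \S+ for (\S+) from (\S+) port \d+")

def parse_logins(log, year=2023):
    """Return time-sorted (when, src_ip, dst_host, user) for accepted logins."""
    events = []
    for line in log.splitlines():
        m = LOGIN_RE.match(line)
        if m:  # failed attempts and non-sshd lines are skipped
            ts, host, user, src = m.groups()
            # syslog timestamps carry no year; the year is an assumption
            when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
            events.append((when, src, host, user))
    return sorted(events)

def find_pivots(events, host_ips, allowed_paths=frozenset(),
                window=timedelta(minutes=15)):
    """Flag logins that originate from a host someone just logged in to."""
    ip_to_host = {ip: name for name, ip in host_ips.items()}
    last_inbound = {}  # host -> latest accepted login that landed on it
    pivots = []
    for when, src, host, user in events:
        via = ip_to_host.get(src)
        prev = last_inbound.get(via)
        if prev and when - prev[0] <= window and (via, host) not in allowed_paths:
            pivots.append({"origin": prev[1], "via": via, "target": host,
                           "from_user": prev[3], "to_user": user})
        last_inbound[host] = (when, src, host, user)
    return pivots

if __name__ == "__main__":
    for p in find_pivots(parse_logins(SAMPLE_LOG), HOST_IPS,
                         allowed_paths={("bastion", "web01")}):
        print(p)
```

With the sanctioned bastion-to-web01 path allow-listed, the only hop reported is web01 to db01, where the account also changes from `deploy` to `root`.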

Why BastionZero is Your Best Bet Against Lateral Movement

In an era where cyber threats are not just evolving but also becoming increasingly sophisticated, traditional security measures are proving to be woefully inadequate. VPNs and firewalls, once considered the bedrock of network security, are now easily circumvented by attackers employing advanced lateral movement techniques. These techniques, as we've seen in notorious attacks like the Sony Pictures hack and the WannaCry ransomware, can lead to devastating outcomes, including data breaches, financial loss, and reputational damage. This is where BastionZero comes into play.

Zero-Trust Architecture: A Paradigm Shift

BastionZero adopts a zero-trust security model, a paradigm shift from the outdated perimeter-based defenses. In a zero-trust environment, trust is never assumed and verification is required at every step. This approach aligns perfectly with the need to counter lateral movement, where an attacker, once inside the network, seeks to escalate privileges and move laterally to achieve their objectives. BastionZero's zero-trust model ensures that even if an attacker gains initial access, their ability to move laterally is severely curtailed.

Granular Access Control: The Antidote to Privilege Escalation

One of the primary objectives of lateral movement is privilege escalation. BastionZero addresses this by implementing granular access controls that are tightly integrated with your Single Sign-On (SSO) solutions. You can specify role-based access down to the individual target level, thereby limiting the scope of any potential privilege escalation.

Just-In-Time Authorization: Countering Persistence

Attackers aim for persistence, often installing backdoors to maintain access over time. BastionZero's just-in-time authorization feature allows you to grant time-limited access to specific roles on specific targets, effectively reducing the window of opportunity for an attacker to establish persistence.

Passwordless Access: Eliminating Credential Harvesting

Credential harvesting is a common technique in lateral movement. BastionZero mitigates this risk through its passwordless access model, thereby eliminating the need for key management and rotation—a significant pain point in traditional VPN-based solutions.

Comprehensive Audit Logging: A Forensic Goldmine

In the event of a security incident, understanding the 'who, what, when, and how' is crucial for both remediation and forensic analysis. BastionZero provides identity-aware logs, session recordings, and access logs, offering a granular view of all activities. This level of detail is invaluable for compliance and can also serve as a forensic goldmine in the aftermath of an attack.

Port Management: Reducing the Attack Surface

Open ports are a common vector for lateral movement techniques like port scanning and exploitation of trust relationships. BastionZero allows you to close unnecessary open ports on your targets, thereby reducing your attack surface and making lateral movement more challenging for potential adversaries.

Multiple Independent Roots-of-Trust: No Single Point of Failure

Finally, BastionZero's architecture is designed with multiple independent roots-of-trust, eliminating single points of compromise and thereby enhancing your overall security posture.

In summary, BastionZero is not just an upgrade but a revolution in how we approach internal network security. Its multi-layered, zero-trust approach not only effectively counters the various techniques employed in lateral movement but also addresses the limitations and vulnerabilities inherent in traditional perimeter-based defenses. With BastionZero, you're not just preventing lateral movement; you're setting a new standard for internal network security.
