Why Do Organizations Need to Simulate Lateral Movement Attacks?

By Sıla Özeren • January 02, 2023


Introduction

New technologies improve our organizations and change how businesses operate and solve problems. However, the more we integrate new technologies into our organizations, the more we enlarge our attack surface to cyber threats. As organizations' IT environments have grown and expanded, attackers have evolved their tactics beyond traditional malware attacks to include more sophisticated techniques such as lateral movement attacks.

Lateral movement attacks are a common tactic that attackers use to move laterally within an organization's network and gain access to sensitive data or systems. These attacks often involve using stolen credentials or exploiting vulnerabilities to reach systems that are not directly accessible from the initial point of entry. Studies show that adversaries spend 80% of their attack time moving laterally across the compromised network [1].

Cyber threat actors develop more stealthy, sophisticated, and disruptive lateral movement techniques every day, and detective security controls are struggling to keep up with them. Research shows that 96% of lateral movement behavior does not trigger a corresponding alert in SIEM solutions [2]. Organizations are fighting almost blindly against lateral movement attacks while adversaries remain undetected in the compromised network for a long time.

These concerning statistics raise the following question: "How can your organization be ready for a lateral movement attack if your security controls fail to detect it?" In this blog post, we explain why organizations need to simulate lateral movement attacks.

Why Do Organizations Need to Simulate Lateral Movement Attacks?

Nowadays, seeing thousands of users and computers in an organization's IT infrastructure is not surprising. Such infrastructures are enormous, and organizations use network segmentation and access management to protect their valuable assets. As a result, moving laterally through the target's infrastructure and jumping from one network segment to another has become prevalent in cyberattacks against organizations.

Consequently, adversaries spend a great deal of time and effort on moving laterally from one network segment to another to achieve their goals. Since lateral movement techniques are common in attack campaigns, organizations are advised to simulate lateral movement attacks before a sophisticated threat actor performs a real one.

In this section, we explain why performing lateral movement simulations needs to be a common practice and part of organizations' security validation and mitigation process.

1. Lateral Movement Attacks Are at the Core of Attack Paths

Not every asset in your organization is equally business-critical, and trying to protect everything in your organization is an unrealistic goal to meet. You can think of your organizational assets as chess pieces. Even for a great chess player, one thing is sure: nobody can protect every piece on the board. Some pieces are more valuable and therefore require more protection than others. Simply put, a simple stock photo should not get the same security effort as your employees' personally identifiable information does.

Therefore, organizations should protect critical assets by managing attack paths effectively instead of trying to protect everything. An attack path is the visualization of a route that an adversary may take to exploit a vulnerability, misconfiguration, or weak point in your organization's security infrastructure. Your organization might have thousands or millions of attack paths consisting of isolated and non-critical vulnerabilities, especially if you use directory services. As these isolated or non-critical vulnerabilities are not a true reflection of your organization's security posture, it is essential to prioritize the critical attack paths that can lead to the compromise of the valuable assets within your organization.

Prioritizing critical attack paths becomes far easier once possible attack paths are visualized and managed. The first step of attack path visualization is to identify the organization's valuable assets. Then, organizations can visualize the attack paths that may lead attackers to those assets. Attack path visualization enables organizations to protect their valuable assets with less effort.

Through lateral movement attack simulations, blue teams can focus on 5% of security risks that make a difference for the organization rather than 95% of the security risks that do not require immediate attention.
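The prioritization argument above can be made concrete with a small graph walk. The following is an added example, not code from the original post or from Picus: hosts are nodes, each directed edge is a hypothetical lateral-movement opportunity found during discovery, and the constructed labels (`workstation-1`, `domain-controller`, and so on) are assumptions. Only the hops that lie on a path from an entry point to a crown jewel are flagged as critical; every other edge is an isolated weakness that can wait.

```python
from collections import deque

# Constructed sample inventory. Keys are hosts, values are hosts an attacker
# could move to from there (e.g. a reachable service plus a reusable credential).
EDGES = {
    "workstation-1": ["file-srv", "print-srv"],
    "workstation-2": ["print-srv"],
    "print-srv": ["kiosk"],
    "file-srv": ["db-srv"],
    "db-srv": ["domain-controller"],
    "kiosk": [],
    "domain-controller": [],
    "lab-box": ["lab-nas"],  # isolated lab segment, no route to crown jewels
    "lab-nas": [],
}
ENTRY_POINTS = ["workstation-1", "workstation-2", "lab-box"]  # likely initial access
CROWN_JEWELS = {"domain-controller"}  # the valuable assets identified in step one


def paths_to_crown_jewels(edges, entry_points, crown_jewels):
    """Enumerate simple paths (no repeated host) from each entry point to a crown jewel."""
    paths = []

    def dfs(node, path):
        if node in crown_jewels:
            paths.append(list(path))
            return
        for nxt in edges.get(node, []):
            if nxt not in path:  # avoid cycles
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    for entry in entry_points:
        dfs(entry, [entry])
    return paths


def prioritize(edges, entry_points, crown_jewels):
    """Split lateral-movement hops into those on a path to a crown jewel and the rest."""
    all_hops = {(src, dst) for src, dsts in edges.items() for dst in dsts}
    critical = {
        (p[i], p[i + 1])
        for p in paths_to_crown_jewels(edges, entry_points, crown_jewels)
        for i in range(len(p) - 1)
    }
    return {"critical": sorted(critical), "isolated": sorted(all_hops - critical)}


if __name__ == "__main__":
    result = prioritize(EDGES, ENTRY_POINTS, CROWN_JEWELS)
    print("validate and build detections for:", result["critical"])
    print("lower priority:", result["isolated"])
```

With this inventory, three of the seven possible hops lie on the single path to the domain controller; the other four, including every hop in the lab segment, can be deprioritized.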

2. Lateral Movement Attacks Are Costly

Lateral movement is prevalent in attack campaigns, such as targeted cyber espionage, ransomware, and data exfiltration attacks. A quantitative analysis conducted by VMware, Lateral Movement in the Real World (2022) [3], shows that 45% of intrusions contain a lateral movement event. As we previously discussed in our Lateral Movement Attacks 101 blog, rather than just compromising a single machine and/or staying on a low-privileged network segment, adversaries expand their access through lateral movement techniques in search of an organization's critical assets that contain juicy and sensitive information.

Lateral movement techniques take 80% of an adversary's attack time, and these techniques also require sophisticated technical skills, effort, and experience to deliver successful attack campaigns. Although moving laterally is not usually the adversaries' ultimate goal, lateral movement dramatically improves the overall impact of their cyber attack. According to the report published by IBM, Cost of a Data Breach Report [4], "data breach average cost increased 2.6% from USD 4.24 million in 2021 to USD 4.35 million in 2022". Moreover, the same report reveals that while 83% of businesses suffer from more than one data breach attack in their lifetime, 60% of organizations' breaches led to increased prices passed on to customers. Thus, organizations are impacted financially, and regular customers bear the financial burden of data breaches.

3. Lateral Movement Attacks Are Hard to Detect

Detecting lateral movement attacks is hard because it is difficult to differentiate between legitimate and malicious network traffic and/or user actions. According to the Security Effectiveness Report (2021), 54% of the "techniques and tactics used to execute testing of the lateral movement were missed". Moreover, the same report reveals that 96% of lateral movement behavior does not trigger a corresponding alert in the SIEM [5]. In other words, organizations are fighting almost blindly against lateral movement attacks.

The fact that attackers jump between different endpoints makes stopping the attack even more difficult. In addition, even if the security staff identifies the first compromised endpoint, unplugging the infected machine serves no purpose, as the attackers have probably already gone deeper and are busy enumerating other network segments and domains and harvesting credentials belonging to domain users.

4. Detections Can Be Improved with Attack Simulations

Lateral movement techniques are one of the key differences between a sophisticated Advanced Persistent Threat (APT) attack and a simple cyberattack performed against a single endpoint. Skillful attackers target organizations with sensitive data worth selling on the black market or asking for ransom. Thus, these highly motivated and skilled cyber threat actors aim to compromise as many machines within the organization's network as possible.

How Can Organizations Deal With Lateral Movement Attacks?

In the previous section, we discussed why lateral movement is hard to detect and how SIEM products perform poorly at triggering a corresponding alert for lateral movement attacks. However, SIEM technologies are highly configurable, and their performance can be improved immensely with the right approach.

At Picus Security, we highly recommend that organizations follow Picus' four-step Discover-Validate-Prioritize-Optimize process to identify the possible attack paths within their environment and prioritize the mitigation of critical attack paths targeting their crown jewels.

  • Discover your entire attack surface, external and internal networks, and your cloud environment.
  • Validate your current security posture with a hacker-like mentality and uncover your critical security gaps.
  • Prioritize the mitigation of your most critical attack paths to maximize the efficacy of your security infrastructure.
  • Optimize your security program in a continuous manner to improve your resilience and reduce your business-critical risk.

For continuous improvement, organizations are highly advised to repeat the process and validate the efficacy of applied measures.

Figure 1. Picus' Continuous Security Validation Approach

Conclusion

Lateral movement attacks are a common tactic used by attackers to gain access to and move through a network. By simulating these types of attacks, organizations can test the effectiveness of their security measures, identify potential weaknesses in their network defenses, and take steps to address them before a real attack occurs. This helps them to improve their defenses and prevent attackers from being successful.

Additionally, simulating lateral movement attacks can help organizations better understand the tactics, techniques, and procedures (TTPs) used by attackers. This knowledge can be invaluable in developing more effective security strategies and improving the organization's ability to detect and respond to attacks. Thus, lateral movement attack simulations greatly improve an organization's cybersecurity visibility and allow it to strengthen its defenses against APT actors, ransomware groups, state-sponsored threat actors, and many others.

What Is Next?

In this blog, we explained why organizations need to simulate lateral movement attacks under four main subheadings. In the upcoming blog, we will discuss how to simulate lateral movement like advanced attackers, such as APT groups.

References

[1] "Top Lateral Movement Techniques – The Red Team Edition," Smokescreen, Aug. 17, 2020. [Online]. Available: https://www.smokescreen.io/library/siege-craft/top-lateral-movement-techniques/. [Accessed: Sep. 21, 2022]

[2] "Mandiant Security Effectiveness Report: Deep Dive into Cyber Reality," Mandiant, Sep. 23, 2021. [Online]. Available: https://www.mandiant.com/resources/security-effectiveness-2020-deep-dive-into-cyber-security-reality. [Accessed: Aug. 31, 2022]

[3] "Lateral Movement in the Real World: A Quantitative Analysis," VMware, 2022. [Online]. Available: https://blogs.vmware.com/security/2022/06/lateral-movement-in-the-real-world-a-quantitative-analysis.html

[4] "Cost of a Data Breach Report 2022," IBM. [Online]. Available: https://www.ibm.com/downloads/cas/3R8N1DZJ. [Accessed: Dec. 05, 2022]

[5] "Internet Crime Report 2021," FBI IC3. [Online]. Available: https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf. [Accessed: Dec. 05, 2022]