lateral movement (noun) [Word Notes] - Hacking Humans

Summary

Hacking Humans: Understanding Lateral Movement in Cyber Attacks

Podcast Information:

Title: Hacking Humans
Host/Author: N2K Networks
Episode: Lateral Movement (Noun)
Release Date: January 14, 2025
Description: Explores deception, influence, and social engineering within the realm of cybercrime.

Introduction to Lateral Movement

In the January 14, 2025 episode of Hacking Humans, host Rick Hauer delves deep into the concept of lateral movement—a critical phase in the cyber adversary’s attack sequence. Lateral movement refers to the techniques used by cybercriminals to move within a victim's network after the initial breach, aiming to access valuable data or achieve destructive objectives.

Rick Hauer begins by defining lateral movement:

“Lateral for adjacent and movement for an act of changing location or position. Definition: the phase of a typical cyber adversary group's attack sequence after the initial compromise, and usually after the group has established a command and control channel where the group moves through the victim's network by compromising as many systems as it can...” ([01:34])

The Kill Chain Framework

Central to understanding lateral movement is the Kill Chain model, originally a military concept adapted for cybersecurity by Lockheed Martin researchers. This framework outlines the stages adversaries must navigate to achieve their objectives.

Rick Hauer references the seminal 2010 paper by Hutchins, Cloppert, and Amin, highlighting that:

“All cyber adversaries have to negotiate the same attack milestones to be successful. Regardless of their motivation, they must traverse the same digital ground to complete their task.” ([01:34])

The classic Kill Chain stages include:

Reconnaissance: Gathering information about the target.
Weaponization: Creating malicious payloads.
Delivery: Transmitting the payload to the target.
Exploitation: Executing the payload to gain access.
Installation: Establishing persistence within the network.
Command and Control (C2): Maintaining communication with compromised systems.
Actions on Objectives: Achieving the attacker’s goals, which includes lateral movement.

Case Study: The SolarWinds Attack

To illustrate lateral movement, Hauer discusses the infamous SolarWinds breach orchestrated by the threat group known as Dark Halo (also referred to as Nobelium, Solar Storm, Stellar Particle, and UNC 2452).

Key Points:

Initial Compromise: Dark Halo infiltrated the SolarWinds software update system, distributing malicious code to its extensive customer base.
Lateral Movement: The group systematically compromised adjacent machines, targeting both administrative credentials and Azure Microsoft 365 authentication details to expand their foothold within victim networks.

This sophisticated attack underscores the potency of lateral movement in propagating breaches across vast and interconnected systems.

Expert Insights: Mike Cloppert on the Kill Chain

Bringing further depth to the discussion, Mike Cloppert, one of the original authors of the Lockheed Martin Kill Chain concept, shares his expertise in a segment at [05:30].

Mike Cloppert elaborates on each Kill Chain stage:

“Reconnaissance as we originally defined it, we've actually expanded that to include reconnaissance and precursors. So that's anything that happens ahead of the intrusion, acquiring infrastructure, standing it up, getting everything ready.” ([05:30])

“Weaponization is more what is happening with the malicious payload that is going to be delivered?... Delivery, of course, is how you get your weaponized package to the end target.” ([05:30])

“Exploitation you can think of as detonation takes the form of technical or human exploitation. So social engineering is an exploit, right?” ([05:30])

“Installation is essentially the persistent stage where the automated code is doing something to maintain its presence on the target device.” ([05:30])

“Command and Control is the establishment of the ultimate control plane over the now compromised system...” ([05:30])

“Actions on objectives is anything that happens after the adversary picks up the telephone and gets the dial tone. And that is elevation of privilege, that is lateral movement...” ([05:30])

Cloppert emphasizes that:

“We have seven opportunities here to detect, respond, and defend, and the adversary has to get all these right before they meet their objective...” ([05:30])

This structured approach not only aids in understanding adversary tactics but also highlights multiple defensive checkpoints to thwart attacks at various stages.

Detection and Defense Strategies

The episode underscores the importance of vigilance at each Kill Chain stage to mitigate threats. Particularly, during the Actions on Objectives phase, focusing on monitoring lateral movement can significantly reduce the risk of extensive network compromise.

Key Strategies Include:

Continuous Monitoring: Keeping an eye on network traffic and user behaviors to identify unusual patterns indicative of lateral movement.
Segmentation: Implementing network segmentation to limit attacker access across different segments.
Credential Management: Protecting administrative and authentication credentials to prevent easy escalation of access.

By understanding and addressing each stage, organizations can build robust defenses against sophisticated cyber threats.

Conclusion

The Hacking Humans episode on lateral movement provides a comprehensive exploration of a pivotal phase in cyber attacks. Through definitions, real-world examples like the SolarWinds breach, and expert insights from Mike Cloppert, listeners gain a nuanced understanding of how adversaries navigate networks to achieve their objectives. The discussion not only demystifies lateral movement but also equips organizations with actionable strategies to detect and defend against such threats effectively.

Notable Quotes:

“All cyber adversaries have to negotiate the same attack milestones to be successful...” – Rick Hauer ([01:34])
“We have seven opportunities here to detect, respond, and defend...” – Mike Cloppert ([05:30])

For those seeking to bolster their cybersecurity posture, this episode serves as an invaluable resource, shedding light on the intricate mechanisms of cyberattacks and the defensive measures necessary to counter them.

Transcript

A (0:02)

You're listening to the Cyberwire network, powered by N2K.

B (0:11)

And now a message from our sponsor. Zscaler, the leader in cloud security enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year over year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible eliminating lateral movement connecting users only to specific apps, not the entire network continuously verifying every request based on identity and context simplifying security management with AI powered automation and detecting threats using AI to analyze over 500 billion daily transactions hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more@zscaler.com Security.

A (1:34)

The word is lateral movement spelled lateral for adjacent and movement for an act of changing location or position. Definition the phase of a typical cyber adversary group's attack sequence after the initial compromise, and usually after the group has established a command and control channel where the group moves through the victim's network by compromising as many systems as it can by looking for the data it has come to steal or to destroy. Example Sentence Fancy Bear Members move laterally within the Democratic Congressional Campaign Committee, or dccc, and the Democratic National Committee or DNC networks, compromising other victims Machines seeking files and folders that mention Benghazi and opposition Research Origin and context during the first Gulf War in 1991, Iraq's mobile Scud missiles gave the United States Air Force and Navy pilots trouble. Iraqi soldiers were able to fire them long before the US Planes could find their location and blow them up. After the war, US Air Force General John Jumper addressed the issue by changing air combat doctrine and formalizing the techniques necessary to compress the time to find and kill the enemy on the battlefield. He called the new doctrinal model Find, Fix, Track, Target, Engage and assess or F2T2 eh for short, because you know military acronyms. More simply, they call it the kill chain. Jumper's mandate to the Air Force was to compress the kill chain from hours or days to under 10 minutes. Fast forward to 2010. The Lockheed Martin research team took the kill chain idea and applied it to cyber defense. They published the now historic paper Intelligence Driven Computer Network Defense informed by analysis of Adversary Campaigns and Intrusion Kill Chains by Hutchins, Cloppert and Amin. The author's main thesis is that cyber adversaries, regardless of their motivation, crime, espionage, hacktivism, low level cyber conflict or just general mischief, and regardless of the toolset they use, must traverse the same digital ground to complete their task. All cyber adversaries have to negotiate the same attack milestones to be successful. Since publication, many researchers have added their spin to the kill chain idea, but the general idea has remained the same. In the original paper, the Lockheed Martin research team labeled the milestones as recon, weaponization, delivery, exploitation, installation, command and control, and actions on the objectives. Within the actions on the objectives milestone, the authors describe lateral movement. Take for instance the supply chain attack on the Texas based IT management company SolarWinds. The adversary group behind the attacks, Dark Halo, aka Nobelium, Solar Storm, Stellar Particle and UNC 2452 gained initial access by compromising the SolarWinds software update system and delivering malicious code to the SolarWinds customer base. For lateral movement, Dark Halo compromised adjacent machines looking for administrative credentials generally and Azure Microsoft 365 authentication credentials. Specific Nerd Reference In a Morgan Franklin consulting webinar in 2021, Mike Cloppert, one of the authors of the original Lockheed Martin paper, described the kill chain this way.