A
You're listening to the Cyberwire network, powered by N2K.
B
And now a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible; eliminating lateral movement by connecting users only to specific apps, not the entire network; continuously verifying every request based on identity and context; simplifying security management with AI-powered automation; and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com/security.
A
The word is lateral movement, spelled lateral for adjacent and movement for an act of changing location or position.

Definition: the phase of a typical cyber adversary group's attack sequence after the initial compromise, and usually after the group has established a command and control channel, where the group moves through the victim's network by compromising as many systems as it can while looking for the data it has come to steal or destroy.

Example sentence: Fancy Bear members moved laterally within the Democratic Congressional Campaign Committee, or DCCC, and the Democratic National Committee, or DNC, networks, compromising other victims' machines and seeking files and folders that mention Benghazi and opposition research.

Origin and context: During the first Gulf War in 1991, Iraq's mobile Scud missiles gave United States Air Force and Navy pilots trouble. Iraqi soldiers were able to fire them long before the US planes could find their location and blow them up. After the war, US Air Force General John Jumper addressed the issue by changing air combat doctrine and formalizing the techniques necessary to compress the time to find and kill the enemy on the battlefield. He called the new doctrinal model Find, Fix, Track, Target, Engage and Assess, or F2T2EA for short, because, you know, military acronyms. More simply, they call it the kill chain. Jumper's mandate to the Air Force was to compress the kill chain from hours or days to under 10 minutes. Fast forward to 2010. The Lockheed Martin research team took the kill chain idea and applied it to cyber defense. They published the now historic paper "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" by Hutchins, Cloppert and Amin.
The authors' main thesis is that cyber adversaries, regardless of their motivation (crime, espionage, hacktivism, low-level cyber conflict or just general mischief), and regardless of the toolset they use, must traverse the same digital ground to complete their task. All cyber adversaries have to negotiate the same attack milestones to be successful. Since publication, many researchers have added their spin to the kill chain idea, but the general idea has remained the same. In the original paper, the Lockheed Martin research team labeled the milestones as recon, weaponization, delivery, exploitation, installation, command and control, and actions on the objectives. Within the actions on the objectives milestone, the authors describe lateral movement. Take, for instance, the supply chain attack on the Texas-based IT management company SolarWinds. The adversary group behind the attacks, Dark Halo, aka Nobelium, Solar Storm, Stellar Particle and UNC 2452, gained initial access by compromising the SolarWinds software update system and delivering malicious code to the SolarWinds customer base. For lateral movement, Dark Halo compromised adjacent machines looking for administrative credentials generally and Azure and Microsoft 365 authentication credentials specifically.

Nerd reference: In a MorganFranklin Consulting webinar in 2021, Mike Cloppert, one of the authors of the original Lockheed Martin paper, described the kill chain this way.
C
Reconnaissance, as we originally defined it, we've actually expanded to include reconnaissance and precursors. So that's anything that happens ahead of the intrusion: acquiring infrastructure, standing it up, getting everything ready. Weaponization is more about what is happening with the malicious payload that is going to be delivered. How is that constructed? Are artifacts left in there that could be later detected in the delivery stage? Delivery, of course, is how you get your weaponized package to the end target. Exploitation, which you can think of as detonation, takes the form of technical or human exploitation. So social engineering is an exploit, right? Installation is essentially the persistence stage, where the automated code is doing something to maintain its presence on the target device. Command and control is the establishment of the ultimate control plane over the now compromised system: the protocols used, the backdoor that's used, the infrastructure that is involved. And actions on objectives is anything that happens after the adversary picks up the telephone and gets the dial tone. That is elevation of privilege, that is lateral movement, that is compromising additional infrastructure. Sometimes that is exfiltration of data, that is deploying ransomware, whatever the ultimate objective may be. And the one thing that's nice about this is that we can say that we have seven opportunities here to detect, respond and defend, and the adversary has to get all these right before they meet their objective and, ultimately, serious impact is incurred by the target.
A
Word Notes is written by Nyla Gennaoui, executive produced by Peter Kilpe, and edited by John Petrick and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliot Peltzman. Thanks for listening.
B
Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default-deny approach can keep your company safe and compliant.
Podcast Information:
In the January 14, 2025 episode of Hacking Humans, host Rick Howard delves into the concept of lateral movement, a critical phase in the cyber adversary's attack sequence. Lateral movement refers to the techniques adversaries use to move within a victim's network after the initial breach, aiming to reach valuable data or achieve destructive objectives.
Rick Howard begins by defining lateral movement:
“Lateral for adjacent and movement for an act of changing location or position. Definition: the phase of a typical cyber adversary group's attack sequence after the initial compromise, and usually after the group has established a command and control channel where the group moves through the victim's network by compromising as many systems as it can...” ([01:34])
Central to understanding lateral movement is the Kill Chain model, originally a military concept adapted for cybersecurity by Lockheed Martin researchers. This framework outlines the stages adversaries must navigate to achieve their objectives.
Rick Howard references the seminal 2010 paper by Hutchins, Cloppert, and Amin, highlighting that:
“All cyber adversaries have to negotiate the same attack milestones to be successful. Regardless of their motivation, they must traverse the same digital ground to complete their task.” ([01:34])
The classic Kill Chain stages, as labeled in the original paper, are reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on the objectives. Lateral movement is described within the actions on the objectives stage.
To illustrate lateral movement, Howard discusses the SolarWinds breach orchestrated by the threat group known as Dark Halo (also referred to as Nobelium, Solar Storm, Stellar Particle, and UNC 2452).
Key points: the group gained initial access by compromising the SolarWinds software update system and delivering malicious code to the SolarWinds customer base; for lateral movement, it then compromised adjacent machines looking for administrative credentials generally and Azure and Microsoft 365 authentication credentials specifically.
This sophisticated attack underscores the potency of lateral movement in propagating breaches across vast and interconnected systems.
Bringing further depth to the discussion, Mike Cloppert, one of the original authors of the Lockheed Martin Kill Chain concept, shares his expertise in a segment at [05:30].
Mike Cloppert elaborates on each Kill Chain stage:
“Reconnaissance as we originally defined it, we've actually expanded that to include reconnaissance and precursors. So that's anything that happens ahead of the intrusion, acquiring infrastructure, standing it up, getting everything ready.” ([05:30])
“Weaponization is more what is happening with the malicious payload that is going to be delivered?... Delivery, of course, is how you get your weaponized package to the end target.” ([05:30])
“Exploitation you can think of as detonation takes the form of technical or human exploitation. So social engineering is an exploit, right?” ([05:30])
“Installation is essentially the persistent stage where the automated code is doing something to maintain its presence on the target device.” ([05:30])
“Command and Control is the establishment of the ultimate control plane over the now compromised system...” ([05:30])
“Actions on objectives is anything that happens after the adversary picks up the telephone and gets the dial tone. And that is elevation of privilege, that is lateral movement...” ([05:30])
Cloppert emphasizes that:
“We have seven opportunities here to detect, respond, and defend, and the adversary has to get all these right before they meet their objective...” ([05:30])
This structured approach not only aids in understanding adversary tactics but also highlights multiple defensive checkpoints to thwart attacks at various stages.
The episode underscores the importance of vigilance at each Kill Chain stage to mitigate threats. In particular, during the Actions on Objectives phase, monitoring for lateral movement can significantly reduce the risk of extensive network compromise.
The key strategy is to understand and address each stage, so that organizations can build robust defenses against sophisticated cyber threats.
The Hacking Humans episode on lateral movement provides a comprehensive exploration of a pivotal phase in cyber attacks. Through definitions, real-world examples like the SolarWinds breach, and expert insights from Mike Cloppert, listeners gain a nuanced understanding of how adversaries navigate networks to achieve their objectives. The discussion not only demystifies lateral movement but also equips organizations with actionable strategies to detect and defend against such threats effectively.
For those seeking to bolster their cybersecurity posture, this episode serves as an invaluable resource, shedding light on the intricate mechanisms of cyberattacks and the defensive measures necessary to counter them.