The Tactic Of “Lateral Movement” And Its Techniques
In literal terms, lateral can be defined as the opposite of direct, denoting a sideways approach to something. In cyber systems, lateral movement denotes an adversary's ability to control a networked system indirectly, with or without the use of a remote access component.
Through lateral movement, the adversary can access data or produce an effect on a system without having authorized access to it. In most cases lateral movement requires a remote access tool, but because such a tool's activity may be noticed by a computer network defense (CND) system, advanced adversaries try to move laterally without one. By doing so, the adversary can keep control of the system for longer without being detected, and so cause more damage. Application Deployment Software is an effective lateral-movement technique that works by mimicking system administrators.
Most systems have effective checks and balances as part of their CND, limiting most users' access on a need-for-access basis. The same systems, however, must allow a few administrators full access to the entire system. If an adversary obtains the credentials of one of those administrators, the adversary can make the system believe that the administrator is the one accessing it. The adversary can then control the system remotely until the breach is discovered.
Another effective lateral-movement technique, especially on a large system, is Exploitation of Remote Services. Computer networking rests on a careful balance between utility and safety: if safety comes at the expense of utility, the network is useless to its owner and there is nothing left worth securing. As CND developers seek that balance, errors will occur, especially when remote access provisions are made to a secure system. Exploitation of Remote Services looks for such errors and uses them to access the system remotely through lateral movement. The error grants the amount of access that would have been allowed to a legitimate remote user; the adversary can then exploit it to increase that access and reach further into the system.
The Remote Desktop Protocol technique is similar to Exploitation of Remote Services in that both take advantage of genuine provisions for remote access. Most modern networks allow people with the right credentials to connect to a desktop remotely and operate within the system; an example is the Remote Desktop Protocol (RDP) used by Microsoft's Remote Desktop Services (RDS). An adversary can use such an avenue to connect to a remote desktop, access the system, and then expand the abilities of the remote access node to reach further into the system.
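As an added illustration of the two patterns described above, the misused administrator credential and the RDP session, here is example detection code written for this page (not taken from the article or from any product). It runs two checks over constructed logon records modelled on Windows Security event 4624: an account fanning out to many hosts from a source that is not a known deployment server, and an RDP logon from a source that is not a known jump host. The deployment-server and jump-host addresses, the hosts and the accounts are assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security event 4624 (successful
# logon): (timestamp, target host, account, logon type, source IP). Logon type 3
# is a network logon (admin shares, deployment agents); type 10 is
# RemoteInteractive, i.e. RDP. Hosts, accounts and addresses are invented.
SAMPLE_LOGONS = [
    ("2024-05-01T09:05:00", "srv-fs",  "svc-deploy", 3,  "10.0.0.5"),
    ("2024-05-01T09:06:00", "srv-db",  "svc-deploy", 3,  "10.0.0.5"),
    ("2024-05-01T09:07:00", "srv-web", "svc-deploy", 3,  "10.0.0.5"),
    ("2024-05-01T13:00:00", "srv-fs",  "admin-bob",  3,  "10.0.0.44"),
    ("2024-05-01T13:02:00", "srv-db",  "admin-bob",  3,  "10.0.0.44"),
    ("2024-05-01T13:04:00", "srv-web", "admin-bob",  3,  "10.0.0.44"),
    ("2024-05-01T14:00:00", "ws-02",   "alice",      10, "10.0.0.20"),
    ("2024-05-01T22:30:00", "srv-db",  "admin-bob",  10, "203.0.113.7"),
]

# Assumed environment knowledge: the deployment server that legitimately fans
# out to many hosts, and the jump host from which RDP sessions should originate.
DEPLOY_SERVERS = {"10.0.0.5"}
RDP_JUMP_HOSTS = {"10.0.0.20"}


def fan_out_alerts(logons, window=timedelta(minutes=10), max_hosts=2,
                   deploy_servers=DEPLOY_SERVERS):
    """Flag an (account, source) pair whose network logons reach more than
    max_hosts distinct hosts inside `window`, unless the source is a known
    deployment server: an admin credential being replayed across hosts."""
    by_pair = defaultdict(list)
    for ts, host, user, ltype, src in logons:
        if ltype == 3 and src not in deploy_servers:
            by_pair[(user, src)].append((datetime.fromisoformat(ts), host))
    alerts = []
    for (user, src), events in by_pair.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                alerts.append((user, src, sorted(hosts)))
                break
    return alerts


def rdp_alerts(logons, jump_hosts=RDP_JUMP_HOSTS):
    """Flag RemoteInteractive (RDP) logons whose source is not a jump host."""
    return [(user, host, src) for ts, host, user, ltype, src in logons
            if ltype == 10 and src not in jump_hosts]
```

The deployment account reaching three hosts from its own server raises nothing, while the same fan-out by an administrator account from a workstation, and the administrator's RDP logon from an outside address, both surface as alerts.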