A later stage of advanced persistent threats (APT) attacks is the “lateral movement” stage, where attackers typically use legitimate computer features to move within the network undetected. This takes place after the initial breach and the establishment of command-and-control links back to the attacker. We earlier discussed the steps in an APT attack in the infographic, Connecting the APT Dots.
As shown below, the impact attackers can have on networks grows larger as APTs go deeper. Upon reaching the lateral stage, attackers are now virtually undetected by traditional security methods. This allows them to gain even more access privileges and move on to the next APT attack stages.
Figure 1. Graph of APT Stage vs. Impact to Network
Lateral Movement Tactics
The lateral movement stage of APT attacks can be further divided into three major steps: reconnaissance, credentials stealing, and computer intrusions.
The first step allows attackers to collect vital intelligence for their next attacks by using built-in OS tools and other popular utilities. These tools may include the netstat command for connection information and port scanning for open ports.
Once well-informed, APTs will then steal legitimate credentials to establish control. Attackers can do this in various ways, such as: spoofing ARP protocol packets, using keyloggers, pass the hash attacks or hooking login authentication processes.
After acquiring legitimate credentials, attackers will target other computers to move closer to their real target. They are more likely to use remote access or administration tools that leave few traces to accomplish this.
What Enterprises Can Do
The use of legitimate computer features can defeat basic perimeter-based and blacklisting security methods. However, there are many measures enterprises can still use to fortify their security, including: the use of application control, security and information event management (SIEM), and adapting a custom defense solution.
Enterprises need to establish solid threat intelligence from internal knowledge of their network and other external indicators. Threat intelligence partnered with the use of custom defense technology will empower IT personnel in detecting anomalous use of legitimate computer features; thus, securing their networks from APT-related activities.
Find out more about these tools and measures as highlighted in the infographic The Danger of Compromise.
You can also read more about the steps APTs take during the lateral movement stage in the Security in Context paper, How Do Threat Actors Move Deeper into Your Network.