
Understanding Lateral Movement and Privilege Escalation


The Techniques Attackers Use and Best Practices for Defending Your Organization


An attacker who gets into your network is seldom content with their initial foothold. To achieve their ultimate objective, whether that’s stealing sensitive information or planting malware, they need to leverage the account they have compromised to move laterally through your environment and escalate their privileges until they gain access to more data or resources.

In other words, the account or system that an attacker initially compromises is just a jumping-off point for them to spread out. The lifecycle of an attack can be weeks, months or even years as the attacker moves throughout the environment and establishes their presence. To defend your organization, it’s critical to understand the techniques involved.

What are lateral movement and privilege escalation?

Lateral movement is when an attacker leverages their current access rights to navigate around your environment. Privilege escalation is gaining increased access permissions. Attackers combine these two tactics to achieve their ultimate goal of stealing data or doing other damage to your organization.

Typically, when an attacker enters your environment, they begin to do reconnaissance in order to understand what resources they have access to and what accounts they may be able to compromise next. As they discover avenues to escalate their privileges, they gain access to even more data and resources. By repeating this cycle, they strive to eventually gain access to your most valuable data or systems.

What specific techniques do attackers use?

Here are three of the most common techniques that attackers use to move laterally and escalate their privileges:

  • LDAP reconnaissance — Discovering potential targets in an environment is a very important task for an attacker. Once they gain access to an environment, they need to understand what is out there that they may be interested in targeting. LDAP reconnaissance is a way that an attacker can use Active Directory to discover users, groups and computers in the environment. After understanding the environment and conducting more thorough reconnaissance, the attacker can come up with a plan to achieve their objectives.
  • Pass-the-Hash — Once an attacker gains access to a system and is able to move laterally between systems, they want to compromise other accounts that expand their rights in the environment. One way an attacker can compromise other accounts in the environment is through pass-the-hash. This technique does require some level of privileges on the machine they have access to, but using pass-the-hash, they can compromise an account that has a session on the machine they’ve acquired. With the newly compromised account, they may continue to identify other machines they have access to, and other sessions that may exist that they can leverage to gain access to even more accounts.
  • Kerberoasting — Another technique attackers use to escalate their privileges is Kerberoasting. Kerberoasting abuses the Kerberos authentication protocol to steal the credentials of Active Directory users that have servicePrincipalNames. More often than not, these accounts are service accounts, so they have higher levels of privilege than regular user accounts.
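
Two of the techniques above leave recognisable traces in Windows Security event logs, and the following added example (not code from the original post or from Stealthbits) shows how a defender can pick them out. Kerberoasting shows up as Event ID 4769 (service ticket requested) with an RC4-HMAC ticket (TicketEncryptionType 0x17) for a service account that is not a computer account, usually in a burst of requests for many distinct services from one requester. The Mimikatz pass-the-hash pattern shows up as Event ID 4624 with LogonType 9 (NewCredentials), LogonProcessName seclogo and AuthenticationPackageName Negotiate. The event records, thresholds and window length below are constructed assumptions chosen to make the example self-contained.

```python
"""Flag Kerberoasting and pass-the-hash indicators in Windows Security events.

Added example with constructed sample events (not real telemetry).
"""
from collections import defaultdict
from datetime import datetime

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in event 4769

# Constructed events shaped like 4769 / 4624 fields after a SIEM flattens them.
SAMPLE_EVENTS = [
    # One account pulls RC4 service tickets for four different service
    # accounts within a few seconds: the Kerberoasting pattern.
    {"EventID": 4769, "Time": "2022-03-01T09:00:01", "AccountName": "jsmith@CORP.EXAMPLE",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "Time": "2022-03-01T09:00:02", "AccountName": "jsmith@CORP.EXAMPLE",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "Time": "2022-03-01T09:00:04", "AccountName": "jsmith@CORP.EXAMPLE",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "Time": "2022-03-01T09:00:07", "AccountName": "jsmith@CORP.EXAMPLE",
     "ServiceName": "svc_iis", "TicketEncryptionType": "0x17", "Status": "0x0"},
    # Benign: an AES256 (0x12) ticket for one service, and a computer account
    # (name ends in '$') requesting a ticket for a file server.
    {"EventID": 4769, "Time": "2022-03-01T09:01:00", "AccountName": "jdoe@CORP.EXAMPLE",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4769, "Time": "2022-03-01T09:01:05", "AccountName": "WS07$@CORP.EXAMPLE",
     "ServiceName": "FS01$", "TicketEncryptionType": "0x17", "Status": "0x0"},
    # Logon with explicit alternate credentials through the secondary logon
    # service: the pattern Mimikatz pass-the-hash produces (runas /netonly
    # produces the same, so this is a triage signal, not proof).
    {"EventID": 4624, "Time": "2022-03-01T09:05:00", "AccountName": "jsmith",
     "WorkstationName": "WS01", "LogonType": 9, "LogonProcessName": "seclogo",
     "AuthenticationPackageName": "Negotiate"},
    # Benign interactive logon.
    {"EventID": 4624, "Time": "2022-03-01T09:06:00", "AccountName": "jdoe",
     "WorkstationName": "WS02", "LogonType": 2, "LogonProcessName": "User32 ",
     "AuthenticationPackageName": "Negotiate"},
]


def _ts(event):
    return datetime.fromisoformat(event["Time"])


def kerberoast_candidates(events, min_services=3, window_seconds=300):
    """Return {account: set(services)} for accounts that obtained RC4 service
    tickets for at least `min_services` distinct non-computer services inside
    any `window_seconds` window. Computer accounts and krbtgt are excluded."""
    per_account = defaultdict(list)
    for e in events:
        if e.get("EventID") != 4769 or e.get("Status") != "0x0":
            continue
        if e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = e.get("ServiceName", "")
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_account[e["AccountName"]].append((_ts(e), svc))

    flagged = {}
    for account, reqs in per_account.items():
        reqs.sort()  # chronological, so each slice below is a forward window
        for i, (start, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:]
                         if (t - start).total_seconds() <= window_seconds}
            if len(in_window) >= min_services:
                flagged[account] = in_window
                break
    return flagged


def pass_the_hash_candidates(events):
    """Return (account, workstation) pairs for 4624 events matching the
    NewCredentials (type 9) / seclogo / Negotiate pattern."""
    hits = []
    for e in events:
        if (e.get("EventID") == 4624 and e.get("LogonType") == 9
                and e.get("LogonProcessName", "").strip().lower() == "seclogo"
                and e.get("AuthenticationPackageName") == "Negotiate"):
            hits.append((e["AccountName"], e.get("WorkstationName", "")))
    return hits


if __name__ == "__main__":
    for account, services in kerberoast_candidates(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {account}: {sorted(services)}")
    for account, host in pass_the_hash_candidates(SAMPLE_EVENTS):
        print(f"NewCredentials logon via seclogo by {account} on {host}: review for pass-the-hash")
```

Both detectors return the matched accounts rather than only printing them, so they can be fed into a ticketing or alerting step. The RC4 filter is the key discriminator for Kerberoasting: moving service accounts to AES-only encryption types both removes the weak ticket an attacker wants and makes any remaining 0x17 request stand out.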

Real-world example

One of the most notable breaches in recent history is the Marriott data breach from 2018. While the complete details were never publicly revealed, Mimikatz was found on their system. Mimikatz is a popular tool for harvesting credentials and performing pass-the-hash attacks, so it’s reasonable to assume that once the attacker gained a foothold in the environment, they leveraged Mimikatz to continue their attack and move laterally and escalate their privileges with the credentials they were able to gather with the tool.

This is just one example of an attacker moving laterally and escalating their privileges to reach their goal; you can easily find many others in the news.

How can organizations defend themselves?

How can you combat these tactics attackers use to compromise your environment? Here are three of the top strategies to implement:

Block social engineering attacks

More often than not, attackers gain access to the IT environment through some type of social engineering, in which they manipulate a legitimate user into providing their credentials. To reduce your risk, regularly train your employees about how to detect and report social engineering attacks. Also, invest in tools like spam filtering to keep phishing messages from reaching your users in the first place.

Protect your passwords

Attackers often get into your environment and escalate their permissions through weak passwords or credentials they steal using techniques like password spraying attacks. Training users on good password hygiene and best practices and enforcing your policies is important for keeping credentials secure. In addition, look for tools that can enforce more secure password policies than native Active Directory, identify weak or compromised passwords and enable you to implement controls like multi-factor authentication (MFA).
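Password spraying mentioned above has a distinctive footprint that native lockout policies miss: one source tries a single password against many accounts, so no individual account crosses the lockout threshold. The following added example (not code from the original post or from Stealthbits) flags that pattern in Event ID 4625 failed-logon records. The sample events, the source addresses, the account names and the thresholds are constructed for the example; status 0xC000006A (bad password) and 0xC0000064 (unknown user) are the standard NTSTATUS values seen in 4625.

```python
"""Flag password spraying in Windows 4625 (failed logon) events.

Added example with constructed sample events (not real telemetry).
"""
from collections import defaultdict
from datetime import datetime

# (Time, source IP, target account, SubStatus) tuples shaped like 4625 fields.
FAILED_LOGONS = [
    # One source, one attempt each against seven accounts in a few seconds.
    ("2022-03-01T08:00:00", "10.0.0.25", "alice", "0xC000006A"),
    ("2022-03-01T08:00:01", "10.0.0.25", "bob", "0xC000006A"),
    ("2022-03-01T08:00:02", "10.0.0.25", "carol", "0xC000006A"),
    ("2022-03-01T08:00:03", "10.0.0.25", "dave", "0xC000006A"),
    ("2022-03-01T08:00:04", "10.0.0.25", "erin", "0xC000006A"),
    ("2022-03-01T08:00:05", "10.0.0.25", "frank", "0xC000006A"),
    ("2022-03-01T08:00:06", "10.0.0.25", "ghost", "0xC0000064"),  # account does not exist
    # One user mistyping their own password three times: not spraying.
    ("2022-03-01T08:10:00", "10.0.0.40", "carol", "0xC000006A"),
    ("2022-03-01T08:10:09", "10.0.0.40", "carol", "0xC000006A"),
    ("2022-03-01T08:10:20", "10.0.0.40", "carol", "0xC000006A"),
]

# SubStatus values that indicate a credential guess rather than, say, an
# expired password or a time-of-day restriction.
GUESS_STATUSES = {"0xC000006A", "0xC0000064"}


def detect_password_spray(events, min_accounts=5, window_seconds=600, max_per_account=2):
    """Return {source_ip: sorted(accounts)} for sources that failed against at
    least `min_accounts` distinct accounts inside `window_seconds`, with no
    single account tried more than `max_per_account` times in that window."""
    per_source = defaultdict(list)
    for time, source, account, substatus in events:
        if substatus in GUESS_STATUSES:
            per_source[source].append((datetime.fromisoformat(time), account))

    flagged = {}
    for source, attempts in per_source.items():
        attempts.sort()  # chronological, so each slice below is a forward window
        for i, (start, _) in enumerate(attempts):
            counts = defaultdict(int)
            for t, account in attempts[i:]:
                if (t - start).total_seconds() > window_seconds:
                    break
                counts[account] += 1
            # Spraying stays below lockout: many accounts, few tries each.
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                flagged[source] = sorted(counts)
                break
    return flagged


if __name__ == "__main__":
    for source, accounts in detect_password_spray(FAILED_LOGONS).items():
        print(f"possible password spray from {source} against {len(accounts)} accounts: {accounts}")
```

The `max_per_account` check is what separates spraying from ordinary brute force or a user who forgot their password; tune `min_accounts` and the window to your environment's baseline of failed logons per source.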

Pay particular attention to privileged accounts

One of the key ways attackers attain their ultimate goals is by compromising admin or service accounts, which give them far more access across the environment than user accounts. Implementing a good privileged access management (PAM) strategy is essential to protecting these powerful accounts from being compromised and monitoring how they are being used. PAM tools today come in all shapes and sizes, but keep in mind that you don’t have to settle for one that simply provides a vault for privileged accounts. A more modern approach is to eliminate standing privileged accounts altogether and instead grant admins the elevated rights they need for only as long as they need them to complete a particular task; this significantly reduces risk by reducing your attack surface area.

Keep your systems updated

Finally, it’s essential to apply updates and patches as they become available. Keeping all your devices and applications up to date is critical to ensuring an attacker isn’t able to exploit a known vulnerability to gain a foothold in your environment, move laterally or escalate their privileges.





© 2022 Stealthbits Technologies, Inc.
