How to Stop External Cyber-Attacks and Lateral Movement


External attacks represent 72% of data breaches today. It’s critical for organizations to understand how they can stop them.


External attacks represent 72% of data breaches today, which makes them public enemy #1 to IT organizations. It’s therefore critical for organizations to have a good understanding of how attacks occur – and how they can stop them.

Several threat activities happen before any kind of lateral (horizontal) movement within your network; they are part of what is known as the intrusion kill chain. They include reconnaissance (gathering information and identifying possible exploits), weaponization (combining exploits with deliverable payloads), delivery (via phishing emails and compromised websites), installation (the actual insertion of malware on an endpoint), and command and control (establishing a channel to manipulate the endpoint remotely).

The intrusion kill chain is definitely an important part of the overall attack, but we’ll focus this article on identifying and stopping lateral movement as part of the horizontal kill chain – the actions taken by an attacker to move laterally within your network in order to find valuable systems, applications, and data that they will be able to exploit to continue moving, or use to exfiltrate data of value.

The Horizontal Kill Chain

Attacks that are intent on expanding their access within your network tend to follow a very similar pattern:

Obtain Credentials – Authenticate – Control – Persistence – Stealth

Obtain Credentials

Hackers need to be able to move as much as possible within the network. The more endpoints accessed, the higher the likelihood of finding valuable data. The goal is to acquire local admin access – either by examining local groups and attempting logons to local accounts or using a keylogger and waiting for an account with elevated privileges to log on.

Once the hacker has obtained local admin access, there are credential artifacts in the endpoint’s memory that attackers can leverage. These include password hashes (for use in a pass-the-hash attack), Kerberos tickets (which can be cracked), logon session credentials (which are stored in clear text), and domain credentials (which can be cracked). Tools like mimikatz can search an endpoint’s memory for these artifacts, allowing the credential data to be fed to other hacker tools to authenticate to additional systems.

Authenticate

Once credentials have been obtained, the next step is to move within the network. This is usually accomplished via Server Message Block (SMB, to access file systems), Remote Desktop, PowerShell remoting, and even Windows Management Instrumentation (WMI) and Remote Procedure Call (RPC).

Establish Control

Once a hacker has successfully gained entry to another system, the goal is again to gain control. On this new endpoint, the credentials providing initial authentication may not have elevated privileges. The hacker has to repeat some of the same work from the first two steps in the kill chain, as well as leverage hacking tools, in order to identify and authenticate as a local admin on each successive endpoint they gain access to.

Establish Persistence

If their access is discovered and removed, the chances of an attack being successful are seriously lowered, so the attacker modifies the endpoint’s configuration to ensure that access remains possible.

Using tactics similar to malware’s, hackers use scripts that run on system reboot or user logon to put malware, tampered files, scheduled tasks, malicious services, and any created accounts back into place, repeating all the work done up to that point to guarantee persistent access to the endpoint.

Establish Stealth

This is more about methodology than additional work. To avoid being detected, hackers use native tools that should garner less attention, deliver payloads directly to memory, and even redirect malicious traffic over allowed ports.

Detect the Attack in the Horizontal Kill Chain

To be able to stop an attack, you first have to detect it. Detection can happen anywhere from the point of intrusion all the way to the point of data access. That is good news, because there is an opportunity to stop an attack early in the kill chain; the bad news is that you may not find out until after data has been exfiltrated. This is why it’s critical to detect the attack as early in the kill chain as possible, with proactive response measures in place to stop any further malicious actions.

So, what’s the best and easiest way to detect an attack?

If you think about it, there is one action common to the whole attack, one that sits at the epicenter of every kill chain step: logons. Without the logon process, no step of the attack can succeed. Looking at the table below, you’ll see that the attacker needs to log on at every step of the kill chain.

Horizontal Kill Chain step | Logon’s role

Obtain Credentials

  • The hacker needs to log on locally as admin in order to locate credential artifacts

Authenticate

  • The hacker must authenticate to get access to secondary endpoints
  • It may involve multiple logons of different types (e.g. SMB, then RDP)

Establish Control

  • The hacker needs to log on locally as admin in order to establish control of an endpoint

Establish Persistence

  • The hacker needs to log on locally as admin in order to establish persistence on an endpoint

Establish Stealth

  • To avoid being detected, the hacker may need to authenticate using an account with elevated privileges

The logon is clearly a point of opportunity, both to audit and to leverage in stopping horizontal movement. First, audit logons both at the local endpoint and against the domain, looking for anomalies such as:

  • Logon Times – Users who work normal business hours Monday through Friday don’t usually log on at 5am on a Saturday.
  • Multiple Logons – A user logging on to multiple machines at the same time, or within a short window, may indicate a problem.
  • Unusual Endpoints – If a user has never logged on to a particular endpoint before, it may indicate a threat.
  • Unusual IP address – A user from the HR team doesn’t usually log on from the sales team’s office.
  • First Times – Hackers sometimes establish persistence by creating additional user accounts (so if one is discovered, they still have others). An account logging on for the very first time should be verified.

It’s technically possible to do this via event log consolidation. However, properly finding the anomalies requires some level of analytics to cross-reference logons with one another. A third-party solution might be part of the answer, helping you quickly identify potential threat activity.

Moving from Detection to Prevention

To stop a hacker, you need to take away their most precious asset: the ability to log on with compromised credentials. By taking away their ability to log on remotely, you kill any lateral movement and, therefore, the attack.

You have a few options here to prevent logons:

  1. Restricting or eliminating remote logons – To thwart hackers, you can allow accounts to log on only locally to an endpoint, or allow only a limited set of accounts to log on remotely. The problem is that many servers need SMB access enabled, or are administered purely remotely, which makes this option not always viable.
  2. Reactively Disabling Accounts – If you’re a DIY IT pro, you can launch a script based on specific audit log findings that disables the account. This can be a temporary solution to stop an attacker. But disabling an account could impact more than a single user if it’s a service account, an administrative account, etc.
  3. Using third-party solutions – You can identify and respond to suspicious logon behavior using a solution that monitors and analyzes all logon activity. Such solutions can selectively disable an account’s ability to log on, notify response team members, and provide details on the chain of endpoints on which specific credentials were used.
  4. Implementing multi-factor authentication (MFA) – Multi-factor authentication is one of the most effective controls an organization can implement to prevent an unauthorized adversary from gaining access to a device or network and accessing sensitive information. MFA combines two or more factors to create a layered defense.

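As an added example (not code from this article, and not from any product it mentions), the following Python script applies the five logon anomaly checks listed above to a constructed set of records shaped loosely like the fields of Windows Security Event ID 4624 (successful logon), and then implements the reactive decision behind option 2 with the caveat the author raises: accounts marked as protected (service or administrative accounts) are escalated to a human instead of being disabled. The field layout, the business-hours window, the ten-minute concurrency window, the baseline cut-off date, the account and host names and the protected-account list are all assumptions made for this example.

```python
"""Logon anomaly detection plus a reactive response decision (added example).

Not code from the DZone article. Records are constructed to resemble Windows
Security Event ID 4624 fields; field names, thresholds and the baseline
cut-off are assumptions for this example only.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Windows logon type codes as they appear in Event ID 4624 (real values):
# 3 (Network) covers SMB and WMI, 10 (RemoteInteractive) is RDP.
LOGON_TYPE_NAMES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}

BUSINESS_HOURS = range(7, 19)            # assumption: 07:00-18:59 is normal
CONCURRENT_WINDOW_SECONDS = 600          # assumption: 10-minute window
BASELINE_CUTOFF = datetime(2019, 6, 6)   # earlier records train the baseline
PROTECTED_ACCOUNTS = {"svc_backup2"}     # constructed: never auto-disable these

# Constructed sample: (timestamp, account, endpoint, source IP, logon type).
SAMPLE_EVENTS = [
    ("2019-06-03 09:02:11", "jsmith", "HR-WS01", "10.1.10.15", 2),
    ("2019-06-03 09:30:45", "jsmith", "HR-WS01", "10.1.10.15", 2),
    ("2019-06-04 08:55:07", "jsmith", "HR-WS01", "10.1.10.15", 2),
    ("2019-06-05 10:12:00", "jsmith", "HR-FS01", "10.1.10.15", 3),
    ("2019-06-07 09:10:00", "jsmith", "HR-WS01", "10.1.10.15", 2),     # normal Friday
    ("2019-06-08 05:03:19", "jsmith", "HR-WS01", "10.1.10.15", 2),     # 5am Saturday
    ("2019-06-08 05:05:02", "jsmith", "SALES-WS07", "10.2.20.9", 3),   # SMB, new host
    ("2019-06-08 05:06:40", "jsmith", "FIN-SRV02", "10.2.20.9", 10),   # RDP, same source
    ("2019-06-08 05:15:12", "svc_backup2", "FIN-SRV02", "10.2.20.9", 3),  # unseen account
]


def parse(record):
    """Turn one raw tuple into a dict with a parsed time and the source /24."""
    ts, user, endpoint, ip, ltype = record
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "user": user,
            "endpoint": endpoint,
            "subnet": str(ipaddress.ip_network(f"{ip}/24", strict=False)),
            "logon_type": LOGON_TYPE_NAMES.get(ltype, f"type {ltype}")}


def build_baseline(events):
    """Per account: endpoints and source subnets seen before the cut-off."""
    base = {"users": set(), "endpoints": defaultdict(set), "subnets": defaultdict(set)}
    for e in events:
        if e["time"] < BASELINE_CUTOFF:
            base["users"].add(e["user"])
            base["endpoints"][e["user"]].add(e["endpoint"])
            base["subnets"][e["user"]].add(e["subnet"])
    return base


def detect_anomalies(records):
    """Apply the article's five logon checks to every post-cut-off event."""
    events = sorted((parse(r) for r in records), key=lambda e: e["time"])
    base = build_baseline(events)
    recent = [e for e in events if e["time"] >= BASELINE_CUTOFF]
    findings = []
    for e in recent:
        t, user, reasons = e["time"], e["user"], []
        if t.weekday() >= 5 or t.hour not in BUSINESS_HOURS:
            reasons.append("off-hours logon")
        if user not in base["users"]:
            reasons.append("first logon for account")
        else:
            if e["endpoint"] not in base["endpoints"][user]:
                reasons.append("unusual endpoint")
            if e["subnet"] not in base["subnets"][user]:
                reasons.append("unusual source subnet")
        # Multiple logons: the same account reached other endpoints within the window.
        others = sorted({o["endpoint"] for o in recent
                         if o["user"] == user and o["endpoint"] != e["endpoint"]
                         and abs((o["time"] - t).total_seconds()) <= CONCURRENT_WINDOW_SECONDS})
        if others:
            reasons.append(f"concurrent logon with {others}")
        if reasons:
            findings.append({"user": user, "endpoint": e["endpoint"],
                             "time": t.isoformat(sep=" "),
                             "logon_type": e["logon_type"], "reasons": reasons})
    return findings


def response_plan(findings, protected=PROTECTED_ACCOUNTS, threshold=2):
    """'disable' only when several independent anomaly kinds stack up; a protected
    (service/admin) account is escalated to a human because disabling it could
    take down far more than one user."""
    kinds = defaultdict(set)
    for f in findings:
        for r in f["reasons"]:
            kinds[f["user"]].add(r.split(" with ")[0])   # drop endpoint detail
    plan = {}
    for user, seen in kinds.items():
        if len(seen) < threshold:
            plan[user] = "log only"
        elif user in protected:
            plan[user] = "notify"
        else:
            plan[user] = "disable"
    return plan


if __name__ == "__main__":
    found = detect_anomalies(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['time']} {f['user']}@{f['endpoint']} ({f['logon_type']}): "
              + "; ".join(f["reasons"]))
    print(response_plan(found))
```

Run against the constructed sample, the Friday logon produces no finding, the three Saturday 5am logons by jsmith each accumulate off-hours, concurrent-logon and (for the two new hosts) unusual-endpoint and unusual-subnet reasons, and the never-seen svc_backup2 account is flagged as a first-time logon. The plan then marks jsmith for disabling but only notifies on svc_backup2, which is the distinction option 2 above warns about. In production the baseline would be learned from consolidated domain and endpoint logs rather than a hard-coded cut-off, and the "disable" action would call your directory (for example an Active Directory account-disable operation) rather than just return a string.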
Stop the Attack

To stop an attack you need to understand exactly how hackers execute their attacks. It’s obvious that logons are a key component of an attack. Without logons, an attack would be limited to the single endpoint that was the victim of phishing or malware.

By auditing logons, putting a response plan in place and implementing multi-factor authentication you effectively drop the success rate of any attack to zero.

Verizon, Data Breach Investigations Report (2019)
