lateral movement (noun)

Rick Howard: The word is: lateral movement. 


Rick Howard: Spelled: lateral for adjacent and movement for an act of changing location or position.  


Rick Howard: Definition: Phase of a typical cyber adversary group's attack sequence, after the initial compromise and usually after the group has established a command and control channel, where the group moves through the victims network by compromising as many systems as it can, by looking for the data, it has come to steal or to destroy.  


Rick Howard: Example sentence: Fancy Bear members move laterally within the Democratic Congressional Campaign Committee, or DCCC, and the Democratic National Committee, or DNC, networks compromising other victim's machines seeking files and folders that mentioned "Ben Ghazi" and "opposition research."  


Rick Howard: Origin and context: During the first Gulf War in 1991, Iraq mobile SCUD missiles gave the United States Air Force and Navy pilots trouble. Iraqi soldiers were able to fire them long before the US planes could find their location and blow them up. After the war, US Air Force General John Jumper addressed the issue by changing air combat doctrine and formalizing the techniques necessary to compress the time to find and kill the enemy on the battlefield. He called the new doctrinal model Find, Fix, Track, Target, Engage, and Assess, orF 2 T 2 E A for short, because you know, military acronyms. More simply, they call it the kill chain. Jumper's mandate to the Air Force was to compress the kill chain from hours or days to under 10 minutes.  


Rick Howard: Fast forward to 2010, the Lockheed Martin research team took the kill chain idea and applied it to cyber defense. They published the now historic paper "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" by Hutchins, Cloppert, and Amin. The authors' main thesis is that cyber adversaries, regardless of their motivation–crime, espionage, hacktivism, low level cyber conflict, or just general mischief and regardless of the toolset they use, must traverse the same digital ground to complete their task. All cyber adversaries have to negotiate the same attack milestones to be successful. Since publication, many researchers have added their spin to the kill chain idea, but the general idea has remained the same.  


Rick Howard: In the original paper, the Lockheed Martin research team labeled the milestones as recon, weaponization, delivery, exploitation, installation, command and control, and actions on the objectives. Within the actions on the objectives milestone, the authors describe lateral movement.  


Rick Howard: Take for instance the supply chain attack on the Texas based IT management company, SolarWinds. The adversary group behind the attacks, Dark Halo (aka Nobelium, Solar Storm, Stellar Particle, and UNC 2452), gained initial access by compromising the SolarWinds software updates system and delivering malicious code to the SolarWinds customer base. For lateral movement, Dark Halo compromised adjacent machines looking for administrative credentials generally and Azure/Microsoft 365 authentication credentials specifically.  


Rick Howard: Nerd, reference: In a Morgan Franklin Consulting webinar in 2021, Mike Cloppert, one of the authors of the original Lockheed Martin paper described the kill chain this way: 


Mike Cloppert: Reconnaissance, as we originally defined it, we've actually expanded that to, to include reconnaissance and precursors. So that's anything that happened ahead of the intrusion; acquiring infrastructure, standing it up, getting everything ready. Weaponization is more, what is happening with the malicious payload that is going to be delivered. How is that constructed? Are artifacts left in there that could be later detected in the delivery stage. Delivery is of course, how you get your weaponized package to the end target? Exploitation you can think of as detonation. It takes the form of technical or human exploitation. So. Social engineering is an exploit, right? Installation is essentially the persistence stage where the automated code is doing something to maintain its presence on the target device. Command and control is the establishment of the ultimate control plane over the now compromised system, the protocols used, the backdoor that's used, infrastructure that is involved. And actions on objectives is anything that happens after. The adversary picks up the telephone and gets the dial tone and that is elevation of privilege, that is lateral movement, that is compromising additional infrastructure sometimes, that is exfiltration of data, that is deploying ransomware. Whatever the ultimate objective may be. And the one thing that's nice about this is that we can say that, we have seven opportunities here to detect, respond, and defend. And the adversary has to get all these right before they meet their objective and ultimately serious impact is incurred by the target. 


Rick Howard: Word Notes is written by Nyla Gennaoui. Executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.