
10 Steps to Detect Lateral Movement in a Data Breach

March 22, 2018 by Dan Virgillito

Many enterprises spend millions of dollars on solutions that promise to bolster their security, yet far less attention goes to detecting lateral movement once a breach is under way. We have seen time and again that an attacker who gains an initial foothold in a network will typically perform internal reconnaissance to solidify their presence. From that point on, most attackers follow the same basic strategy: gain access to a lower-privileged, less secured host, escalate privileges, and then seek out additional targets on the network.

If you can identify the attacker during lateral movement, it's game over for them.


Unfortunately, digging deep into internal networks is not easy. When the data generated runs to petabytes, even the best breach detection solution will produce a large number of false positives. The problem is severe enough that 55 percent of the security alerts organizations receive are considered erroneous, and the volume and irrelevance of those alerts lead enterprises to ignore, or even disable, their logging solutions.

However, it doesn't have to be that way.

If you can set up barriers along the way, you may be able to protect against high-value breaches, or at least slow the adversary down enough that you're ready to contain the outbreak. Here are ten steps you can take to detect lateral movement:

1. Look for Discrepancies in Administrative Tasks

Once inside a network, attackers prefer native tools over custom malware to avoid detection by EDR and anti-virus software. That choice is not itself an anomaly, since administrators use the same tools, but the way the tools are used usually is. Identify which tools your network administrators use, from which accounts and hosts, and which resources they typically access, such as an intranet site or an ERP database. With that information you can spot discrepancies in how administrative tasks are performed. Combining directory data (Active Directory group membership) with network data (NetFlow) narrows the list of expected behaviors and gives you a baseline for comparison.

2. Monitor Login Activity

A challenge common to all indicators of a data breach is that they demand detailed analysis of data that is not readily accessible, and the security team must cross-reference several sources to gain any insight. The logon is the best place to start. By monitoring logon activity carefully, you may detect a compromise before critical actions, such as data access or third-party compromise, take place. That makes logon monitoring a pre-attack indicator: a logon after hours or at an unusual time of day, or from an account to a host it has never touched before, can signal lateral movement.

3. Keep Tabs on Devices Using Multiple Credentials

Attackers rely on stolen credentials because they blend in: a valid account raises no alarm and makes exploring the network easy. They steal user accounts, use them to gain privileges and move across the network. Analyzing credential usage therefore helps you spot outliers, and log analysis from your authentication and authorization infrastructure can reveal credential abuse. For instance, extracting and analyzing logon data tells you how many devices each authenticated user interacts with, and how many different accounts authenticate from each device. Baseline the average user, then look for anomalies.
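
The two checks above, logon timing (step 2) and credential usage per device and per account (step 3), as an added Python example that is not part of the original article. It runs over a constructed sample of Windows event 4624 fields; every host, account, timestamp and threshold is an assumption, and in practice the thresholds would be learned from each site's own history.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of the fields a SIEM would export from Windows Security
# event 4624 (successful logon). Every host, account and timestamp is made up.
SAMPLE_LOGONS = [
    # (timestamp, account, source_host, target_host, logon_type)
    ("2018-03-19T09:12:00", "alice",      "WS-ALICE", "WS-ALICE", 2),
    ("2018-03-19T09:30:00", "bob",        "WS-BOB",   "WS-BOB",   2),
    ("2018-03-19T10:05:00", "svc-backup", "BKP01",    "FS01",     3),
    ("2018-03-19T13:44:00", "alice",      "WS-ALICE", "FS01",     3),
    ("2018-03-19T23:41:00", "bob",        "WS-BOB",   "FS01",     3),  # after hours
    ("2018-03-20T02:17:00", "bob",        "WS-BOB",   "HR-DB01",  3),  # after hours, new target
    ("2018-03-20T02:19:00", "carol",      "WS-BOB",   "HR-DB01",  3),  # 2nd account from WS-BOB
    ("2018-03-20T02:23:00", "admin-j",    "WS-BOB",   "DC01",     3),  # 3rd account from WS-BOB
    ("2018-03-20T09:02:00", "carol",      "WS-CAROL", "WS-CAROL", 2),
]


def parse(record):
    ts, account, src, dst, logon_type = record
    return datetime.fromisoformat(ts), account.lower(), src.upper(), dst.upper(), logon_type


def off_hours_logons(records, start_hour=7, end_hour=19):
    """Logons outside the business window [start_hour, end_hour) or on a weekend.
    Both interactive (type 2) and network (type 3) logons count; a network logon
    at 02:00 to a host the account never touched before is the kind of pre-attack
    indicator the article describes. The window is an assumption: tune it per site."""
    flagged = []
    for rec in records:
        ts, account, src, dst, _ = parse(rec)
        if ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour):
            flagged.append((ts.isoformat(), account, src, dst))
    return flagged


def multi_credential_sources(records, max_accounts=2, window_hours=24):
    """Source hosts from which more than max_accounts distinct accounts
    authenticated inside any window_hours-long window. A workstation normally
    shows its primary user plus perhaps a helpdesk account; three or more
    accounts in a day is what credential harvesting plus lateral movement looks like."""
    by_source = defaultdict(list)
    for rec in records:
        ts, account, src, _, _ = parse(rec)
        by_source[src].append((ts, account))
    suspicious = {}
    for src, events in by_source.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            in_window = {acct for t, acct in events[i:]
                         if (t - t0).total_seconds() <= window_hours * 3600}
            if len(in_window) > max_accounts:
                suspicious.setdefault(src, set()).update(in_window)
    return suspicious


def accounts_with_wide_reach(records, max_targets=2):
    """Accounts that authenticated to more than max_targets distinct hosts:
    the 'how many devices does each user interact with' baseline from step 3.
    max_targets would normally be learned per account from historical data."""
    targets = defaultdict(set)
    for rec in records:
        _, account, _, dst, _ = parse(rec)
        targets[account].add(dst)
    return {acct: hosts for acct, hosts in targets.items() if len(hosts) > max_targets}


if __name__ == "__main__":
    for hit in off_hours_logons(SAMPLE_LOGONS):
        print("off-hours logon:", hit)
    print("sources using many accounts:", multi_credential_sources(SAMPLE_LOGONS))
    print("accounts reaching many hosts:", accounts_with_wide_reach(SAMPLE_LOGONS))
```

On the sample, WS-BOB is the only source that three different accounts authenticate from within a day, and bob is the only account that reaches three hosts; the same two functions applied to a real 4624 export are the starting point for the baselines the article asks for.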

4. Investigate Users Who've Abnormally Used File Servers

One step an adversary usually takes is to identify which file servers can be broadly accessed, either to encrypt confidential data remotely or to extract valuable data such as credit card numbers or social security numbers. Discrepancies in file share access can therefore be a vital indicator of lateral movement, and may also lead you to a malicious insider. Monitoring and analyzing logs from your file servers is the most efficient way to do this yourself.

5. Search for Command & Control Activity

If you use perimeter security tools, they may already keep tabs on command and control activity. Malware inside a breached network may instead reach out to infrastructure hosted on cloud providers such as AWS, or to newly registered servers that conventional threat intelligence feeds do not yet recognize. Organizations can augment their existing controls by searching DNS logs for the look-up patterns of malware trying to find its command and control server. Red flags include a high rate of failed (NXDOMAIN) requests from one host and query names that appear machine-generated.
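
Both DNS red flags, as an added Python example that is not from the original article. The resolver log format, the client addresses, the names and the thresholds are all constructed assumptions; the entropy test is a deliberately simple stand-in for a real domain-generation-algorithm classifier.

```python
import math
from collections import defaultdict

# Constructed resolver log in a simplified "timestamp client qname rcode" layout
# (not any real resolver's native format). Clients and names are made up; the
# 16-character labels imitate domain-generation-algorithm output.
SAMPLE_DNS_LOG = """\
2018-03-20T08:00:01 10.0.1.15 www.example.com NOERROR
2018-03-20T08:00:05 10.0.1.15 mail.example.com NOERROR
2018-03-20T08:01:10 10.0.1.22 update.example.net NOERROR
2018-03-20T08:02:00 10.0.1.40 xk9q2mzp7vbt4rlw.com NXDOMAIN
2018-03-20T08:02:01 10.0.1.40 h3jw8zqr1ncv6ydm.net NXDOMAIN
2018-03-20T08:02:02 10.0.1.40 b7tq4xlm9zpk2vfs.org NXDOMAIN
2018-03-20T08:02:03 10.0.1.40 v2mx8kqz5rhw7ntc.com NXDOMAIN
2018-03-20T08:02:04 10.0.1.40 q6zr3wpl8ykn1mxt.info NOERROR
2018-03-20T08:03:00 10.0.1.22 intranet.example.com NOERROR
2018-03-20T08:03:30 10.0.1.15 typo-exampel.com NXDOMAIN
"""


def parse_dns_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        records.append((ts, client, qname.lower().rstrip("."), rcode))
    return records


def registrable_label(qname):
    """Label directly under the TLD ('example' in www.example.com). Assumption: a
    one-label public suffix; a real implementation consults the Public Suffix List
    so that co.uk-style suffixes are handled."""
    parts = qname.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def label_entropy(label):
    """Shannon entropy in bits per character. Short English words score well
    below 3.5; a 16-character label with no repeated character scores exactly 4.0."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_machine_generated(qname, min_len=10, min_entropy=3.5):
    label = registrable_label(qname)
    return len(label) >= min_len and label_entropy(label) >= min_entropy


def nxdomain_heavy_clients(records, min_queries=5, min_ratio=0.5):
    """Clients whose NXDOMAIN share is high: a DGA-based implant typically has to
    try many candidate domains before one resolves. Thresholds are assumptions."""
    total, failed = defaultdict(int), defaultdict(int)
    for _, client, _, rcode in records:
        total[client] += 1
        if rcode == "NXDOMAIN":
            failed[client] += 1
    return {c: failed[c] / total[c] for c in total
            if total[c] >= min_queries and failed[c] / total[c] >= min_ratio}


def dga_suspects(records):
    return {(client, qname) for _, client, qname, _ in records
            if looks_machine_generated(qname)}


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    print("NXDOMAIN-heavy clients:", nxdomain_heavy_clients(recs))
    for client, qname in sorted(dga_suspects(recs)):
        print("machine-generated name:", client, qname)
```

The single typo from 10.0.1.15 is not flagged by either test, which is the point of requiring a minimum query count and a ratio rather than alerting on every failed lookup.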

6. Identify Port Scans with Network Management Tools

An organization can search for port scans and other reconnaissance as an adversary attempts to map its network. Many intrusion detection solutions identify port scanners, but it can be hard to distinguish legitimate scanning (vulnerability scanners, monitoring systems) from deliberate reconnaissance. The best way to find anomalies indicative of a breach is to use NetFlow aggregation to benchmark how many destinations and ports each device on your network normally reaches, and then look for devices that far exceed their own or their peers' baseline.
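
The fan-out baseline described above, as an added Python example rather than anything from the original article. The flow records are constructed in the shape a NetFlow or IPFIX collector would aggregate them into; the addresses, the robust median-plus-MAD baseline and the sweep/probe thresholds are all assumptions.

```python
import statistics
from collections import defaultdict


def build_sample_flows():
    """Constructed, already-aggregated flow records (src, dst, dst_port); a
    NetFlow/IPFIX collector would supply these. Addresses are made up."""
    flows = []
    for i in range(10, 15):                      # five ordinary workstations
        src = f"10.0.1.{i}"
        flows += [(src, "10.0.0.5", 53), (src, "10.0.0.10", 445), (src, "10.0.0.20", 443)]
        if i % 2 == 0:
            flows.append((src, "10.0.0.30", 3389))
    scanner = "10.0.1.50"                        # one host mapping the network
    flows += [(scanner, f"10.0.2.{h}", 445) for h in range(1, 21)]      # SMB sweep of a /24
    flows += [(scanner, "10.0.2.5", p)                                    # port probe of one host
              for p in (21, 22, 23, 80, 135, 139, 443, 3389)]
    return flows


def fanout_by_source(flows):
    """Per source: distinct destination hosts, distinct destination ports,
    distinct (host, port) pairs, and the largest number of ports hit on one host."""
    pairs, hosts, ports = defaultdict(set), defaultdict(set), defaultdict(set)
    ports_per_host = defaultdict(lambda: defaultdict(set))
    for src, dst, dport in flows:
        pairs[src].add((dst, dport))
        hosts[src].add(dst)
        ports[src].add(dport)
        ports_per_host[src][dst].add(dport)
    return {src: {"pairs": len(pairs[src]), "hosts": len(hosts[src]), "ports": len(ports[src]),
                  "max_ports_on_one_host": max(len(p) for p in ports_per_host[src].values())}
            for src in pairs}


def flag_scanners(flows, k=3.0, sweep_hosts=10, probe_ports=5):
    """Sources whose (host, port) fan-out is an outlier against the population
    baseline: median + k * MAD, with MAD floored at 1 so a very uniform baseline
    does not flag everything. Also labels the shape of the activity so an analyst
    can tell a subnet sweep from a single-host port probe."""
    stats = fanout_by_source(flows)
    counts = [s["pairs"] for s in stats.values()]
    median = statistics.median(counts)
    mad = max(statistics.median([abs(c - median) for c in counts]), 1.0)
    threshold = median + k * mad
    flagged = {}
    for src, s in stats.items():
        if s["pairs"] <= threshold:
            continue
        patterns = []
        if s["hosts"] >= sweep_hosts:
            patterns.append("horizontal sweep")
        if s["max_ports_on_one_host"] >= probe_ports:
            patterns.append("vertical scan")
        flagged[src] = dict(s, patterns=patterns, threshold=threshold)
    return flagged


if __name__ == "__main__":
    for src, info in flag_scanners(build_sample_flows()).items():
        print(src, info)
```

Using the median and median absolute deviation instead of mean and standard deviation keeps the scanner itself from inflating the baseline it is compared against, which matters when one outlier dominates a small population.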

7. Study Red Flags from Security Solutions

In some cases security software marks non-malicious tools as suspicious, and enterprises ignore the warning because the tool is familiar or harmless on its own. The warning can also mean there is an intruder in the network. Attackers use legitimate administration tools such as PsExec and the rest of the Sysinternals Suite to run commands and gather information about the network, and those tools are often flagged when they are not preinstalled on the organization's systems. The security team should monitor who runs such tools, from where and under which account; if there is no reasonable explanation, you may have stumbled upon an attacker's lateral movement.
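
Steps 1 and 7 both come down to comparing admin-tool executions against who, where and how administrators normally run them. The following Python example is added here and is not from the article; the tool list, the admin accounts and hosts, the expected parent processes and the process-creation events (shaped like Sysmon Event ID 1 fields) are all constructed assumptions.

```python
import ntpath

# Assumed site policy (not from the article): which native/Sysinternals tools are
# reserved for administrators, which accounts and hosts are allowed to run them,
# and which parents normally launch them. Tune all four sets to your environment.
ADMIN_TOOLS = {"psexec.exe", "psexec64.exe", "paexec.exe", "wmic.exe",
               "nltest.exe", "dsquery.exe", "procdump.exe", "procdump64.exe"}
ADMIN_ACCOUNTS = {"corp\\admin-j", "corp\\svc-sccm"}
ADMIN_HOSTS = {"JUMP01", "SCCM01"}
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe", "ccmexec.exe"}

# Constructed process-creation events in the shape of Sysmon Event ID 1 fields
# (UtcTime, Computer, User, Image, ParentImage, CommandLine). All values are made up.
SAMPLE_PROCESS_EVENTS = [
    ("2018-03-20 08:10:00", "JUMP01", "CORP\\admin-j", r"C:\Tools\PsExec.exe",
     r"C:\Windows\System32\cmd.exe", r"PsExec.exe \\FS01 -s cmd /c ipconfig"),
    ("2018-03-20 08:15:00", "WS-BOB", "CORP\\bob", r"C:\Windows\System32\wbem\WMIC.exe",
     r"C:\Windows\System32\cmd.exe", r'wmic /node:"HR-DB01" process call create "cmd.exe /c whoami"'),
    ("2018-03-20 08:20:00", "WS-CAROL", "CORP\\admin-j", r"C:\Users\carol\Downloads\PsExec.exe",
     r"C:\Windows\System32\cmd.exe", r"PsExec.exe \\DC01 -s cmd"),
    ("2018-03-20 08:25:00", "WS-CAROL", "CORP\\carol", r"C:\Users\carol\AppData\Local\Temp\procdump.exe",
     r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", r"procdump.exe -ma lsass.exe out.dmp"),
    ("2018-03-20 08:30:00", "SCCM01", "CORP\\svc-sccm", r"C:\Windows\System32\wbem\WMIC.exe",
     r"C:\Windows\CCM\CcmExec.exe", r"wmic os get lastbootuptime"),
]


def basename(image_path):
    # ntpath handles Windows backslash paths correctly even when this runs on Linux.
    return ntpath.basename(image_path).lower()


def flag_admin_tool_use(events):
    """Each admin-tool execution that breaks the baseline, with the reasons why.
    Runs by an allowed account, from an allowed host, under an expected parent
    are silently accepted; everything else is reported for an analyst to review."""
    hits = []
    for utc, host, user, image, parent, cmdline in events:
        tool = basename(image)
        if tool not in ADMIN_TOOLS:
            continue
        reasons = []
        if user.lower() not in ADMIN_ACCOUNTS:
            reasons.append("account not in admin allowlist")
        if host.upper() not in ADMIN_HOSTS:
            reasons.append("host not an admin workstation")
        if basename(parent) not in EXPECTED_PARENTS:
            reasons.append("unexpected parent process")
        if reasons:
            hits.append({"time": utc, "host": host, "user": user, "image": tool,
                         "parent": basename(parent), "cmdline": cmdline, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in flag_admin_tool_use(SAMPLE_PROCESS_EVENTS):
        print(hit["time"], hit["host"], hit["user"], hit["image"], "->", "; ".join(hit["reasons"]))
```

Note that the third event is flagged even though it uses a genuine administrator account: an admin credential driving PsExec from an ordinary user's Downloads folder is exactly the "discrepancy in how administrative tasks are performed" that step 1 asks you to look for.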

8. Check for Abnormal Protocols

Network monitoring logs should be audited regularly for anomalies in the protocols used for connections within the enterprise network. Attackers choose a protocol based on what the network allows, so administrators should inspect connections closely even when they run on standard ports. For instance, an adversary may use port 443 (HTTPS) for external connections, but inspecting the traffic might reveal plain HTTP or a custom protocol rather than TLS. Security administrators often do not examine connections on port 443 because they assume the traffic is encrypted, and attackers count on that.
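
A minimal version of the port-versus-protocol check, as an added Python example (not from the article, and not a substitute for a protocol analyser such as Zeek, which does this properly). It looks at the first bytes a client sends and asks whether they are a TLS ClientHello record; the flow samples, the addresses and the expected-protocol table are constructed assumptions.

```python
# Constructed flow samples: (src, dst, dst_port, first bytes of the client's
# payload). Addresses are from documentation ranges; the TLS bytes are a
# plausible ClientHello record header, everything else is made up.
SAMPLE_FLOWS = [
    ("10.0.1.15", "192.0.2.10",   443, bytes.fromhex("160301 00c8 01 0000c4 0303") + b"\x00" * 16),
    ("10.0.1.40", "203.0.113.7",  443, b"GET /gate.php?id=1 HTTP/1.1\r\nHost: 203.0.113.7\r\n"),
    ("10.0.1.40", "203.0.113.7",  443, bytes.fromhex("0000002a01deadbeef")),
    ("10.0.1.22", "198.51.100.9",  80, b"GET /index.html HTTP/1.1\r\nHost: www.example.net\r\n"),
    ("10.0.1.40", "198.51.100.9",  80, bytes.fromhex("160303 009a 01 000096 0303") + b"\x00" * 16),
]

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ", b"HTTP/")

# What each port is expected to carry (assumed site policy).
EXPECTED = {443: "tls-handshake", 8443: "tls-handshake", 80: "plaintext-http", 8080: "plaintext-http"}


def is_tls_client_hello(data):
    """TLS record header: content type 0x16 (handshake), version 0x0301..0x0303,
    two-byte length, then handshake type 0x01 (ClientHello). TLS 1.3 clients still
    put 0x0301 or 0x0303 in the record version, so this covers 1.0 through 1.3."""
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and 0x01 <= data[2] <= 0x03 and data[5] == 0x01)


def classify_payload(data):
    if is_tls_client_hello(data):
        return "tls-handshake"
    if data.startswith(HTTP_METHODS):
        return "plaintext-http"
    return "unknown"


def find_protocol_mismatches(flows, expected=EXPECTED):
    """Flows whose first bytes do not match what the port implies. Plaintext or
    unknown traffic on 443 is the article's case; TLS on 80 is the reverse and is
    reported too, because it hides from content inspection that expects HTTP."""
    return [(src, dst, port, classify_payload(data))
            for src, dst, port, data in flows
            if port in expected and classify_payload(data) != expected[port]]


if __name__ == "__main__":
    for src, dst, port, seen in find_protocol_mismatches(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port} expected {EXPECTED[port]}, saw {seen}")
```

The second and third flows are the case the step describes: a host talking to the same external address on 443 with plain HTTP in one connection and an opaque binary protocol in the next, neither of which a control that "assumes 443 is encrypted" would look at.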

9. Leverage Machine Learning

Network traffic logs fed into an analytics pipeline can give in-depth insight into how an attacker interacts with a network. Machine-learning-based contextualization provides a dynamic view of what normal traffic looks like. By understanding normal traffic flow, systems can perform change-point detection to identify emerging threats: algorithms flag the moment when the distribution of a specific traffic pattern (connection counts, destinations, bytes transferred) deviates from its usual behavior.
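
Change-point detection does not require a large model to be useful. The following added Python example (not from the article) runs a one-sided CUSUM, the classic mean-shift detector, over a constructed hourly series of outbound connection counts from one host; the series, the baseline length and the k and h parameters are assumptions.

```python
import statistics


def build_series():
    """Constructed hourly count of outbound connections from one host: a steady
    repeating pattern for 40 hours, then a modest, sustained rise. Made-up data."""
    return [18 + (i % 5) for i in range(40)] + [26] * 8


def detect_change_point(series, baseline_len=25, k=0.5, h=5.0):
    """One-sided (upward) CUSUM on standardised values. The first baseline_len
    points define 'normal' (mean and standard deviation); k is the allowance that
    lets small fluctuations decay back to zero, h the decision threshold, both in
    standard-deviation units. Returns the index at which the statistic first
    exceeds h, or None if the series never drifts. A second accumulator on
    -(x - mu) would catch drops (for example a host that stops reporting)."""
    base = series[:baseline_len]
    mu = statistics.mean(base)
    sigma = statistics.pstdev(base) or 1.0    # guard against a constant baseline
    s = 0.0
    for i, x in enumerate(series):
        s = max(0.0, s + (x - mu) / sigma - k)
        if s > h:
            return i
    return None


if __name__ == "__main__":
    series = build_series()
    print("change detected at hour:", detect_change_point(series))
    print("steady series:", detect_change_point([18 + (i % 5) for i in range(48)]))
```

The rise from about 20 to 26 connections per hour is only a few standard deviations and would not trip a per-sample threshold, yet the accumulated evidence crosses h on the second elevated hour. That is the property the step is after: a sustained small shift in a host's behavior, such as a new beacon, is detected without alerting on every noisy spike.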

10. Cluster with The Help of Analysts

Advanced network analytics can help IT administrators spot patterns of activity that indicate lateral movement, complementing the alerts and correlations offered by SIEMs. They can also collaborate with an analyst to identify clusters. With data about user activity, entitlements and roles, users can be grouped into behavioral cohorts. For instance, users in the invoice reconciliation group are expected to access specific systems, but probably not the wire transfer application. Clustering helps analysts see whether a user's behavior conflicts with that of others in the same position.


Finding quiet intrusions requires in-depth analysis of anomalies inside the network. This matters most when adversaries hold legitimate credentials and take measures to disguise their movement. Because the most common lateral movement techniques (Remote Desktop Protocol, admin tooling such as WMI and PsExec, and so on) use no malware payload, most security controls struggle to spot an attacker moving around an enterprise network.

For these reasons, solutions that integrate machine learning and advanced analytics to identify the behaviors of a data breach are the future of the infosec industry. At the same time, deploying such systems demands a more proactive approach. Until those advancements mature, it is a matter of taking the right measures to identify what is hidden in plain sight.


Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.