Lateral Movement in the Real World: A Quantitative Analysis

VMware

By Stefano Ortolani and Giovanni Vigna


Since attacks have the inherent goal of achieving progressively higher access to resources, they often follow a common process in which an initial compromised endpoint is used as a bridgehead to access additional parts of the target’s infrastructure. This process has been in part codified in the MITRE ATT&CK framework in which the kill-chain of an attack is described as a series of tactical achievements.

While there are few cases that rigidly follow a process that touches on these tactics in a linear manner, most attacks have only a few of these steps and often have sub-patterns that reflect the repetitive nature of the exploitation process. However, one of the most essential (and often overlooked) aspects of multi-step attacks is lateral movement.

Lateral movement is essential because it describes the actions that attackers take to expand their foothold on the target network, which is often critical to the success of an attack, as the first compromised host is rarely the final target of a breach. Lateral movement is also often overlooked because most security tools focus on the perimeter of the network and seldom look at the interactions among internal hosts; as a result, these tools might miss important aspects of a multi-step attack.

Hereinafter, we present some data about lateral movement that is based on the telemetry that the VMware Threat Analysis Unit (TAU) collected from VMware Contexa. Our analysis begins from the concept of an intrusion, which is a set of alerts generated on a victim’s network that are correlated together. We selected a dataset that spans 30 days and whose intrusions involve at least five hosts. The dataset contains 489 intrusions, 219 (44.7%) of which contain a lateral movement event.

Our analysis focused on the shape of the lateral movement activity, in terms of path length and fan-out. The goal of this analysis is to understand whether attackers usually use one node to attack many others or whether they move linearly from host to host in an island-hopping pattern. From the analysis we found that in our dataset the most common average path length is 2, and the maximum is 4, meaning that, excluding intrusions that often involve brute-forcing, island hopping involves few nodes because attackers are often able to close in on the final target swiftly.

When looking at the fan-out of lateral movement patterns, our analysis shows that the average number of target nodes in a lateral propagation event is one, meaning that lateral propagation attempts tend to be laser-focused, i.e., affecting only those hosts that are needed by the intrusion to succeed.
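To make the two shape metrics concrete, the following is an added example (not VMware's or TAU's code) that derives path length and fan-out from per-intrusion lateral-movement events. It assumes each event is a (source host, target host) pair, measures path length in hops along the longest simple chain, and uses constructed host names and intrusion identifiers rather than Contexa telemetry.

```python
from collections import defaultdict

# Constructed sample data: each intrusion is a list of (source, target) lateral-movement
# events. Intrusion A is an island-hopping chain, B is a single pivot host with fan-out 3,
# C has no lateral-movement event at all. Host names are made up.
INTRUSIONS = {
    "intrusion-A": [("ws-01", "fs-02"), ("fs-02", "db-03"), ("db-03", "dc-04")],
    "intrusion-B": [("ws-07", "srv-08"), ("ws-07", "srv-09"), ("ws-07", "srv-10")],
    "intrusion-C": [],
}


def build_graph(events):
    """Directed graph: source host -> set of hosts it moved laterally to."""
    graph = defaultdict(set)
    for src, dst in events:
        graph[src].add(dst)
    return graph


def longest_path(graph):
    """Hop count of the longest simple path (depth of island hopping).
    The visited set stops cycles, e.g. A -> B -> A, from recursing forever."""
    def dfs(node, visited):
        best = 0
        for nxt in graph.get(node, ()):
            if nxt not in visited:
                best = max(best, 1 + dfs(nxt, visited | {nxt}))
        return best
    return max((dfs(n, {n}) for n in graph), default=0)


def fan_out(graph):
    """Mean number of distinct targets per pivoting source host (0 if no events)."""
    return sum(len(t) for t in graph.values()) / len(graph) if graph else 0.0


def shape(events):
    graph = build_graph(events)
    return {"path_length": longest_path(graph), "fan_out": fan_out(graph)}


def summarize(intrusions):
    """Dataset-level view matching the article's framing: how many intrusions
    contain a lateral-movement event, the maximum path length, and mean fan-out."""
    shapes = [shape(ev) for ev in intrusions.values()]
    with_lm = [s for s in shapes if s["path_length"] > 0]
    return {
        "intrusions": len(intrusions),
        "with_lateral_movement": len(with_lm),
        "max_path_length": max((s["path_length"] for s in with_lm), default=0),
        "mean_fan_out": sum(s["fan_out"] for s in with_lm) / len(with_lm) if with_lm else 0.0,
    }
```

Run over real alert correlations, a path length that stays short while fan-out stays near one is the laser-focused pattern described above; a large fan-out from a single source is the signature to flag for brute-forcing or scanning.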

Understanding lateral movement is important, as it is a key activity in complex, multi-step attacks. Unfortunately, identifying lateral movement events in computer networks that generate thousands of events every day is challenging, especially because many of the events might be associated with legitimate administrative activity. Therefore, it is of paramount importance to have sophisticated analysis tools that can enrich and amplify the relevant signals so that they can stand out from the noise.

For a more in-depth analysis of lateral movement read our latest security blog post.
