Are you a fan of ninjas?

We are talking about those shinobi fighters we usually see on TV shows and kids’ cartoons with a mask, black outfit, unseeable boots, a fancy and destructive-looking katana, and other cool ancient weapons. 

Ninjas lived in Japan a long time ago in the era of feudal Japan. 

They were used by noble samurai to spy on, kill or kidnap someone, or to steal valuables.

But did you know that today we live in the golden era of a more sophisticated type of ninja?

No! Not red teams (often called penetration testers) who are basically on your side.

We are talking about ninjas whose main skill is to enter networks stealthily and move laterally through IT systems to steal data and spy on organizations. 

We need to talk about the skills behind lateral movement, because how they move is mysterious. 

We will concisely define lateral movement and its techniques, and expose some of the tools used to move laterally across the network.

Wait! Before we explain what lateral movement is, let’s talk about the fake detective.

Do you recall the fake detective whose job is to get as much information as possible about network assets using both publicly available and customizable tools?

Well, I want you to keep in mind that he fled, upgraded himself to ninja status, and now he is moving laterally within our network. 

What’s that exactly? 

Lateral movement is the art of deploying multiple techniques that adversaries use to establish their control over a network by moving from one asset to another until they reach their objective. The objective can be to conquer a database, a domain controller, or just find a blind spot and stealthily exfiltrate data.

There are many techniques used to control a network and each technique comes with different tools. 

We are focusing on just a few, but keep in mind that the options are almost endless.

Exploitation of the main components: If these ninjas already possess enough info about a network, they might exploit a vulnerability within a specific software application or the operating system’s kernel itself to execute adversary-controlled exploits. 

Lateral Tool Transfer: Ninjas need to carry some lightweight tools, or download some, to carry out further investigation. For this, they can take advantage of PowerShell scripts such as PowerView and PowerUp, and Bash scripts such as Linpeas.sh or LinEnum.sh for Linux-based assets. Take into account that ninjas can customize their own tools, too.

Remote services: Using either stolen credentials or hijacked pre-existing sessions, ninjas proceed freely across the network. Or they exploit alternative authentication systems, such as application access tokens, pass the hash, pass the ticket, web session cookies, or Kerberoasting, to take over a domain controller.
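One way a defender can surface the remote-services pattern described above is to flag an account that logs on from one host to many distinct hosts in a short time. This is an added example, not from the original post; the event tuples are constructed sample data shaped like Windows Security Event ID 4624 fields, and the function name, window and threshold are assumptions to tune for your environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs):
# (time, account, source host, target host, logon type)
EVENTS = [
    ("2024-05-01T09:00:05", "alice", "WS-014", "FS-01", 3),
    ("2024-05-01T09:02:11", "svc_backup", "WS-022", "FS-01", 3),
    ("2024-05-01T09:03:40", "svc_backup", "WS-022", "DB-01", 3),
    ("2024-05-01T09:04:02", "bob", "WS-030", "FS-01", 3),
    ("2024-05-01T09:05:19", "svc_backup", "WS-022", "APP-02", 10),
    ("2024-05-01T09:06:30", "alice", "WS-014", "WS-014", 2),
    ("2024-05-01T09:07:55", "svc_backup", "WS-022", "DC-01", 3),
    ("2024-05-01T09:30:00", "bob", "WS-030", "MAIL-01", 3),
    ("2024-05-01T10:10:00", "bob", "WS-030", "DB-01", 3),
    ("2024-05-01T11:00:00", "bob", "WS-030", "APP-02", 3),
]

# Logon types that reach another machine: 3 = network, 10 = RemoteInteractive (RDP).
REMOTE_LOGON_TYPES = {3, 10}


def find_fanout(events, window=timedelta(minutes=10), threshold=4):
    """Return {(account, source): (first alert time, targets)} for every
    account/source pair that logs on to at least `threshold` distinct
    targets within a sliding `window`."""
    recent = defaultdict(deque)  # (account, source) -> deque of (time, target)
    alerts = {}
    for ts, account, source, target, logon_type in sorted(events):
        if logon_type not in REMOTE_LOGON_TYPES:
            continue  # local/interactive logons are not lateral movement
        now = datetime.fromisoformat(ts)
        key = (account, source)
        seen = recent[key]
        seen.append((now, target))
        # Drop logons that have aged out of the sliding window.
        while now - seen[0][0] > window:
            seen.popleft()
        targets = sorted({t for _, t in seen})
        if len(targets) >= threshold and key not in alerts:
            alerts[key] = (ts, targets)
    return alerts


if __name__ == "__main__":
    for (account, source), (ts, targets) in find_fanout(EVENTS).items():
        print(f"{ts} {account} from {source} reached {len(targets)} hosts: {targets}")
```

In the sample data only `svc_backup` trips the default threshold; `bob` reaches the same number of hosts but spread over two hours, which is why the window matters as much as the count.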

The way ninjas deploy these techniques is surreal. 

We will be sharing posts that detail all these techniques, how they work and more. If you are interested too, follow our blog and our official LinkedIn account.

Lateral movement helps ninjas slip past detection mechanisms, save their entry points, and create others if necessary.

Also, ninjas can reside in a network for weeks, months, or even years before they get caught, if they even do. That’s why oftentimes they are referred to as Advanced Persistent Threats (APTs).

Ninjas are trained to perform operations clandestinely. They can be smart, patient, and move like a breeze through the network, but they can be beaten.

https://github.com/infosecn1nja/AD-Attack-Defense

Check the picture above. 

That’s the lateral movement cycle.

Do you notice how many times the reconnaissance process is repeated? 

So if your network is as visible to you as it should be, then you will catch them before they make progress through your network, back when they were only detectives.

It’s all about how much visibility and adaptivity your security program provides.