Lateral Movement and Threat Actors – Watch your network!

Cyber attacks are not only becoming more frequent, they are also becoming more complex, with attackers often using a range of techniques to get malware into your computer. One preferred method is to spread malware throughout the network, in an effort to locate network assets.

This blog post explains this particular method, and why locating this type of activity and correlating it with other detection methods is vital to network security.

Follow the pattern

External cyber attacks on enterprise networks often share the same pattern:

  • The attacker first gains a foothold in the target network, then moves towards the enterprise's network assets, and finally does whatever they set out to do with those assets once they have hold of them. This may be encrypting data and demanding a ransom for its recovery; at other times it is exfiltrating data and publishing it, or making some other use of it.
  • The second step in this pattern, moving towards the assets, is often referred to as lateral movement. Needless to say, detecting this movement at the network level is critical, since it reveals an attack that has already passed the first line of defense undetected. Note that in an internal attack, initiated by a legitimate network user, lateral movement may be the first step of the attack.

The attacker's goal in the lateral movement stage is to get closer to the asset they are after. At the network level, lateral movement frequently relies on traffic redirection: techniques that route communication through the attacker's machine (a Man-in-the-Middle position), letting the attacker intercept the traffic and extract valuable data from it.

Illustration of ARP Poisoning Attack

Beware of the Rogue!

There are several popular methods for achieving MitM on a LAN. One of these methods, known as a Rogue DHCP Server, is explored in this post.

The technique used in a Rogue DHCP attack works by:

  1. Detecting an endpoint that has sent a DHCP request.
  2. Providing a fake reply to the endpoint with fake DHCP data.

Implementing such an attack is actually quite easy. All the attacker needs to do is:

  1. Install a DHCP server on a machine they already control.
  2. Configure the DHCP server to provide replies with rogue data.
  3. Wait for requests and let the rogue DHCP server reply.

Illustration of Rogue DHCP Attack

The attacker need not worry about intercepting the request, since DHCP requests are sent to the Ethernet broadcast address and are therefore visible to every endpoint on the network segment. At times there may be a "race" between the real DHCP server's reply and that of the rogue server: the attacker's rogue reply must reach the client before the authentic one.

The DHCP server's job is to provide network configuration to a client that does not yet have an IP address. When a client boots, it broadcasts a request asking the DHCP server for its network configuration: IP address, subnet mask, default gateway, DNS servers and possibly further network-related settings. A fake answer from an attacker can therefore manipulate the client's network configuration.

For example, an attacker can set up a DHCP server and configure it to hand out their own machine as the default gateway. From then on, any communication between the victim and other hosts that has to be routed through the default gateway passes through the attacker's machine, where it can be inspected freely for valuable information.

Detecting such attacks is critical. Monitoring DHCP replies on local network segments for "incorrect" answers can indicate that an attack is taking place, and is a critical capability for any network security specialist.

An interesting behavior observed on a monitored enterprise network was a DHCP answer offering a default gateway different from the one configured on the network's DHCP servers. Searching for the "attacker" on the network revealed that an employee had connected a Wi-Fi router to a network socket. Since the Wi-Fi router was configured to answer DHCP requests by default, it answered every DHCP request it could see.

Although the employee had no malicious intent, his actions put the company's network at risk: the Wi-Fi router he connected was not secured, potentially giving cyber attackers an access point to use as their initial attack vector.
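As an added example (not code from the original post), the following Python script shows the kind of check described above: it parses DHCP replies, compares the server identifier and the offered default gateway against an allowlist, and flags any reply that comes from an unexpected server or hands out an unexpected gateway, which is exactly what gave the employee's Wi-Fi router away. The allowlist addresses, the packet builder and both sample replies are constructed here for illustration; a real deployment would feed it replies captured on the segment (UDP port 68 traffic) instead.

```python
import struct
from ipaddress import IPv4Address

# Constructed allowlist (assumed values, not from the post): the enterprise's
# authorized DHCP servers and the default gateway they are expected to hand out.
AUTHORIZED_SERVERS = {"10.0.0.2"}
EXPECTED_ROUTERS = {"10.0.0.1"}

DHCP_MAGIC = b"\x63\x82\x53\x63"          # magic cookie that starts the option list
OPT_PAD, OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 53, 54, 255
MSG_NAMES = {2: "OFFER", 5: "ACK"}        # the server replies worth checking


def parse_dhcp(payload: bytes) -> dict:
    """Parse the BOOTP fixed header and the DHCP option list (RFC 2131/2132)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, _htype, _hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    yiaddr = str(IPv4Address(payload[16:20]))   # address being offered to the client
    opts = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "options": opts}


def check_reply(payload: bytes) -> list:
    """Return findings for a server-to-client DHCP reply; an empty list means it looks legitimate."""
    pkt = parse_dhcp(payload)
    findings = []
    if pkt["op"] != 2:                       # only BOOTREPLY packets are server answers
        return findings
    msg_type = pkt["options"].get(OPT_MSG_TYPE, b"\x00")[0]
    if msg_type not in MSG_NAMES:
        return findings
    name = MSG_NAMES[msg_type]
    server_id = pkt["options"].get(OPT_SERVER_ID)
    if server_id is not None:
        server_ip = str(IPv4Address(server_id))
        if server_ip not in AUTHORIZED_SERVERS:
            findings.append(f"{name} from unauthorized DHCP server {server_ip}")
    router = pkt["options"].get(OPT_ROUTER)
    if router is not None:
        # option 3 may list several routers, four bytes each
        for off in range(0, len(router) - 3, 4):
            gw = str(IPv4Address(router[off:off + 4]))
            if gw not in EXPECTED_ROUTERS:
                findings.append(f"{name} offers unexpected default gateway {gw}")
    return findings


def build_reply(msg_type: int, server_ip: str, router_ip: str, yiaddr: str,
                xid: int = 0x3903F326) -> bytes:
    """Build a minimal DHCP reply; constructed test input, not a captured packet."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)   # op=BOOTREPLY, ethernet, secs, flags
    hdr += bytes(4)                                        # ciaddr
    hdr += IPv4Address(yiaddr).packed                      # yiaddr
    hdr += IPv4Address(server_ip).packed                   # siaddr
    hdr += bytes(4)                                        # giaddr
    hdr += bytes(16) + bytes(64) + bytes(128)              # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    opts += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed
    opts += bytes([OPT_ROUTER, 4]) + IPv4Address(router_ip).packed
    opts += bytes([OPT_END])
    return hdr + DHCP_MAGIC + opts


# Constructed samples: an OFFER from the real server, and one from a Wi-Fi router
# that hands out itself as the gateway, as in the incident described above.
LEGIT_OFFER = build_reply(2, "10.0.0.2", "10.0.0.1", "10.0.0.50")
ROGUE_OFFER = build_reply(2, "192.168.1.1", "192.168.1.1", "192.168.1.100")

if __name__ == "__main__":
    for label, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        print(label, check_reply(pkt) or "no findings")
```

The check deliberately looks at both option 54 (server identifier) and option 3 (router): a rogue server that spoofs the real server's identifier still has to hand out a gateway it controls for the redirection to work, so the gateway comparison catches it even when the identifier check does not.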

No tiers? Think again

Enterprises often put their main effort into detecting attacks arriving through the network's Internet gateway. Cyber defense methodology must instead be based on several tiers of detection: new attacks may evade the first line of defense, some attacks are not initiated through the Internet gateway at all, and lateral movement as described above cannot be detected at the gateway at all. Having more lines of defense makes it harder for a complete attack to go undetected.

Correlating attacks detected by the different detection modules is also vital: it gives information security personnel a full picture of the attack stages and damage, and lets them detect attacks that were missed at the first tier of network defense.


Author: Eddie Harari