Cyberattacks are increasingly common because the tools threat operators utilize to carry them out are becoming more powerful and are readily available through black markets. While managed service providers (MSPs) direct considerable attention towards managing clients’ information technology (IT) infrastructure and end-user systems, threat operators are focused more on everything that occurs after the initial compromise. Once a threat operator has accessed an MSP’s networks, they attempt to move deeper into the architecture through lateral movement and locate valuable and sensitive data to sell at a high price or ransom back to the company. For the MSP’s clients that have distributed workforces or rely on IoT and legacy computing devices, lateral movement tactics are high-priority threats.
What is Lateral Movement?
Lateral movement describes the techniques threat operators utilize to explore a network, locate additional resources (apps and devices), and access sensitive and valuable data after breaching it. They use lateral movement to maintain access, increase their privileges, and avoid detection. Because detecting the breach, or even identifying the first compromised endpoint, still leaves network administrators well behind an attack that keeps expanding, threat operators can search far and wide for high-value information by moving sideways within the network.
How Lateral Movement Works, Step-By-Step
Threat operators may mimic the true endpoint user or device owner by scraping credentials, moving to a new system in the network, and adopting a new user identity after gaining a network foothold. As they proceed from system to system, threat operators can repeat the process, escalating access privileges until they reach the desired payload. Planning for lateral movement begins long before the initial breach, and the attack itself proceeds in four main stages:
Stage 1: Reconnaissance
Internal reconnaissance is a precondition for lateral movement, allowing threat operators to familiarize themselves with the inner workings of their targets’ networks by observing legitimate activity and mapping the network architecture. During reconnaissance, threat operators study network hierarchies, determine host naming conventions, and identify high-value data assets. This step provides the information needed to make efficient decisions during the attack, reducing both the time required to find the payload and the chance of detection.
Stage 2: Disable Security Tools
Threat operators can check for existing security tools running on the network while examining its architecture, a process that today’s security researchers have largely automated. Threat operators can develop the tools needed to deactivate antivirus (AV) and endpoint detection and response (EDR) software. AV and EDR products intercept and inspect each API call for malicious intent by “hooking” into application functions at installation time. Unhooking returns that code to its original state, preventing the security software from performing its function and allowing threat operators to avoid detection and persist in the network.
Stage 3: Credentials & Privileges
Moving laterally through networks without being detected requires that threat actors acquire credentials belonging to legitimate network users. Bad actors can obtain valid credentials through various methods, including brute force attacks and deploying tools like keyloggers and protocol analyzers. Phishing, social engineering, or typosquatting can convince legitimate users to disclose their credentials willingly. Credential dumping is the general term for these illicit methods of acquiring the credentials that grant network privileges.
Stage 4: Gaining & Escalating Access
Threat operators can move freely from endpoint to endpoint if they possess a detailed map of the target network and legitimate credentials. Threat operators will employ the cyclical process of stages 1-3 to keep their network access, working hard to evade detection by researching legitimate users and devices within networks before moving laterally to access the payload.
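One way a defender can surface the stage 4 behaviour described above is to look for a single account reaching many distinct hosts within a short window, which is what a harvested credential being replayed host to host looks like in authentication logs. This is an added example, not code from the original post or from SpearTip; the CSV layout, account names and host names are constructed sample data.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample of network logon events (e.g. Windows event 4624, logon type 3),
# flattened to CSV: timestamp, account, source host, destination host.
SAMPLE_LOG = """\
time,account,src,dst
2024-03-01T09:00:05,jdoe,WS-17,FILESRV01
2024-03-01T09:00:40,jdoe,WS-17,FILESRV01
2024-03-01T09:01:12,svc_backup,BK01,FILESRV01
2024-03-01T21:14:03,helpdesk1,WS-42,WS-07
2024-03-01T21:14:09,helpdesk1,WS-42,WS-08
2024-03-01T21:14:15,helpdesk1,WS-42,WS-09
2024-03-01T21:14:22,helpdesk1,WS-42,DC01
2024-03-01T21:14:30,helpdesk1,WS-42,FILESRV02
2024-03-02T08:30:00,helpdesk1,WS-42,WS-07
"""

def parse_events(text):
    """Parse the CSV export into (datetime, account, src, dst) tuples, oldest first."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append((datetime.fromisoformat(r["time"]), r["account"], r["src"], r["dst"]))
    rows.sort()
    return rows

def find_fanout(events, window=timedelta(minutes=10), min_hosts=4):
    """Flag accounts that reach >= min_hosts distinct destinations inside `window`.
    Returns (account, window start, sorted host list) per flagged account."""
    by_account = defaultdict(list)
    for ts, acct, _src, dst in events:
        by_account[acct].append((ts, dst))  # events are already time-ordered
    alerts = []
    for acct, hits in by_account.items():
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until the span fits within `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            hosts = {dst for _ts, dst in hits[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.append((acct, hits[start][0], sorted(hosts)))
                break  # one alert per account is enough for triage
    return alerts

if __name__ == "__main__":
    for acct, when, hosts in find_fanout(parse_events(SAMPLE_LOG)):
        print(f"{when} {acct} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

Tune `window` and `min_hosts` to the environment: administrative and backup accounts legitimately touch many hosts, so pair the rule with an allow-list or a per-account baseline rather than alerting on raw fan-out alone.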
Ransomware groups frequently target MSPs because their infrastructure offers threat operators direct access to numerous clients. Using compromised, legitimate credentials of the MSP allows threat operators to freely move laterally between MSPs and their clients’ shared networks, where ransomware can be deployed with little effort.
MSPs obtain significant economies of scale by serving numerous clients. As a result, they typically have direct access to their clients’ networks and data on their internal infrastructure. MSPs are often more willing to pay a ransom because failing to pay can result in irreparable damage to their reputation. Furthermore, many MSPs operate with limited resources, lack dedicated cybersecurity personnel, and are too busy to maintain strict cybersecurity practices, making them easier targets than larger companies, while simultaneously giving threat operators access to potentially thousands of endpoints.
When cybercriminals breach a device in a network, that asset is rarely their final objective. They infiltrate low-level web servers, users’ email accounts, organizational workstations, or any other starting point as the first step toward their ultimate goal. Breaches can occur through phishing emails, drive-by downloads, exploit kits, and corrupted flash drives. To initiate a ransomware attack, threat actors need only infect one device, then pivot and begin locating their real target.
If MSPs are compromised, it’s likely their clients are as well, resulting in disruptive downtime and massive ransom demands. Companies put their trust in MSPs and it’s important for MSPs to keep the trust by doing everything possible to reduce the chance of a ransomware incident. MSPs need to take a proactive approach to security to gain a competitive edge because cybersecurity has become increasingly critical for MSPs and their clients across industries.
With SpearTip, partners gain our expertise in conducting comprehensive security assessments that go beyond simple compliance checks and ensure valuable insurance coverage. Additionally, partners receive a turnkey Security Operations Center (SOC) and a dedicated team of certified experts to their account on a 24/7/365 basis allowing their current team to focus on client interactions. We offer an all-in-one cybersecurity solution in our ShadowSpear Platform that eliminates the threat of lateral movement by stopping the initial access of threat actors, so MSPs can focus on their clients’ core IT objectives while providing industry-leading protection against ransomware threats.
If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.