It is a known fact amongst security professionals that any major malware strain, such as Doqu 2.0, NotPetya or even Stuxnet includes some form of lateral movement capability.
According to MITRE ATT&CK™, there are least 20 known types of lateral movement techniques adversaries use to enter and control remote systems on a network.
In Active Directory, Lateral movements paths (LMPs) are used by attackers to identify and gain access to the sensitive accounts and machines in your network that share stored logon credentials in accounts, groups and machines. Once an attacker makes successful lateral moves towards their key targets, they often try to gain access to domain controllers to achieve domain dominance. Lateral movement attacks are carried out using many of the methods described in Azure ATP’s security alerts guide.
LMPs are a natural side-effect of every identity hierarchy, as shown in the following example:
In this example, Joe Helpdesk is a well-known user in the CFO’s LMP. Joe Helpdesk is considered sensitive because they can obtain the CFO credentials stored on the CFO’s laptop device, on which Joe Helpdesk is a local administrator.
The risk created by LMPs starts to increase when additional (often overlooked) logged in sessions, group memberships and local administrator privileges are introduced into the identity hierarchy as the organization grows, for example:
In this case, both User1 & User2 can be leveraged to gain the CFO’s credentials since they have local administrator privileges on a device (Finance Server) that the CFO is logged into. From the Finance Server, these LMPs can grow exponentially, often become overwhelming to assess or attempt to remediate—this is where Azure ATP comes in.
When investigating a user or responding to a suspicious activity alert, Azure ATP already shows security analysts if that user is a part of an existing LMP, helping them understand if any immediate action is required. Beyond responsive LMP hunting, proactive measures to reduce large LMPs before potential breaches can be actualized reduces risk and improves the security posture of the entire organization.
Azure ATP’s Riskiest Lateral Movement Path security assessment brings proactive LMP hunting from theory to reality.
In this example, we see that removal of the local administrator privileges from the Finance Users group to the finance server reduces the CFO’s LMP by 2 non-sensitive users.
To identify and proactively hunt and remediate this risky lateral movement paths, we used the Riskiest Lateral Movement Paths assessment report, a component of the Azure ATP identity security posture feature, part of the new Identity Threat Investigation experience.
In this security posture assessment, we analyze all potentials LMPs for every sensitive user and calculate their risk and number of unique non-sensitive users in each entity’s path, along with the recommended actions an identity administrator can take to reduce the LMPs.
Each action provides 2 main types of data:
- What should you do?
- Remove an entity from a group
- Remove an entity from the Local administrators group on a device
- Explain what the resulting impact on the LMP risk is
- On the specific sensitive user LMP
- On all sensitive user LMPs (this action may be part of several paths)
With this assessment, identity teams can view and take immediate proactive measures on existing risky lateral movement paths, reducing the ways an attacker could possibly compromise sensitive entities and directly improving your organizational security posture.
For more information regarding lateral movement paths see
* Security assessment: Riskiest lateral movement paths (LMP)
* Azure ATP Lateral Movement Paths
* Tutorial: Use Lateral Movement Paths
* Reduce your potential attack surface using Azure ATP Lateral Movement Paths
* MITRE ATT&CK™ - Lateral movement
Or Tsemah, Product Manager, Azure ATP
Updated May 11, 2021
Version 5.0
Or Tsemah
Microsoft
Microsoft
