The Challenges and Why Catching Lateral Movement Is Your Biggest Win

This post continues my previous one, Lateral Movement - Techniques, Tactics & Procedures. Today I will highlight the challenges and why catching lateral movement is your biggest win.

The Challenges

On average it takes over 7 months from initial compromise to a breach being discovered.

So if detecting lateral movement is so powerful, why aren’t more companies doing it? It’s not for want of trying.

Unfortunately, monitoring internal networks is hard. Companies have tried log analysis, SIEMs, anomaly-based detection and machine learning. But the volume of data runs to petabytes, and even the best predictive analytics solutions generate a huge number of false positives.

The problem is so bad that, in the average company, less than 4% of alerts are even investigated! The volume and irrelevance of alerts lead security teams to disable or ignore these monitoring solutions.
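To make the alert-volume problem concrete, here is an added example (written for this page, not code from the original post or from Smokescreen) that runs three detection tiers over constructed network-logon records. The host names, users and the simplified Windows 4624-style line format are all made up. Tier 1 alerts on every network logon, which is the flood that gets ignored; tier 2 keeps only (user, source, destination) triples never seen in a known-clean baseline; tier 3 keeps only users whose new logons chain from host to host, which is the shape of lateral movement rather than of someone reaching a new printer.

```python
"""Three-tier triage of network logon events: raw volume -> novel paths -> hop chains.
Added example for this page; all log lines, hosts and users below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set, Tuple


class Event(NamedTuple):
    ts: datetime
    user: str
    src: str
    dst: str
    logon_type: int


# Constructed records in a simplified Windows 4624-style layout (not real telemetry).
# logon_type=3 is a network logon (SMB, WinRM, RPC), the kind lateral movement produces.
BASELINE_LOGS = """
2024-03-04T08:01:10 user=alice src=WS-ALICE dst=FS01 logon_type=3
2024-03-04T08:02:30 user=bob src=WS-BOB dst=FS01 logon_type=3
2024-03-04T08:05:00 user=alice src=WS-ALICE dst=MAIL01 logon_type=3
2024-03-05T08:01:12 user=alice src=WS-ALICE dst=FS01 logon_type=3
2024-03-05T08:03:40 user=bob src=WS-BOB dst=FS01 logon_type=3
2024-03-05T09:10:00 user=svc_backup src=BACKUP01 dst=FS01 logon_type=3
2024-03-05T09:10:05 user=svc_backup src=BACKUP01 dst=MAIL01 logon_type=3
2024-03-06T08:00:50 user=alice src=WS-ALICE dst=FS01 logon_type=3
"""

# Detection window: routine logons, one benign novelty (alice -> PRINT01),
# and bob's account hopping WS-BOB -> WS-ALICE -> FS01 / DC01 within minutes.
DETECTION_LOGS = """
2024-03-11T08:01:05 user=alice src=WS-ALICE dst=FS01 logon_type=3
2024-03-11T08:02:10 user=bob src=WS-BOB dst=FS01 logon_type=3
2024-03-11T09:10:00 user=svc_backup src=BACKUP01 dst=FS01 logon_type=3
2024-03-11T14:20:00 user=bob src=WS-BOB dst=WS-ALICE logon_type=3
2024-03-11T14:26:00 user=bob src=WS-ALICE dst=FS01 logon_type=3
2024-03-11T14:31:00 user=bob src=WS-ALICE dst=DC01 logon_type=3
2024-03-11T15:00:00 user=alice src=WS-ALICE dst=PRINT01 logon_type=3
"""


def parse(text: str) -> List[Event]:
    """Parse 'timestamp key=value ...' lines into Event tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, *pairs = line.split()
        f = dict(p.split("=", 1) for p in pairs)
        events.append(Event(datetime.fromisoformat(ts), f["user"], f["src"],
                            f["dst"], int(f["logon_type"])))
    return events


def naive_alerts(events: List[Event]) -> List[Event]:
    """Tier 1: alert on every network logon. This is the unworkable volume."""
    return [e for e in events if e.logon_type == 3]


def learn_baseline(events: List[Event]) -> Set[Tuple[str, str, str]]:
    """Tier 2 model: (user, src, dst) triples observed during a known-clean period."""
    return {(e.user, e.src, e.dst) for e in naive_alerts(events)}


def novel_logons(events: List[Event], baseline: Set[Tuple[str, str, str]]) -> List[Event]:
    """Tier 2: keep only network logons whose (user, src, dst) triple is new."""
    return [e for e in naive_alerts(events) if (e.user, e.src, e.dst) not in baseline]


def hop_chains(novel: List[Event], window: timedelta = timedelta(hours=1)) -> Dict[str, List[Event]]:
    """Tier 3: a novel logon whose source host was the destination of one of the same
    user's earlier novel logons (inside the window) means the account is moving host to
    host. Returns, per user, the originating logon followed by every hop that chained from it."""
    by_user: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(novel, key=lambda ev: ev.ts):
        by_user[e.user].append(e)
    chains: Dict[str, List[Event]] = {}
    for user, evs in by_user.items():
        first_reach: Dict[str, Event] = {}  # host -> novel event that first landed on it
        chain: List[Event] = []
        for e in evs:
            origin = first_reach.get(e.src)
            if origin is not None and e.ts - origin.ts <= window:
                if origin not in chain:
                    chain.append(origin)
                chain.append(e)
            first_reach.setdefault(e.dst, e)
        if chain:
            chains[user] = chain
    return chains


def triage_funnel(baseline_text: str, detection_text: str) -> Dict[str, int]:
    """How many alerts survive each tier for the detection window."""
    baseline = learn_baseline(parse(baseline_text))
    detection = parse(detection_text)
    novel = novel_logons(detection, baseline)
    return {"raw": len(naive_alerts(detection)), "novel": len(novel),
            "chains": len(hop_chains(novel))}


if __name__ == "__main__":
    print(triage_funnel(BASELINE_LOGS, DETECTION_LOGS))
    novel = novel_logons(parse(DETECTION_LOGS), learn_baseline(parse(BASELINE_LOGS)))
    for user, chain in hop_chains(novel).items():
        print(user, " -> ".join(f"{e.src}>{e.dst}" for e in chain))
```

On the constructed data the funnel goes 7 raw alerts, 4 novel paths, 1 hop chain (bob's). The tier-2 output still contains alice's first logon to PRINT01, a benign novelty of exactly the kind that drives the false-positive rate the post describes; it is the chaining rule, not the novelty rule, that singles out the account walking from workstation to workstation to the domain controller. Two caveats apply in practice: the baseline must be learned from a period believed clean, otherwise an intruder's paths are taught to the model as normal, and a single rule like this is a starting point for the tuning the post calls for, not a finished detection.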

Why Catching Lateral Movement Is Your Biggest Win

Conventional wisdom states that ‘prevention is better than cure’. Unfortunately, the attack surface of modern companies is so large that protection is akin to building a fence around a national border. You can try, but it’s not going to keep a determined attacker out.

Smokescreen Research shows that 80% of an attack is spent on lateral movement. The initial breach itself happens fairly rapidly, and the final goal is accomplished quickly as well.

It’s moving from initial breach to the final goal that takes hackers time and resources.

Even the savviest attacker is operating ‘blind’ once inside the network. They may know where the assets are, but they have to move slowly and stealthily to get there.

If you can catch them during this process, it’s game over for the attacker!

Ahmed El Ezabi

Information Security | Cybersecurity | Risk | Technology | Board | Speaker | MBA | CISSP | CISM | ITIL | ISO27001 | CDPSE

8 years

"..in the average company, less than 4% of alerts are even investigated.." That is why tuning and tweaking are key. Normal admins get overwhelmed by the number of alerts, which security vendors unfortunately boast about, and due to this high number of false positives, serious attacks get overlooked. It needs an expert to define in the beginning what alerts should be displayed, and what should be responded to and how.


More articles by Sameh Sabry
