Lateral Movement Detection and Prevention Playbook

December 17, 20233 min read

Assess the company’s ability to detect and prevent lateral movements within the network.
Test and improve the incident response protocols.
Find vulnerabilities and weaknesses within the network structure.
Improve the overall cybersecurity posture of the company.

Amelia is the Head of IT at Evergreen Inc., an international pharmaceutical company. In recent times, they have been trying to develop a breakthrough medicine which would revolutionize healthcare and put them at the forefront of the industry. Due to the nature of their work, Evergreen’s data is highly sensitive and invaluable, making them a prime target for cybercriminals.
Recently, their competitor’s network was compromised by a murky cybercriminal syndicate. Amelia fears that Evergreen could be the next target. To secure the network and protect the proprietary information, she decided to conduct a Cyber Range Exercise. The scenario was aimed at detecting and preventing lateral movements within the network, which is an increasingly common tactic used by attackers to gain unauthorized access to the network and move across it.
Her team had installed various cybersecurity products and established protocols, but there was no practical experience of confronting and combating real-time cyber-attacks. This exercise was designed to fill that gap. It was going to make her team aware of the attack patterns and improve their incident response mechanisms, ensuring that they could quickly and effectively mitigate such incidents in the future.

First, an internal red team member plays the role of an attacker who successfully exploits a vulnerability in a web server that has been intentionally left vulnerable as part of the exercise.
The attacker then uses this initial intrusion point to install a backdoor, allowing them to return to the system at any time.
Through the backdoor, the attacker employs lateral movement techniques to gain access to parts of the network not directly connected to the initial intrusion point.
They use credential dumping to gain legitimate login details, allowing them to blend in with normal network traffic and making detection more difficult.
The attacker aims to reach a sensitive server containing proprietary information of the company.
Meanwhile, the defense team (blue team) uses the security tools and their knowledge to identify the unusual activities and patterns from the logs.
They correlate the information across various security tools, launch an investigation and isolate the compromised systems.
Afterward, the team aims to remove the access of the red team member by patching the exploited vulnerability and changing compromised credentials.
At the end of the exercise, both teams meet and review the activities and lessons learned from the exercise.