Cyberattackers progressively move through a network as they search for key data and assets that ultimately fulfill their mission. This is referred to as lateral movement.
When an attacker compromises a cloud asset, usually that machine is not their target, but rather the path to it.
After successful infiltration, they perform reconnaissance—exploring not just that machine, but also its network for information (risks) that might provide them with escalated privileges and access to other assets.
So armed, they then use their gathered information to move from the initially compromised machine across the cloud estate until their mission is fulfilled.
A difference exists between detecting actual lateral movement and detecting the risk of lateral movement.
Existing solutions can detect actual lateral movement, but can’t detect private keys, passwords in shell history, or other information that could be leveraged by an attacker to move laterally on your environment.
Consider the following example. Servers A and B never communicate with one another, but A has a key that allows root access to B.
Existing tools would inform you there is no lateral movement. They would be correct because there is no traffic between the two machines. But they would completely miss an insecurely stored SSH key on server A that provides root access to server B.
This poses a lateral movement risk. For an attacker to stumble upon an insecurely stored key is like finding gold. They now test to learn which machines the key provides access to and voila, they now have access to both A and B.
To prevent an attacker from moving laterally, it’s essential to know where sensitive information, such as insecurely stored keys, is located across your entire cloud environment.
Orca Security scans your entire cloud account in a holistic manner. It peers into each machine’s filesystem for private keys, such as on server A, taking a hash of each found.
It then checks the authorized key configuration across all other assets for public keys. If any are found, such as on server B, Orca calculates hashes and compares the private key hash to find a match. If there is, Orca sends an alert as seen in the image below:
From the image above we see that Orca provides:
Other lateral movement risks Orca finds are:
For another perspective, check out my colleague Patrick Pushor’s presentation below on Lateral Movement Attacks that he presented at the Cobolt.io Sec Talks Virtual Conference.
Keep up to date with everything you need to know about cloud security and our latest research