What is Lateral Movement?
Lateral movement refers to the techniques an attacker uses, after gaining initial access, to move deeper into a network in search of sensitive data and other high-value assets. These techniques are a staple of sophisticated attacks such as advanced persistent threats (APTs). From a compromised system the adversary pivots to other hosts and collects sensitive resources along the way, such as mail systems, shared folders, and legitimate credentials, until the intended target is reached. Because each hop is made with valid credentials and ordinary protocols, lateral movement lets a threat actor evade detection and retain access over a dwell time of weeks, or even months, after the initial breach.
What are the Stages of Lateral Movement?
There are three primary stages of lateral movement: reconnaissance (mapping which hosts, services and accounts are reachable from the foothold), credential and privilege gathering (harvesting tokens, passwords and keys, and escalating privileges where possible), and using what was gathered to gain access to other resources in the network.
How Does an Adversary Gain Unauthorized Access to a Kubernetes Cluster?
In a Kubernetes cluster, an attacker typically gains initial access by compromising a pod, for example through a vulnerable application running inside it. Once the pod is compromised, there are three main areas where the attacker can begin reconnaissance and work through the lateral movement stages to learn more about the cluster: the cloud provider metadata service (reachable from the pod network and able to hand out node or instance credentials), the pod's own networking and filesystem (other pods and services it can reach, and anything mounted into it, such as the service account token), and the Kubernetes API server (which accepts that token and, depending on its RBAC permissions, will enumerate pods, secrets and other resources).
Once an attacker secures administrative privileges and gains deeper access into a network, malicious lateral movement can be very difficult to detect because it can appear to be “normal” network traffic. Left undetected, an attacker using lateral movement techniques can cause significant disruption. So it’s essential to find and remove these intruders as quickly as possible to avoid costly losses.
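The three reconnaissance areas above each leave a trace that looks like ordinary traffic on its own but stands out when checked for deliberately. The following Python script is an added example, not code from this page or from Calico/Tigera: it runs three such checks over constructed sample data, a simplified flow log (source pod, destination IP and port, verdict) and a handful of Kubernetes audit events trimmed to the fields used. The pod CIDR (10.244.0.0/16), the fan-out threshold, and the pod and service account names are assumptions chosen for the sample.

```python
"""Flag the three reconnaissance signals of a compromised pod in constructed log data:
egress to the cloud metadata service, fan-out across the pod network, and a service
account token used against the Kubernetes API to enumerate credential-bearing resources.
All sample data below is constructed for this example; none of it is real cluster output."""
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network

CLOUD_METADATA_IP = "169.254.169.254"             # link-local metadata endpoint on AWS, GCP and Azure
POD_CIDR = ip_network("10.244.0.0/16")            # assumption: the cluster's pod network
SCAN_FANOUT_THRESHOLD = 5                          # assumption: distinct in-cluster targets before a pod is flagged
CREDENTIAL_RESOURCES = {"secrets", "serviceaccounts"}  # API resources that hand out credentials

# Constructed flow records: "<src namespace/pod> <dst ip> <dst port> <verdict>"
FLOW_LOG = """\
web/frontend-7d9c 10.244.1.5 8080 allow
web/frontend-7d9c 169.254.169.254 80 allow
web/frontend-7d9c 10.244.1.6 22 deny
web/frontend-7d9c 10.244.1.7 22 deny
web/frontend-7d9c 10.244.1.8 3306 deny
web/frontend-7d9c 10.244.2.3 6379 allow
web/frontend-7d9c 10.244.2.4 5432 deny
web/frontend-7d9c 10.244.2.9 8080 allow
payments/api-5f2a 10.244.3.2 5432 allow
payments/api-5f2a 10.244.3.2 5432 allow
"""

# Constructed Kubernetes audit events, one JSON object per line, reduced to the fields used.
# A cluster-wide list has no objectRef.namespace, exactly as in real audit output.
AUDIT_LOG = """\
{"verb":"get","user":{"username":"system:serviceaccount:web:frontend"},"objectRef":{"resource":"pods","namespace":"web","name":"frontend-7d9c"},"sourceIPs":["10.244.1.4"]}
{"verb":"list","user":{"username":"system:serviceaccount:web:frontend"},"objectRef":{"resource":"secrets"},"sourceIPs":["10.244.1.4"]}
{"verb":"list","user":{"username":"system:serviceaccount:web:frontend"},"objectRef":{"resource":"pods"},"sourceIPs":["10.244.1.4"]}
{"verb":"get","user":{"username":"system:serviceaccount:payments:api"},"objectRef":{"resource":"configmaps","namespace":"payments","name":"api-config"},"sourceIPs":["10.244.3.1"]}
"""


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, dst_ip, dst_port, verdict = line.split()
            flows.append({"src": src, "dst_ip": dst_ip, "dst_port": int(dst_port), "verdict": verdict})
    return flows


def parse_audit(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_metadata_access(flows):
    """Credential gathering: a pod reaching the cloud metadata service at all is suspicious."""
    return [{"stage": "credential gathering", "signal": "cloud metadata service reached",
             "actor": f["src"], "detail": f"{f['dst_ip']}:{f['dst_port']}"}
            for f in flows if f["dst_ip"] == CLOUD_METADATA_IP]


def detect_pod_network_scan(flows, threshold=SCAN_FANOUT_THRESHOLD):
    """Reconnaissance: one source fanning out to many distinct in-cluster ip:port targets.
    Denied flows are counted too, since a scan mostly hits closed ports."""
    targets = defaultdict(set)
    for f in flows:
        if ip_address(f["dst_ip"]) in POD_CIDR:
            targets[f["src"]].add((f["dst_ip"], f["dst_port"]))
    return [{"stage": "reconnaissance", "signal": "pod network fan-out",
             "actor": src, "detail": f"{len(t)} distinct targets"}
            for src, t in targets.items() if len(t) >= threshold]


def detect_api_credential_harvest(events):
    """A service account token reading credential-bearing resources, or listing cluster-wide."""
    findings = []
    for ev in events:
        user = ev.get("user", {}).get("username", "")
        if not user.startswith("system:serviceaccount:"):
            continue
        ref = ev.get("objectRef", {})
        resource, namespace = ref.get("resource"), ref.get("namespace")
        if resource in CREDENTIAL_RESOURCES and ev.get("verb") in {"get", "list", "watch"}:
            findings.append({"stage": "credential gathering", "signal": f"{ev['verb']} {resource}",
                             "actor": user, "detail": namespace or "cluster-wide"})
        elif ev.get("verb") == "list" and namespace is None:
            findings.append({"stage": "reconnaissance", "signal": f"cluster-wide list of {resource}",
                             "actor": user, "detail": ", ".join(ev.get("sourceIPs", []))})
    return findings


def analyze(flow_text=FLOW_LOG, audit_text=AUDIT_LOG):
    flows, events = parse_flows(flow_text), parse_audit(audit_text)
    return (detect_metadata_access(flows)
            + detect_pod_network_scan(flows)
            + detect_api_credential_harvest(events))


if __name__ == "__main__":
    for finding in analyze():
        print(f"[{finding['stage']}] {finding['actor']}: {finding['signal']} ({finding['detail']})")
```

On the sample data the frontend pod is flagged three times on the network side and API side (metadata egress, seven distinct in-cluster targets, a cluster-wide list of secrets and of pods), while the payments pod, which only talks to its own database and reads a namespaced ConfigMap, produces nothing. The same checks map onto real sources: flow logs from the CNI for the first two, and the API server audit log for the third.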
Detecting and Defending Against Lateral Movement
Fortunately there are effective ways to detect lateral movement in a Kubernetes cluster. Global Alerts, a unique feature in Calico Enterprise, provides advanced threat and lateral movement detection capabilities for Kubernetes workloads in the private and public cloud. With Calico Enterprise Global Alerts, you can quickly identify malicious behavior and significantly reduce dwell time by uncovering this activity in its early stages.
Want to learn more?
Watch this on-demand webinar, Detecting Lateral Movement and Defending Against Attackers, presented by Tigera security threat researcher Garwood Pang.