Increasing Visibility to Find Signs of Reconnaissance and Lateral Movement

Increasing Visibility to Find Signs of Reconnaissance and Lateral Movement-purple

Establishing an ATP (advanced persistent threat) has long been the goal of cyberattacks. By remaining undetected in the target environment, cyberthreats can lay in wait for more opportunities to cause maximum disruption, access valuable data, or obtain privileged account access.

As the complexity of cyberattacks has risen, so have the sophistication of their common TTPs (techniques, tactics, and procedures) for establishing ATP within and exploiting networked systems.

Two facets play a crucial role in these types of attacks: Reconnaissance and lateral movement.


LIFARS Managed Threat Hunting and Response Service (MTH&R) was designed to help customers uncover adversaries across your Endpoint, Network and SIEM data. Our elite team has decades of combined experience working within their Governmental CSIRT responding and hunting for adversaries from 100’s of attacks, including Ransomware and APT’s.


What is reconnaissance?

Reconnaissance can be considered as an initial stage of and leading to lateral movement in the system. This involves the attacker or malware mapping out the target system, including devices, networked routes, users, etc.

This gives the attacker insight into the network hierarchies and naming conventions as well as to identify the operating system, exploitable hardware/software, high-value targets, security controls, and general intelligence to carry out the attack more efficiently.

Attackers may use a variety of tools, such as open-source port scanners or even compromised built-in system utilities for reconnaissance. Some of the more common tools used are Netstat, IPConfig, ARP Cache, and PowerShell.

What is lateral movement?

The ultimate goal is to spread as far throughout and as deeply within a system or network as possible. Being able to spread infection or illicit access from a single device or user account to other devices, user accounts, or software programs is key to maximizing the opportunity after an initially successful infiltration.

However, just because an attacker has reconnoitered a target system or network, doesn’t mean they have the ability to exploit it, yet. That’s why there’s often an intermediary step involved, called “credential dumping” or “credential hacking.”

Obtaining user credentials is the easiest, least conspicuous, and most effective way to access sensitive systems. In fact, most attacks on businesses today still rely on some form of human error for the initial infiltration. Attackers can use a variety of techniques, such as typosquatting, social engineering, phishing, or even brute-force tactics to try and obtain user credentials.

Mimikatz is a particularly popular malware tool used in tandem with other malicious software to steal cached plaintext passwords or authentication certificates from memory.

A logical next step is to try and escalate privileges by obtaining the credentials of more privileged users.

How to detect and prevent reconnaissance and lateral movement?

The faster and more freely a malicious presence can spread through your network, the more difficult it will be to isolate, remove, carry out digital forensic, and recover from an attack. It will also mean more of your systems will be left vulnerable to attack, data exfiltration, manipulation, or damage/loss.

This is particularly true if an attacker is able to gain administrator privileges

The key to limit and mitigate the damage is to have clear visibility across your systems and to detect anomalous activity as soon as possible. Cutting down on metrics like MTTD (Mean time to detect) and MTTR (mean time to respond) have been proven to lead to significant decreases in the financial loss incurred by an attack.

You can implement these steps to increase your visibility and limit the spread of threats:

Update Your Security Solution: New 0-day exploits and vulnerabilities are still being discovered by the day for both old and new systems. These exploits are typically quickly addressed by original software creators and security patches released with new scheduled/unscheduled updates. It’s crucial that you keep your eyes open for these security advisories and update your systems accordingly. You may also want to look at Security Information and Event Management (SIEM) tools which are made to provide increased security awareness in complex systems.

Proactively Hunt For Threats: Even with a world-class and well-maintained endpoint security solution, your systems are not 100% safe. Sophisticated attacks may also use obfuscating techniques or mimic standard network traffic to avoid automated detection. With the huge number of security threats facing organizations today, threat hunting burnout due to volume and false positives is also a real concern. You need real security experts at hand to immediately investigate any anomalous activity or act on warnings from your endpoint security solutions. This may also involve augmenting your teams with additional SecOps manpower if you’re lacking resources.

As a final thought, you can use these three questions to help you identify shortcomings and improve your systems visibility:

  • What network controls do I have in place to discover and limit device activity?
  • What percentage of my environment is covered by log and endpoint data?
  • How do I track normal and abnormal account activity?