Malicious lateral movement, the bolt-on topic you shouldn’t forget about in your awareness training

Malicious lateral movement, what is it? Well, for some companies it isn’t even on their radar because everyone is focusing on not getting phished in the first place. But what if your organisation has already been breached? This is where the malicious lateral movement comes in.

Not so long ago, and it’s been a while since we’ve seen it in the wild, but the malware was distributed through social media platforms and its messenger services. Once one person was compromised it spread like wildfire through messenger spamming family and friends.

Lateral phishing is a type of attack that often follows email account takeover. After an attacker has successfully hacked one email account at an organisation, they can use that account to send phishing emails to the victim’s co-workers. Since the emails are sent from an internal account, they’re usually trusted by security filters as well as recipients.

KnowBe4 – Security Awareness Training Blog
After an attacker has successfully hacked one email account at an organisation, they can use that account to send phishing emails to the victim’s co-workers.

If the breach isn’t picked up when entering the network, then chances are, the second phase of the attack is already underway. This is the part of the attack organisations should be worried about because, according to Barracuda, 42% of employees who receive these phishing email from compromised co-workers, don’t report them.

Barracuda says 63% of these attacks involved generic phishing lures that referenced account errors or claimed that a co-worker has shared a document. 30% of the incidents used more targeted templates that were relevant to a corporate environment. In 7% of the attacks, the attackers crafted highly targeted emails that were tailored to the specific organisation. Additionally, some of the attackers would personally interact with their targets.

Barracuda – KnowBe4 blog

A lot of awareness training fails to mention this topic, focusing too much on how to avoid getting phished in the first place. We highly recommend bolting malicious lateral movement to this section of your training using a few simple recommendations on things to look out for:

  • The tone of voice or the urgency behind the email – Does it seem out of character for your co-worker
  • Is it relating to something you’re working together on or random requests
  • Like normal phishing emails, spelling and grammar are important
  • Agree on email rules as an organisation or team. Don’t share files and links in emails, use collaboration platforms like Microsoft Teams or Slack
  • The slightest suspicion on what your reading, simply pick up the phone and double-check
  • Report, report, report

Something we’ve started to recommend to clients, and usually goes down like a lead balloon, is to move away from personal email accounts altogether and only have, or set-up company, or department inboxes. There are a lot of great collaboration tools out there now; Microsoft Teams, Slack, Trello even Discord for a smaller business. This, in turn, helps your system administration and network security teams by reducing the attack surface. Hundreds, even thousands of access routes are closed off and your teams still have a way of communicating and sharing files in a controlled environment.

I could give a ton of examples, but I’ll leave collaboration sites for another day.