Preventing Lateral Movement Attacks in Cybersecurity


What is lateral movement?

Lateral movement refers to the process where an attacker gains access to one system and then uses that initial access to move laterally across the network to other systems and steal sensitive information.

Why is this important?

Lateral movement is dangerous to a business because:

  • It allows attackers to bypass traditional perimeter security measures, making it easier to access sensitive data.
  • It puts confidential business information, financial information, and sensitive government data at risk of theft.
  • A successful lateral movement attack can result in significant financial losses, damage to a company's reputation, and loss of trust from clients and customers.

How is a lateral movement attack executed?
A lateral movement attack proceeds through several stages:
  • Initial Access: The attacker gains access to a system, typically through methods such as phishing, malware, or unpatched vulnerabilities.
  • Discovery: The attacker scans the network to identify other systems and gather information about the network's structure and users.
  • Privilege Escalation: The attacker then tries to elevate their privileges to administrative-level access on the systems they have identified.
  • Lateral Movement: With higher privileges, the attacker can move laterally across the network, accessing systems and data that would otherwise be restricted.
  • Data Exfiltration or Encryption: The attacker steals sensitive data and removes it from the network, or encrypts the data for ransom.

The attacker may repeat these stages multiple times, accessing more systems and stealing more data with each iteration. It is important to note that lateral movement attacks can take place over extended periods of time, allowing the attacker to go undetected while they gather information and steal data.

How do you prevent lateral movement attacks?
The standard advice is to implement multi-factor authentication, access control measures, and network segmentation to stop lateral movement and protect your network. Multi-factor authentication requires users to provide multiple forms of identification before accessing the network, such as passwords and biometrics. Access control measures limit what users can do on the network. Network segmentation divides your network into smaller, isolated segments, making it more difficult for an attacker to move laterally across the network and steal sensitive data.
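The effect of network segmentation on lateral movement can be measured as a "blast radius": the set of hosts reachable from one compromised machine by chaining permitted flows. The following is an added example, not code from the original page or from Cipherise; the host names, segment names and allow rules are constructed for illustration, and the model assumes the worst case in which every reachable host can be compromised in turn.

```python
from collections import deque

# Constructed sample inventory: host -> segment (all names are hypothetical).
HOSTS = {
    "ws-01": "workstations", "ws-02": "workstations",
    "web-01": "dmz", "app-01": "app", "db-01": "data", "dc-01": "identity",
}

# Constructed allow-list of segment-to-segment flows; anything absent is denied.
SEGMENTED = {("workstations", "dmz"), ("dmz", "app"), ("app", "data")}

def flat_policy(hosts):
    """Flat network: every segment may talk to every other segment."""
    segs = set(hosts.values())
    return {(a, b) for a in segs for b in segs}

def reachable(start, hosts, allowed, intra_segment=True):
    """Hosts reachable from `start` by chaining allowed flows (breadth-first).

    intra_segment=False models per-host isolation inside a segment, so peers
    in the same segment cannot talk to each other directly.
    """
    seen, queue = {start}, deque([start])
    while queue:
        src = queue.popleft()
        for dst, dst_seg in hosts.items():
            if dst in seen:
                continue
            same = hosts[src] == dst_seg
            cross_ok = (hosts[src], dst_seg) in allowed
            if (same and intra_segment) or (not same and cross_ok):
                seen.add(dst)
                queue.append(dst)
    return seen - {start}

if __name__ == "__main__":
    print("flat:     ", sorted(reachable("ws-01", HOSTS, flat_policy(HOSTS))))
    print("segmented:", sorted(reachable("ws-01", HOSTS, SEGMENTED)))
    print("isolated: ", sorted(reachable("ws-01", HOSTS, SEGMENTED, False)))
```

Even with segmentation, the permitted workstation-to-DMZ-to-app-to-data chain leaves the database inside the blast radius, which is why segmentation is paired with access control and MFA on each hop.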

What’s unique about Cipherise?
Cipherise is different because it prevents lateral movement by:

Enabling mutual zero trust MFA on every engagement. This means we cryptographically sign each user and each system with its own set of decentralised public and private key pairs for each and every service.  

If an attack were successful, the business impact is limited: the attacker only gets access to one session for one user and one system, not all users and all systems. An attacker can't even do a replay attack.

For a non-technical board member, it means that Cipherise has contained the attacker, so they can’t get out.

In addition, decentralised means that Cipherise never captures or stores any secrets; they stay with the end user, on the hardware security module of their phone.

The events you unfortunately see with other providers losing client details are impossible with Cipherise. Cipherise never had credentials to start with. Cipherise can’t lose what it doesn’t have!

Cipherise’s design simplifies the user experience because, at the simplest level, all the user sees is a QR code, which the entire population is familiar with in a post-Covid world.

The genius behind Cipherise is the decentralisation and zero trust model. For the end user, it means that a phishing attack against them fails. There is no credential to harvest, disarming the phishing process by design. An unauthorised account can’t access your site because the cryptography is entangled between the end user and your service. Cipherise has worked out the entanglement, making passwords irrelevant. We’re just the folks who worked this out and patented it. Welcome to the next generation of user experience, privacy for users, and risk reduction for boards.

You're welcome!