Phishing attacks against organizations can be divided into two types – those targeting lots of people in the organization and those targeting only a select group or even an individual, also known as spear phishing.
The problem with attacking lots of people is that it tends to be noticed, and success is a game of percentages.
Spear phishing, on the other hand, is a lot more work. But when it succeeds, it often snares a victim who has higher privileges. Spear phishing depends on two principles: selective targeting and some degree of social engineering. It’s the combination that makes it so dangerous.
For example, a generic phishing attack might ask a user to reset their Microsoft 365 account credentials. A spear phishing attack, on the other hand, will make the same request but include the target’s name and business unit, mimicking the language of a genuine password reset request from that organization. Anyone can be fooled some of the time.
Lateral movement is the technique of turning a low-value compromise of a network or cloud environment into a foothold from which to reach high-value resources deeper inside it. Or, if you like, moving sideways to great effect (also known as a horizontal kill chain).
For defenders, this is a huge problem. Perimeter network defense has evolved to keep people out, not to stop them once they are in.
In an Active Directory context, the purpose of lateral movement is to hunt for new Active Directory credentials (especially the domain administrator) through which to increase privileges and spread.
These can be contained with least privilege, zero-trust authentication, limits on local accounts with admin access, and network segmentation with separate domain controllers for each segment.
See also: Active Directory Insider Threats.
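The "spread" described above leaves a trace defenders can look for: one account logging on remotely to many different hosts in a short time. The following Python script is an added example, not part of the glossary page, and the logon records in it are constructed to look like the fields of Windows Security event 4624 (successful logon); the field names, the 10-minute window and the four-host threshold are assumptions chosen for illustration, not values from the page.

```python
"""Flag accounts that fan out across many hosts in a short time, a simple
lateral-movement heuristic over Security event 4624 records.
Added example; the event records below are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types that mean the account reached the host over the network:
# 3 = network logon (SMB, admin shares, WinRM), 10 = RemoteInteractive (RDP).
REMOTE_LOGON_TYPES = {3, 10}

# Constructed sample events (field names are an assumption of this example).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:05", "event_id": 4624, "logon_type": 3,  "account": "CORP\\jsmith",    "host": "FS01"},
    {"time": "2024-05-01T09:00:40", "event_id": 4624, "logon_type": 3,  "account": "CORP\\jsmith",    "host": "FS02"},
    {"time": "2024-05-01T09:01:10", "event_id": 4624, "logon_type": 10, "account": "CORP\\jsmith",    "host": "WS-HR-07"},
    {"time": "2024-05-01T09:01:55", "event_id": 4624, "logon_type": 3,  "account": "CORP\\jsmith",    "host": "DC01"},
    {"time": "2024-05-01T09:02:20", "event_id": 4624, "logon_type": 3,  "account": "CORP\\jsmith",    "host": "SQL01"},
    {"time": "2024-05-01T09:03:00", "event_id": 4624, "logon_type": 2,  "account": "CORP\\alee",      "host": "WS-FIN-03"},  # local console logon, ignored
    {"time": "2024-05-01T09:05:00", "event_id": 4624, "logon_type": 3,  "account": "CORP\\alee",      "host": "FS01"},
    # A backup service account touches four file servers, but spread over an hour.
    {"time": "2024-05-01T14:00:00", "event_id": 4624, "logon_type": 3,  "account": "CORP\\backupsvc", "host": "FS01"},
    {"time": "2024-05-01T14:20:00", "event_id": 4624, "logon_type": 3,  "account": "CORP\\backupsvc", "host": "FS02"},
    {"time": "2024-05-01T14:40:00", "event_id": 4624, "logon_type": 3,  "account": "CORP\\backupsvc", "host": "FS03"},
    {"time": "2024-05-01T15:00:00", "event_id": 4624, "logon_type": 3,  "account": "CORP\\backupsvc", "host": "FS04"},
]


def find_fan_out(events, window=timedelta(minutes=10), min_hosts=4):
    """Return one alert per account that logged on remotely to at least
    `min_hosts` distinct hosts inside any interval of length `window`.
    The alert records the start of the first window that crossed the threshold."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["event_id"] != 4624 or ev["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        by_account[ev["account"]].append((datetime.fromisoformat(ev["time"]), ev["host"]))

    alerts = []
    for account, logons in by_account.items():
        logons.sort()  # chronological order so each window can start at a logon
        for i, (start, _) in enumerate(logons):
            hosts = {host for t, host in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append({
                    "account": account,
                    "window_start": start.isoformat(),
                    "hosts": sorted(hosts),
                })
                break  # one alert per account is enough to trigger triage
    return alerts


if __name__ == "__main__":
    for alert in find_fan_out(SAMPLE_EVENTS):
        print(f"{alert['account']} reached {len(alert['hosts'])} hosts from "
              f"{alert['window_start']}: {', '.join(alert['hosts'])}")
```

With the defaults, only `CORP\jsmith` is flagged: five hosts, including a domain controller, in a little over two minutes. The backup account reaches four servers too, but an hour apart, so it stays below the threshold; widening the window to two hours would flag it as well, which is the tuning trade-off between catching a fast spread and drowning in noise from legitimate administrative and service accounts.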