
What Is Lateral Movement? (And How to Detect & Prevent It)

Lateral movement techniques are a sophisticated and increasingly common way threat actors infiltrate and gain control of networks. In this article, we’ll review what lateral movement is, how it works, and how to protect against attacks. You’ll also learn about lateral movement paths, how to identify them, and steps you can take to improve your security posture against lateral movement techniques.

What is Lateral Movement?

Lateral movement is when an attacker gains initial access to one part of a network and then attempts to move deeper into the rest of the network — typically via remote desktop tools or remote administration tools (RATs).

Penetrating the security perimeter is considered a vertical movement (moving from the outside in). But once a bad actor has a foothold in your network, they can move through the network’s systems and machines horizontally—i.e., laterally—along what are called lateral movement paths (LMPs).

Lateral Movement Paths (LMPs)

LMPs are the steps an attacker takes to navigate your network and gain additional access to secure data.

There are numerous LMPs an attacker can use to gain further access to a network. And the risk created by LMPs grows as the organization grows. In other words, the more users join the network, the more logged-in sessions there are (which can be easily overlooked), and the more local administrator privileges are introduced to the network hierarchy.

Some of the most common methods of attack, such as credential theft and Pass the Ticket attacks, involve exploiting non-sensitive machines that share stored log-in credentials with sensitive machines. The non-sensitive machines essentially provide a bridge to the high-value, sensitive data attackers are interested in. In fact, research estimates that 85% of breaches involved a human element and, relatedly, that phishing and ransomware attacks went up by 11% and 6%, along with a 15-fold increase in misrepresentations to acquire credentials.

Lateral movement allows the attacker to retain access and avoid detection even if they’re discovered on the first infected machine.

How bad actors navigate LMPs

Step 1: Reconnaissance

After an attacker gets a foothold in the network, the next step is to perform internal reconnaissance to understand where they are in the network and what the structure looks like. During this stage, the attacker observes and maps the network, as well as its users and devices. With this information, they can uncover host naming conventions and hierarchies, identify operating systems and firewalls, and make strategic decisions about where to go next.

Step 2: Privilege Escalation

To infiltrate and move through a network, the attacker needs login credentials. They will then use those credentials to access and compromise other hosts, moving from device to device and escalating their privileges along the way—eventually gaining control of their target, such as a domain controller, a critical system, or sensitive data.

Extracting stored credentials from a compromised host is known as credential dumping. Often, attackers will also use social engineering tactics like phishing to trick users into sharing their credentials.

Step 3: Expanding access

By collecting credentials, the attacker can impersonate a user and gain what appears to be legitimate access to more hosts and servers. These steps can be repeated until the attacker gains access to their ultimate target and can exfiltrate data or sabotage key systems.

Lateral movement enables an attacker to maintain persistence within the network—even if one compromised device is discovered by the security team, the attacker has extended their presence across other devices, making it more difficult to eradicate them from the network.

That is why it is so important for security teams to understand and identify the potential LMPs within their networks.

Lateral Movement Detection

You already have security measures to keep bad actors out of your network. But what happens if they get past your perimeter defenses?

Today, security teams must move faster than ever to detect and eliminate threats. The average breakout time (the time it takes threat actors to move from initial access to lateral movement) fell by 67% over the past year—with more than one-third of adversaries breaking out in less than 30 minutes.

And once an attacker gains access to your network and secures valid credentials, it can be difficult to detect their movement because it can appear to be normal network traffic. In order to detect (and ultimately protect against) lateral movement, security teams need to know how adversaries can propagate within their systems and identify which critical assets they can reach.

Easier said than done.

Effectively detecting lateral movement in your network will typically require a combination of approaches, including mapping your LMPs and conducting real-time monitoring and investigation.

Mapping LMPs

Identifying potential LMPs within your network puts you a step ahead of would-be attackers. This includes reviewing your network infrastructure and organizational hierarchy to uncover weaknesses—i.e., connections between non-sensitive and sensitive data, devices, or systems.

For instance, if you have one or more non-sensitive users with local admin privileges on a CFO’s laptop, that represents a vulnerable LMP. Once you map those potential pathways, you can take steps to reinforce, isolate, and secure those connections.
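The CFO-laptop scenario above is really a graph problem: who is local admin on which host, and who has a logon session where. The following Python script is an added example, not StrongDM's own code; it builds that graph from a constructed inventory (every hostname, user and group in it is invented) and searches it for paths from ordinary users to sensitive hosts.

```python
"""Enumerate lateral movement paths (LMPs) in a small, constructed model of a
Windows-style network.  Added example; not StrongDM's code.

All names below are constructed for illustration.  The model has three
inputs a defender can usually pull from the directory and endpoint tooling:
  - GROUPS:       user -> groups it belongs to
  - ADMIN_RIGHTS: host -> principals (users or groups) that are local admins
  - SESSIONS:     host -> users that currently have a logon session there

Control graph: a user controls every host where it (or one of its groups) is
local admin; control of a host exposes the credentials of every user with a
session on it.  Any path from a low-privilege user to a host in SENSITIVE is
an LMP that should be broken, by removing the admin right or by keeping the
privileged session off that host.
"""
from collections import deque

GROUPS = {
    "alice": {"Domain Users", "Helpdesk"},
    "bob": {"Domain Users"},
    "cfo": {"Domain Users", "Finance"},
    "da-admin": {"Domain Users", "Domain Admins"},
}
ADMIN_RIGHTS = {
    "WS-ALICE": {"alice"},
    "WS-BOB": {"bob", "Helpdesk"},      # helpdesk is local admin on bob's box
    "LT-CFO": {"cfo", "Helpdesk"},      # ...and on the CFO's laptop
    "FILE-FIN": {"Finance", "Domain Admins"},
    "DC01": {"Domain Admins"},
}
SESSIONS = {
    "WS-ALICE": {"alice"},
    "WS-BOB": {"bob"},
    "LT-CFO": {"cfo"},
    "FILE-FIN": {"da-admin"},           # a domain admin left a session here
    "DC01": {"da-admin"},
}
SENSITIVE = {"DC01", "FILE-FIN"}


def principals_for(user):
    """A user acts as itself plus every group it belongs to."""
    return {user} | GROUPS.get(user, set())


def admin_hosts(user):
    """Hosts where the user, directly or via a group, is local admin."""
    ids = principals_for(user)
    return sorted(h for h, admins in ADMIN_RIGHTS.items() if admins & ids)


def find_lmps(start_user):
    """Breadth-first search over the control graph.  Nodes are users and
    hosts; edges are user->host (local admin) and host->user (session).
    Returns {sensitive_host: shortest path as a list of node names}."""
    paths = {}
    start = ("user", start_user)
    seen = {start}
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        kind, node = path[-1]
        if kind == "user":
            nexts = [("host", h) for h in admin_hosts(node)]
        else:
            nexts = [("user", u) for u in sorted(SESSIONS.get(node, set()))]
        for nxt in nexts:
            if nxt in seen:
                continue
            seen.add(nxt)
            new_path = path + [nxt]
            if nxt[0] == "host" and nxt[1] in SENSITIVE:
                paths[nxt[1]] = [name for _, name in new_path]
            queue.append(new_path)
    return paths


if __name__ == "__main__":
    for user in ("alice", "bob", "cfo"):
        lmps = find_lmps(user)
        if not lmps:
            print(f"{user}: no path to a sensitive host")
        for host, path in lmps.items():
            print(f"{user} can reach {host}: {' -> '.join(path)}")
```

Running it shows that alice, whose only extra privilege is Helpdesk membership, reaches FILE-FIN through the CFO's laptop and then DC01 through the administrator session left on the file server, while bob reaches nothing. Removing Helpdesk from the laptop's local Administrators group, or keeping domain admins from logging on to FILE-FIN, breaks both paths; that is the "reinforce, isolate, and secure" step applied to a concrete LMP.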

Monitoring and alerts

Because lateral movement involves remote control operated by a human (and not a machine), network traffic analysis tools can be programmed to quickly recognize suspicious behavior like attempts at internal reconnaissance.

Implement real-time monitoring to collect, normalize, and correlate data across your network and alert you to suspicious activity. Aggregating alerts will allow you to observe the progression and compounding activity of a threat—helping you zero in on real threats faster.
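As an added illustration (not StrongDM's code), here is one such correlation rule in Python: it reads constructed network-logon events, keeps a sliding five-minute window per account, and raises a single aggregated alert when an account authenticates to several distinct hosts inside that window. The event format, thresholds and hostnames are assumptions; a real deployment would feed it normalized events from the SIEM.

```python
"""Sliding-window fan-out detection over constructed logon events.
Added example, not StrongDM's code.  Event format, thresholds and hostnames
are assumptions; in practice the input is normalized logon telemetry
(e.g. Windows network logons or SSH accepts) from a SIEM.

Signal: one account authenticating to many *distinct* hosts in a short
window is unusual for a person at a keyboard and typical of internal
reconnaissance or lateral movement.  Alerts are aggregated per account so
the analyst sees the progression instead of many single-event alerts.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed tuning value
DISTINCT_HOST_THRESHOLD = 4     # assumed tuning value

# Constructed sample log: timestamp, account, source IP, destination host,
# logon type (3 = network logon, 2 = interactive at the console).
SAMPLE_LOG = """\
2024-05-01T09:00:01 user=alice src=10.0.1.5 dst=FILE-FIN logon_type=3
2024-05-01T09:01:10 user=bob src=10.0.1.6 dst=WS-BOB logon_type=2
2024-05-01T09:02:00 user=alice src=10.0.1.5 dst=PRINT01 logon_type=3
2024-05-01T09:02:05 user=svc-backup src=10.0.2.9 dst=WS-BOB logon_type=3
2024-05-01T09:02:07 user=svc-backup src=10.0.2.9 dst=LT-CFO logon_type=3
2024-05-01T09:02:09 user=svc-backup src=10.0.2.9 dst=FILE-FIN logon_type=3
2024-05-01T09:02:11 user=svc-backup src=10.0.2.9 dst=DC01 logon_type=3
2024-05-01T09:02:14 user=svc-backup src=10.0.2.9 dst=DC02 logon_type=3
2024-05-01T09:30:00 user=alice src=10.0.1.5 dst=WS-ALICE logon_type=2
2024-05-01T09:31:00 user=alice src=10.0.1.5 dst=FILE-FIN logon_type=3
"""


def parse_line(line):
    """'ts k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts_str, *kvs = line.split()
    event = {"ts": datetime.fromisoformat(ts_str)}
    for kv in kvs:
        key, value = kv.split("=", 1)
        event[key] = value
    return event


def detect_fanout(lines, window=WINDOW, threshold=DISTINCT_HOST_THRESHOLD):
    """Return {account: alert} for accounts that touched >= threshold
    distinct hosts within any `window`.  Only network logons (type 3)
    count: an interactive logon to the user's own machine is expected."""
    recent = defaultdict(deque)     # account -> deque of (ts, dst)
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("logon_type") != "3":
            continue
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["dst"]))
        while q and ev["ts"] - q[0][0] > window:   # expire old events
            q.popleft()
        hosts = {dst for _, dst in q}
        if len(hosts) >= threshold:
            # One alert per account; later hits extend it rather than re-fire.
            alert = alerts.setdefault(
                ev["user"], {"first": q[0][0], "src": ev["src"], "hosts": set()})
            alert["hosts"].update(hosts)
            alert["last"] = ev["ts"]
    return alerts


if __name__ == "__main__":
    for account, a in detect_fanout(SAMPLE_LOG.splitlines()).items():
        span = (a["last"] - a["first"]).total_seconds()
        print(f"ALERT {account} from {a['src']}: {len(a['hosts'])} hosts "
              f"in {span:.0f}s -> {sorted(a['hosts'])}")
```

On the sample data alice's ordinary file-server and printer logons never trip the rule, while svc-backup, which reaches five hosts in nine seconds, produces one alert that lists every host touched. Tuning is the real work: thresholds have to be set per account class (service and scanner accounts legitimately fan out), and the window has to be short enough to catch breakout times measured in minutes.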

Investigation and behavioral analysis

In addition to monitoring and identifying LMPs, conduct regular behavioral analysis to investigate and surface any unusual activity in your network.

User and entity behavior analysis (UEBA) uses machine learning to identify patterns of behavior for each user, define the baseline (normal activity), and determine the significance of any activity that deviates from the norm. Understanding these pattern deviations can help you uncover suspicious activity and provide the evidence needed to support further investigation.
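A minimal version of the baseline-and-deviation idea, added here as an example and not part of the article or StrongDM's product: it learns, per user, how often each destination host, source address and hour of day appeared during a constructed training week, then scores a new event by how surprising each of its features is under that baseline. The scoring rule, threshold and sample events are assumptions chosen for illustration.

```python
"""Per-user behavioral baseline with deviation scoring (a minimal UEBA-style
check).  Added example, not StrongDM's code; events, scoring and threshold
are constructed assumptions.

For each user the baseline counts how often each destination host, source
IP and hour of day occurred in a training period.  A new event is scored
by summing, over those features, -ln of the Laplace-smoothed frequency of
its value: common values add almost nothing, never-seen values add a lot.
"""
import math
from collections import Counter, defaultdict
from datetime import datetime

FEATURES = ("dst", "src", "hour")
ALERT_THRESHOLD = 6.0   # assumed tuning value


def parse(line):
    """'ts k=v k=v ...' -> dict; adds 'ts' (datetime) and 'hour' (str)."""
    ts_str, *kvs = line.split()
    ev = dict(kv.split("=", 1) for kv in kvs)
    ev["ts"] = datetime.fromisoformat(ts_str)
    ev["hour"] = str(ev["ts"].hour)
    return ev


def build_baseline(lines):
    """user -> {'n': event count, feature -> Counter of observed values}."""
    baseline = defaultdict(lambda: {"n": 0, **{f: Counter() for f in FEATURES}})
    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        prof = baseline[ev["user"]]
        prof["n"] += 1
        for f in FEATURES:
            prof[f][ev[f]] += 1
    return baseline


def surprise(prof, feature, value):
    """-ln of the Laplace-smoothed probability of `value` for `feature`."""
    counts = prof[feature]
    p = (counts[value] + 1) / (prof["n"] + len(counts) + 1)
    return -math.log(p)


def score_event(baseline, line):
    """Return (total surprise, list of never-seen feature values)."""
    ev = parse(line)
    prof = baseline.get(ev["user"])
    if prof is None:                 # unknown user: nothing to compare against
        return float("inf"), ["unknown user"]
    total, reasons = 0.0, []
    for f in FEATURES:
        total += surprise(prof, f, ev[f])
        if prof[f][ev[f]] == 0:
            reasons.append(f"new {f}={ev[f]}")
    return total, reasons


def is_anomalous(baseline, line, threshold=ALERT_THRESHOLD):
    return score_event(baseline, line)[0] >= threshold


# Constructed training data: five ordinary workdays for alice, always from
# her own workstation, to the finance file server and a printer.
BASELINE_LOG = "\n".join(
    f"2024-04-{day:02d}T{hour:02d}:15:00 user=alice src=10.0.1.5 dst={dst} logon_type=3"
    for day in range(22, 27)
    for hour, dst in ((9, "FILE-FIN"), (11, "PRINT01"), (14, "FILE-FIN"), (16, "FILE-FIN"))
)

NORMAL_EVENT = "2024-04-29T09:20:00 user=alice src=10.0.1.5 dst=FILE-FIN logon_type=3"
ANOMALOUS_EVENT = "2024-04-30T03:05:00 user=alice src=10.0.7.77 dst=DC01 logon_type=3"

if __name__ == "__main__":
    bl = build_baseline(BASELINE_LOG.splitlines())
    for line in (NORMAL_EVENT, ANOMALOUS_EVENT):
        total, reasons = score_event(bl, line)
        flag = "ALERT" if total >= ALERT_THRESHOLD else "ok"
        print(f"{flag} score={total:.2f} {reasons} :: {line}")
```

The normal morning logon scores about 1.8, while a 03:05 logon from an unfamiliar address to a domain controller scores about 9.4 and is reported with the three reasons that drove it (new host, new source, new hour). That reason list is what makes the alert actionable for the follow-up investigation the article calls for; a bare score is not.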

How to Prevent Lateral Movement and Improve Your Defensive Posture

Reducing the time it takes to detect and respond to a threat is key to limiting the damage (and costs) of lateral movement attacks. Enhance your security posture and prevent lateral movement across your network by taking the following steps:

  • Evaluate your security strategy and ensure it includes both preventative solutions that stop intrusions in their tracks and detection and response solutions that automatically identify threats.

  • Update your endpoint security solution. Many organizations still use legacy and standard security measures that are easily bypassed and compromised. Upgrade to a modern, comprehensive security solution that can detect and respond to threats faster.

  • Separate functional duties (e.g., use separate user and admin accounts) to minimize connections between sensitive and non-sensitive data.

  • Enforce the Principle of Least Privilege (PoLP), which limits permissions to only those who need them. This reduces the number of people who can access sensitive data, thus reducing your attack surface.

  • Implement network segmentation to isolate sensitive systems and data from the rest of the network and prevent lateral movement outside the segment. That way an intrusion can be contained to one segment of your network, limiting the scope of the potential damage.

  • Use multi-factor authentication (MFA) to validate user identities and make it harder for adversaries to access credentials. MFA adds an extra step (or two) to the validation process, reducing the speed and ability of attackers to gain access to logins.

  • Limit unnecessary lateral communications. Unfiltered peer-to-peer communications introduce major vulnerabilities to a network that could allow intruders to create backdoors and spread across your systems. Limit communications with host-based firewall rules that deny the flow of packets from other hosts in the network.

  • Maintain good IT hygiene by regularly updating systems and applying patches. Outdated and unpatched systems are especially vulnerable to attack and can hide threats from detection until it’s too late.

Modernize your network security with StrongDM

Today, a staggering 54% of the techniques and tactics used to execute testing of lateral movement were missed—and 97% of the behaviors executed did not have a corresponding alert generated in the SIEM.

IT teams need comprehensive, modern security solutions that strengthen their defensive posture and stop lateral movement attacks in their tracks.

StrongDM can help.

StrongDM is a software-defined network that helps you

  • Manage robust authorization and authentication.
  • Enforce least privilege for more secure, role-based access controls.
  • Limit your network attack surface.
  • Audit network activity to record and isolate threats.
  • Monitor your network in real-time to spot threats when and where they first occur.

Try StrongDM today.

About the Author

, Director, Global Customer Engineering, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.
