


What Is Lateral Movement? (And How to Detect & Prevent It)

Lateral movement is how threat actors turn a single compromised host into control of a network, and it is a stage of nearly every modern intrusion. In this article, we'll review what lateral movement is, how it works, and how to protect against it. You'll also learn about lateral movement paths, how to identify them, and steps you can take to improve your security posture against lateral movement techniques.

What is Lateral Movement?

Lateral movement is when an attacker who has gained initial access to one part of a network then moves deeper into the rest of it, typically by reusing stolen credentials over legitimate remote-access and administration protocols (such as RDP, SMB, WinRM, or SSH) or via remote administration tools (RATs).

Penetrating the security perimeter is considered a vertical movement (moving from the outside in). But once a bad actor has a foothold in your network, they can move through the network’s systems and machines horizontally—i.e., laterally—along what are called lateral movement paths (LMPs).

Lateral Movement Paths (LMPs)

LMPs are the steps an attacker takes to navigate your network and gain additional access to secure data.

There are numerous LMPs an attacker can use to gain further access to a network. And the risk created by LMPs grows as the organization grows. In other words, the more users join the network, the more logged-in sessions there are (which can be easily overlooked), and the more local administrator privileges are introduced to the network hierarchy.

Some of the most common methods of attack, such as credential theft and Pass the Ticket attacks, involve compromising non-sensitive machines that hold cached credentials (password hashes, Kerberos tickets, or saved passwords) for accounts that are also valid on sensitive machines. The non-sensitive machines essentially provide a bridge to the high-value, sensitive data attackers are interested in. In fact, research estimates that 85% of breaches involved a human element and, relatedly, that phishing and ransomware attacks went up by 11% and 6%, along with a 15-fold increase in misrepresentations to acquire credentials.

Lateral movement also lets the attacker retain access even if their presence on the first infected machine is discovered and that machine is cleaned up.

How bad actors navigate LMPs

Step 1: Reconnaissance

After an attacker gets a foothold in the network, the next step is to perform internal reconnaissance to understand where they are in the network and what the structure looks like. During this stage, the attacker observes and maps the network, as well as its users and devices. With this information, they can uncover host naming conventions and hierarchies, identify operating systems and firewalls, and make strategic decisions about where to go next.

Step 2: Privilege Escalation

To infiltrate and move through a network, the attacker needs login credentials. They will then use those credentials to access and compromise other hosts, moving from device to device and escalating their privileges along the way—eventually gaining control of their target, such as a domain controller, a critical system, or sensitive data.

Extracting stored credentials from a compromised host, for example password hashes or Kerberos tickets held in memory or in the registry, is called credential dumping. Attackers also obtain credentials through social engineering tactics like phishing, which trick users into handing them over.

Step 3: Expanding access

By collecting credentials, the attacker can impersonate a user and gain what appears to be legitimate access to more hosts and servers. These steps can be repeated until the attacker gains access to their ultimate target and can exfiltrate data or sabotage key systems.

Lateral movement enables an attacker to maintain persistence within the network—even if one compromised device is discovered by the security team, the attacker has extended their presence across other devices, making it more difficult to eradicate them from the network.

That is why it is so important for security teams to understand and identify the potential LMPs within their networks.

Lateral Movement Detection

You already have security measures to keep bad actors out of your network. But what happens if they get past your perimeter defenses?

Today, security teams must move faster than ever to detect and eliminate threats. The average breakout time (the time it takes threat actors to move from initial access to lateral movement) fell by 67% over the past year, with more than one-third of adversaries breaking out in less than 30 minutes.

And once an attacker gains access to your network and secures valid credentials, it can be difficult to detect their movement because it can appear to be normal network traffic. In order to detect (and ultimately protect against) lateral movement, security teams need to know how adversaries can propagate within their systems and identify which critical assets they can reach.

Easier said than done.

Effectively detecting lateral movement in your network will typically require a combination of approaches, including mapping your LMPs and conducting real-time monitoring and investigation.

Mapping LMPs

Identifying potential LMPs within your network puts you a step ahead of would-be attackers. This means reviewing your network infrastructure and organizational hierarchy for the links that let a non-sensitive account, device, or session reach a sensitive one: local administrator group memberships, cached or shared credentials, and standing logged-in sessions on machines that other users can administer.

For instance, if you have one or more non-sensitive users with local admin privileges on a CFO’s laptop, that represents a vulnerable LMP. Once you map those potential pathways, you can take steps to reinforce, isolate, and secure those connections.
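The LMP idea from the previous section and the mapping exercise just described can be made concrete by treating the environment as a graph: a user who is a local administrator on a host can reach that host, and a logged-in session on a host exposes that user's credentials to whoever administers it. The following is an added example, not code from the original article or from StrongDM; the users, hosts, admin rights, and sessions are constructed, and the helpdesk account with admin rights on the CFO's laptop plays the role of the "non-sensitive user" in the paragraph above.

```python
"""Map lateral movement paths (LMPs) over a constructed inventory.

Added example; it is not code from the original article or from StrongDM.
The users, hosts and rights below are made up. Two edge types are modeled,
matching the text: a user who is a local administrator on a host can reach
that host, and a logged-in session on a host exposes that user's credentials
to anyone who administers the host.
"""
from collections import deque

# Constructed data (assumptions, not a real environment).
# ADMIN_TO[user] = hosts on which the user holds local administrator rights.
ADMIN_TO = {
    "alice": {"WS-ALICE"},
    "bob": {"WS-BOB"},
    "cfo": {"WS-CFO"},
    "helpdesk01": {"WS-ALICE", "WS-BOB", "WS-CFO"},  # non-sensitive account, admin on the CFO's laptop
    "svc_backup": {"FS-01", "DC-01"},
}
# SESSIONS[host] = users with a standing logged-in session on that host.
SESSIONS = {
    "WS-ALICE": {"alice"},
    "WS-BOB": {"bob", "helpdesk01"},
    "WS-CFO": {"cfo", "svc_backup"},  # a backup service account left logged in on the CFO's laptop
    "FS-01": {"svc_backup"},
    "DC-01": set(),
}
SENSITIVE_HOSTS = {"DC-01"}


def build_graph(admin_to, sessions):
    """Directed graph: ("user", u) -> ("host", h) for admin rights,
    ("host", h) -> ("user", u) for credentials exposed by a session."""
    graph = {}
    for user, hosts in admin_to.items():
        graph.setdefault(("user", user), set()).update(("host", h) for h in hosts)
    for host, users in sessions.items():
        graph.setdefault(("host", host), set()).update(("user", u) for u in users)
    return graph


def find_lmp(graph, start_user, sensitive_hosts):
    """Breadth-first search for the shortest path from a user to any sensitive
    host. Returns the list of nodes on the path, or None if no path exists."""
    start = ("user", start_user)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node[0] == "host" and node[1] in sensitive_hosts:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in graph.get(node, ()):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def sessions_to_cut(path):
    """The (host, user) session hops on a path: each one is a credential the
    attacker harvests to take the next step, so each is a remediation point."""
    return [(a[1], b[1]) for a, b in zip(path, path[1:]) if a[0] == "host"]


def exposed_users(graph, users, sensitive_hosts):
    """Every user that has some LMP to a sensitive host."""
    return {u for u in users if find_lmp(graph, u, sensitive_hosts) is not None}


if __name__ == "__main__":
    g = build_graph(ADMIN_TO, SESSIONS)
    for user in sorted(ADMIN_TO):
        path = find_lmp(g, user, SENSITIVE_HOSTS)
        if path is None:
            print(f"{user}: no path to a sensitive host")
        else:
            hops = " -> ".join(name for _, name in path)
            print(f"{user}: {hops}; cut sessions {sessions_to_cut(path)}")
```

Run as a script it prints, for the constructed data, that bob reaches the domain controller in five hops (bob's workstation, the helpdesk session cached there, the CFO's laptop, the backup service session cached there, DC-01), while alice has no path. The `sessions_to_cut` output is the actionable part: removing the helpdesk account's admin rights on ordinary workstations, or keeping the backup service account off the CFO's laptop, breaks the path without touching anything else.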

Monitoring and alerts

Lateral movement, whether hands-on-keyboard or scripted, produces traffic that ordinary workstations rarely generate: workstation-to-workstation SMB or RDP sessions, one account authenticating to many hosts in a short window, or scans of internal ports and shares. Network traffic analysis tools can be tuned to recognize such behavior, including attempts at internal reconnaissance, quickly.

Implement real-time monitoring to collect, normalize, and correlate data across your network and alert you to suspicious activity. Aggregating alerts will allow you to observe the progression and compounding activity of a threat—helping you zero in on real threats faster.

Investigation and behavioral analysis

In addition to monitoring and identifying LMPs, conduct regular behavioral analysis to investigate and surface any unusual activity in your network.

User and entity behavior analysis (UEBA) uses machine learning to identify patterns of behavior for each user, define the baseline (normal activity), and determine the significance of any activity that deviates from the norm. Understanding these pattern deviations can help you uncover suspicious activity and provide the evidence needed to support further investigation.
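The monitoring and alert aggregation described above and the UEBA baselining described here can be shown together on logon events. The following is an added example, not code from the original article or from StrongDM. The log lines are constructed to resemble fields of Windows Security event 4624 (an account was logged on); the host names, users, and thresholds are assumptions chosen for illustration, and the "learning" here is a simple set-membership baseline rather than the machine learning a commercial UEBA product applies.

```python
"""Flag lateral-movement indicators in logon events and aggregate them per user.

Added example; it is not code from the original article or from StrongDM.
The log lines are constructed to resemble fields of Windows Security event
4624 (an account was logged on); host names, users and thresholds are
assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: timestamp,user,src_host,dst_host,logon_type
# Logon types: 2 = interactive, 3 = network (SMB, WinRM), 10 = RemoteInteractive (RDP).
BASELINE_LOG = """\
2024-03-01T09:00:00,alice,WS-ALICE,WS-ALICE,2
2024-03-01T09:05:00,alice,WS-ALICE,FS-01,3
2024-03-01T09:10:00,bob,WS-BOB,FS-01,3
2024-03-01T09:12:00,helpdesk01,JUMP-01,WS-BOB,10
2024-03-02T09:01:00,alice,WS-ALICE,FS-01,3
2024-03-02T09:20:00,helpdesk01,JUMP-01,WS-ALICE,10
"""

# Constructed "live" records: bob's workstation suddenly authenticates to many hosts.
LIVE_LOG = """\
2024-03-05T14:00:00,bob,WS-BOB,FS-01,3
2024-03-05T14:02:00,bob,WS-BOB,WS-ALICE,3
2024-03-05T14:02:30,bob,WS-BOB,WS-CFO,3
2024-03-05T14:03:00,bob,WS-BOB,SQL-01,3
2024-03-05T14:03:20,bob,WS-BOB,DC-01,3
2024-03-05T14:30:00,helpdesk01,JUMP-01,WS-BOB,10
"""


def parse(log):
    """Parse the CSV-style records into dicts with a datetime timestamp."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, ltype = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src_host": src, "dst_host": dst, "logon_type": int(ltype)})
    return events


def build_baseline(events):
    """UEBA-style baseline: the set of destination hosts each user normally reaches."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e["user"]].add(e["dst_host"])
    return dict(baseline)


def detect(events, baseline, fanout_n=4, window=timedelta(minutes=5), ws_prefix="WS-"):
    """Return (kind, user, detail, ts) alerts for three indicators:
    a logon to a host outside the user's baseline, a remote logon from one
    workstation to another, and one account reaching fanout_n distinct hosts
    within `window` (a fan-out typical of internal reconnaissance)."""
    alerts = []
    history = defaultdict(list)  # user -> [(ts, dst_host)]
    for e in events:
        user, ts, dst = e["user"], e["ts"], e["dst_host"]
        if dst not in baseline.get(user, set()):
            alerts.append(("new_destination", user, dst, ts))
        if (e["logon_type"] in (3, 10) and e["src_host"] != dst
                and e["src_host"].startswith(ws_prefix) and dst.startswith(ws_prefix)):
            alerts.append(("workstation_to_workstation", user, f"{e['src_host']}->{dst}", ts))
        history[user].append((ts, dst))
        recent = {d for t, d in history[user] if ts - t <= window}
        if len(recent) == fanout_n:  # fire once, when the threshold is first crossed
            alerts.append(("fanout", user, len(recent), ts))
    return alerts


def summarize(alerts):
    """Aggregate alerts per user so the progression of one actor stands out."""
    summary = defaultdict(lambda: defaultdict(int))
    for kind, user, _detail, _ts in alerts:
        summary[user][kind] += 1
    return {u: dict(k) for u, k in summary.items()}


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    alerts = detect(parse(LIVE_LOG), base)
    for a in alerts:
        print(a)
    print(summarize(alerts))
```

On the constructed data the baseline log produces no alerts, while the live log produces seven, all for bob: four logons to hosts bob never reached before, two workstation-to-workstation network logons, and one fan-out alert when the fourth distinct host is touched inside five minutes. Seen one at a time these could each be a helpdesk task; aggregated per user they read as reconnaissance followed by a hop toward the domain controller, which is the point of correlating alerts rather than triaging them individually.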

How to Prevent Lateral Movement and Improve Your Defensive Posture

Reducing the time it takes to detect and respond to a threat is key to limiting the damage (and costs) of lateral movement attacks. Enhance your security posture and prevent lateral movement across your network by taking the following steps:

  • Evaluate your security strategy and ensure it includes both preventative controls that stop intrusions in their tracks and detection and response capabilities that identify threats automatically.

  • Update your endpoint security solution. Many organizations still rely on legacy, signature-based endpoint protection, which attackers bypass by reusing valid credentials and built-in administration tools rather than dropping recognizable malware. Upgrade to a modern solution that records and responds to behavior, not just known files.

  • Separate functional duties (e.g., separate user and admin accounts, with admin accounts that are never used to log on to ordinary workstations) to minimize connections between sensitive and non-sensitive systems.

  • Enforce the Principle of Least Privilege (PoLP), granting permissions only to those who need them. This reduces the number of accounts that can reach sensitive data, and therefore the number of accounts worth stealing.

  • Implement network segmentation so that sensitive systems sit in their own segments and traffic cannot cross a segment boundary without passing a control point. That way an intrusion can be contained to one segment of your network, limiting the scope of the potential damage.

  • Use multi-factor authentication (MFA) to validate user identities. MFA does not stop credentials from being stolen, but it makes a stolen password alone insufficient for a logon, which slows attackers down and cuts off the simplest lateral movement paths.

  • Limit unnecessary lateral communications. Workstations rarely need to talk to one another, and unfiltered peer-to-peer traffic lets intruders spread from host to host and plant backdoors. Use host-based firewall rules that deny inbound connections from other workstations while still allowing traffic from designated management hosts.

  • Maintain good IT hygiene by regularly updating systems and applying patches. Unpatched internal systems hand an attacker who already has a foothold ready-made exploits for the next hop, and the missing telemetry on outdated systems can hide threats from detection until it is too late.

Modernize your network security with StrongDM

In one test of lateral movement techniques, a staggering 54% of the tactics and techniques executed went unnoticed, and 97% of the behaviors executed produced no corresponding alert in the SIEM.

IT teams need comprehensive, modern security solutions that strengthen their defensive posture and stop lateral movement attacks in their tracks.

StrongDM can help.

StrongDM is a software-defined network that helps you

  • Manage robust authorization and authentication.
  • Enforce least privilege for more secure, role-based access controls.
  • Limit your network attack surface.
  • Audit network activity to record and isolate threats.
  • Monitor your network in real-time to spot threats when and where they first occur.

Try StrongDM today.


About the Author

, Customer Engineering Expert, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.

