What is lateral movement?

Lateral movement isn't a feature of every cyberattack, but it can be one of the most damaging cybersecurity threats. This is because lateral movement relies on user credential theft to reach progressively deeper inside a breached network. This type of breach requires a more complex incident response by security teams and typically has a longer response lifecycle than any other infection vector.

Broadly speaking, lateral movement attacks have two parts: an initial breach followed by internal movement. Hackers must first gain access to a network by evading endpoint security. They might use phishing attacks or malware to compromise a device or an application, or gain initial access through an open server port.

After the attackers are inside, they can begin branching out to other areas of the network through these stages of lateral movement:

After they have gained a foothold, attackers map out the network and plan a route to their goal. They look for information on network hierarchies, operating systems, user accounts, devices, databases and apps to understand how these assets are connected. They might also scope out network security controls, then use what they learn to dodge security teams.

When hackers understand the network layout, they can use a variety of lateral movement techniques to reach more devices and accounts. By infiltrating more resources, hackers don't just get closer to their goal, they also make it harder to remove them. Even if security operations remove them from one or two machines, they still have access to other assets.

As hackers move laterally, they try to capture assets and accounts with higher and higher privileges. This act is called "privilege escalation." The more privileges that attackers have, the more they can do within the network. Ultimately, hackers aim to obtain administrative privileges, which allow them to go practically anywhere and do virtually anything.

Hackers combine and repeat lateral movement techniques as needed until they reach their target. Often, they seek sensitive information to collect, encrypt and compress for data exfiltration to an external server. Or they might want to sabotage the network by deleting data or infecting critical systems with malware. Depending upon their ultimate goal, hackers might maintain backdoors and remote access points for as long as possible to maximize damage.

Credential dumping: Hackers will steal the usernames and passwords of legitimate users, then “dump” these credentials onto their own machines. They might also steal the credentials of admins who have recently logged in to the device.

Pass the hash attacks: Some systems transform or “hash” passwords into illegible data before transmitting and storing them. Hackers can steal these password hashes and use them to trick authentication protocols into granting permissions for protected systems and services.

Pass the ticket: Hackers use a stolen Kerberos ticket to gain access to devices and services on the network. (Kerberos is the default authentication protocol used in Microsoft Active Directory.)

Brute force attacks: Hackers break into an account by using scripts or bots to generate and test potential passwords until one works.

Social engineering: Hackers can use a compromised employee email account to launch phishing attacks designed to harvest the login credentials of privileged accounts.

Hijacking shared resources: Hackers can spread malware through shared resources, databases and file systems. For example, they might hijack Secure Shell (SSH) capabilities that connect systems across macOS and Linux operating systems.

PowerShell attacks: Hackers can use the Windows command line interface (CLI) and scripting tool PowerShell to change configurations, steal passwords or run malicious scripts.

Living off the land: Hackers can rely on internal assets that they have compromised rather than external malware in later stages of lateral movement. This approach makes their activities appear legitimate and makes them more difficult to detect.

Advanced persistent threats (APT): Lateral movement is a fundamental strategy for APT attack groups, whose aim is to infiltrate, explore and expand their access across a network for an extended period of time. They often use lateral movement to remain undetected while conducting multiple cyberattacks for months or even years.

Cyber espionage: Because the nature of cyber espionage is to locate and monitor sensitive data or processes, lateral movement is a key capability for cyber spies. Nation-states often hire sophisticated cybercriminals for their ability to move freely inside a target network and perform reconnaissance on protected assets without being detected.

Ransomware: Ransomware attackers conduct lateral movement to access and gain control over many different systems, domains, applications and devices. The more they can capture, and the more critical those assets are to an organization’s operations, the greater the leverage they have when demanding payment for their return.

Botnet infection: As lateral movement progresses, hackers gain control over more and more devices across a breached network. They can connect these devices to create a robot network or botnet. A successful botnet infection can be used to launch other cyberattacks, distribute spam email or scam a broad group of target users.

Because lateral movement can rapidly escalate across a network, early detection is critical for mitigating damage and losses. Security experts recommend taking actions that help distinguish normal network processes from suspicious activities, such as:

Analyze user behavior: Unusually high volumes of user log-ons, log-ons that take place late at night, users accessing unexpected devices or applications, or a surge in failed log-ons can all be signs of lateral movement. Behavioral analytics with machine learning can identify and alert security teams of abnormal user behavior.

Protect endpoints: Vulnerable network-connected devices such as personal workstations, smartphones, tablets and servers are the primary targets of cyber threats. Security solutions such as endpoint detection and response (EDR) and web application firewalls are critical for monitoring endpoints and preventing network breaches in real time.

Create network partitions: Network segmentation can help stop lateral movement. Requiring separate access protocols for different areas of a network limits a hacker’s ability to branch out. It also makes it easier to detect unusual network traffic.

Monitor data transfers: A sudden acceleration of database operations or massive transfers of data to an unusual location could signal that lateral movement is underway. Tools that monitor and analyze event logs from data sources, such as security information and event management (SIEM) or network detection and response (NDR), can help identify suspicious data transfer patterns.

Use multi-factor authentication (MFA): If hackers are successful in stealing user credentials, multi-factor authentication can help prevent a breach by adding another layer of security. With MFA, stolen passwords alone will not provide access to protected systems.

Investigate potential threats: Automated security systems can provide false positives while missing previously unknown or non-remediated cyber threats. Manual threat hunting informed by the latest threat intelligence can help organizations investigate and prepare an effective incident response for potential threats.

Be proactive: Patching and updating software, enforcing least privilege system access, training employees on security measures, and penetration testing can help prevent lateral movement. It's vital to continually address vulnerabilities that create opportunities for hackers.