<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">
Curious about how StrongDM works? 🤔 Learn more here!
Search
Close icon
Search bar icon

What Is Lateral Movement? (And How to Detect & Prevent It)

Lateral movement techniques are a sophisticated and increasingly common way threat actors infiltrate and gain control of networks. In this article, we’ll review what lateral movement is, how it works, and how to protect against attacks. You’ll also learn about lateral movement paths, how to identify them, and steps you can take to improve your security posture against lateral movement techniques.

What is Lateral Movement?

Lateral movement is when an attacker gains initial access to one part of a network and then attempts to move deeper into the rest of the network — typically via remote desktop tools or remote administration tools (RATs).

Penetrating the security perimeter is considered a vertical movement (moving from the outside in). But once a bad actor has a foothold in your network, they can move through the network’s systems and machines horizontally—i.e., laterally—along what are called lateral movement paths (LMPs).

Lateral Movement Paths (LMPs)

LMPs are the steps an attacker takes to navigate your network and gain additional access to secure data.

There are numerous LMPs an attacker can use to gain further access to a network. And the risk created by LMPs grows as the organization grows. In other words, the more users join the network, the more logged-in sessions there are (which can be easily overlooked), and the more local administrator privileges are introduced to the network hierarchy.

Some of the most common methods of attack, such as credential theft and Pass the Ticket attacks, involve exploiting non-sensitive machines that share stored log-in credentials with sensitive machines. The non-sensitive machines essentially provide a bridge to the high-value, sensitive data attackers are interested in. In fact, research estimates that 85% of breaches involved a human element and, relatedly, that phishing and ransomware attacks went up by 11% and 6%, along with a 15-fold increase in misrepresentations to acquire credentials.

Lateral movement allows the attacker to retain access and avoid detection even if they’re discovered on the first infected machine.

How bad actors navigate LMPs

Step 1: Reconnaissance

After an attacker gets a foothold in the network, the next step is to perform internal reconnaissance to understand where they are in the network and what the structure looks like. During this stage, the attacker observes and maps the network, as well as its users and devices. With this information, they can uncover host naming conventions and hierarchies, identify operating systems and firewalls, and make strategic decisions about where to go next.

Step 2: Privilege Escalation

To infiltrate and move through a network, the attacker needs login credentials. They will then use those credentials to access and compromise other hosts, moving from device to device and escalating their privileges along the way—eventually gaining control of their target, such as a domain controller, a critical system, or sensitive data.

Stealing credentials is called credential dumping. Often, attackers will use social engineering tactics like phishing to trick users into sharing their credentials.

Step 3: Expanding access

By collecting credentials, the attacker can impersonate a user and gain what appears to be legitimate access to more hosts and servers. These steps can be repeated until the attacker gains access to their ultimate target and can exfiltrate data or sabotage key systems.

Lateral movement enables an attacker to maintain persistence within the network—even if one compromised device is discovered by the security team, the attacker has extended their presence across other devices, making it more difficult to eradicate them from the network.

That is why it is so important for security teams to understand and identify the potential LMPs within their networks.

Lateral Movement Detection

You already have security measures to keep bad actors out of your network. But what happens if they get past your perimeter defenses?

Today, security teams must move faster than ever to detect and eliminate threats. The average breakout time (the time it takes threat actors to move from initial access to lateral movement) fell by 67% over the past year—with more than one-third of adversaries breaking out in less than 30 minutes.

And once an attacker gains access to your network and secures valid credentials, it can be difficult to detect their movement because it can appear to be normal network traffic. In order to detect (and ultimately protect against) lateral movement, security teams need to know how adversaries can propagate within their systems and identify which critical assets they can reach.

Easier said than done.

Effectively detecting lateral movement in your network will typically require a combination of approaches, including mapping your LMPs and conducting real-time monitoring and investigation.

Mapping LMPs

Identifying potential LMPs within your network puts you a step ahead of would-be attackers. This includes reviewing your network infrastructure and organizational hierarchy to uncover weaknesses—i.e., connections between non-sensitive and sensitive data, devices, or systems.

For instance, if you have one or more non-sensitive users with local admin privileges on a CFO’s laptop, that represents a vulnerable LMP. Once you map those potential pathways, you can take steps to reinforce, isolate, and secure those connections.

Monitoring and alerts

Because lateral movement involves remote control operated by a human (and not a machine), network traffic analysis tools can be programmed to quickly recognize suspicious behavior like attempts at internal reconnaissance.

Implement real-time monitoring to collect, normalize, and correlate data across your network and alert you to suspicious activity. Aggregating alerts will allow you to observe the progression and compounding activity of a threat—helping you zero in on real threats faster.

Investigation and behavioral analysis

In addition to monitoring and identifying LMPs, conduct regular behavioral analysis to investigate and surface any unusual activity in your network.

User and entity behavior analysis (UEBA) uses machine learning to identify patterns of behavior for each user, define the baseline (normal activity), and determine the significance of any activity that deviates from the norm. Understanding these pattern deviations can help you uncover suspicious activity and provide the evidence needed to support further investigation.

How to Prevent Lateral Movement and Improve Your Defensive Posture

Reducing the time it takes to detect and respond to a threat is key to limiting the damage (and costs) of lateral movement attacks. Enhance your security posture and prevent lateral movement across your network by taking the following steps:

  • Evaluate your security strategy and ensure it includes both preventative solutions that stop intrusions in their tracks as well as detection and response solutions to automatically identify threats.

  • Update your endpoint security solution. Many organizations still use legacy and standard security measures that are easily bypassed and compromised. Upgrade to a modern, comprehensive security solution that can detect and respond to threats faster.
  • Separate functional duties (e.g., separate user and admin accounts) to minimize connections between sensitive and non-sensitive data.

  • Enforce the Principle of Least Privilege (PoLP) that limits permissions to only those who need it. This reduces the number of people who can access sensitive data, thus reducing your attack surface.

  • Implement network segmentation to isolate sensitive data from each other and prevent lateral movement outside the segment. That way an intrusion can be contained to one segment of your network, limiting the scope of the potential damage.

  • Use multi-factor authentication (MFA) to validate user identities and make it harder for adversaries to access credentials. MFA adds an extra step (or two more) to the validation process, reducing the speed and ability of attackers to gain access to logins.

  • Limit unnecessary lateral communications. Unfiltered peer-to-peer communications introduce major vulnerabilities to a network that could allow intruders to create backdoors and spread across your systems. Limit communications with host-based firewall rules that deny the flow of packets from other hosts in the network.

  • Maintain good IT hygiene by regularly updating systems and applying patches. Outdated and unpatched systems are extra vulnerable to attack and can hide threats from detection until it’s too late.

Modernize your network security with StrongDM

Today, a staggering 54% of the techniques and tactics used to execute testing of lateral movement were missed—and 97% of the behaviors executed did not have a corresponding alert generated in the SIEM.

IT teams need comprehensive, modern security solutions that strengthen their defensive posture and stop lateral movement attacks in their tracks.

StrongDM can help.

StrongDM is a software-defined network that helps you

  • Manage robust authorization and authentication.
  • Enforce least privilege for more secure, role-based access controls.
  • Limit your network attack surface.
  • Audit network activity to record and isolate threats.
  • Monitor your network in real-time to spot threats when and where they first occur.

Try StrongDM today.


About the Author

, Technical Evangelist, has had a long 30+ year career in systems engineering and architecture, but has spent the last 13+ years working on the Cloud, and specifically, Cloud Security. He's currently the Technical Evangelist at StrongDM, taking the message of Zero Trust Privileged Access Management (PAM) to the world. As a practitioner, he architected and created cloud automation, DevOps, and security and compliance solutions at Netflix and Adobe. He worked closely with customers at Evident.io, where he was telling the world about how cloud security should be done at conferences, meetups and customer sessions. Before coming to StrongDM, he lead an innovations and solutions team at Palo Alto Networks, working across many of the company's security products.

StrongDM logo
💙 this post?
Then get all that StrongDM goodness, right in your inbox.

You May Also Like

Securing Network Devices with StrongDM's Zero Trust PAM Platform
Securing Network Devices with StrongDM's Zero Trust PAM Platform
Let’s talk about the unsung heroes of your on-premises infrastructure: network devices. These are the routers, switches, and firewalls that everyone forgets about…and takes for granted—until something breaks. And when one of those somethings breaks, it leads to some pretty bad stuff. If your network goes down, that’s bad, bad, bad for business. But if those devices lack the necessary security, well, that can leave you exposed in an incredibly dangerous way.
What Is Zero Trust for the Cloud? (And Why It's Important)
What Is Zero Trust for the Cloud? (And Why It's Important)
Zero Trust cloud security is a cybersecurity model that operates on the principle that no user, device, system, or action should be trusted by default — even if it's inside your organization’s own network. This approach minimizes the risk of breaches and other cyber threats by limiting access to sensitive information and resources based on user roles, device security posture, and contextual factors.
What Is Zero Trust Data Protection?
What Is Zero Trust Data Protection?
Zero Trust Data Protection isn't just the best way to safeguard your data — given today's advanced threat landscape, it's the only way. Assuming inherent trust just because an access request is inside your network is just asking for a breach. By implementing the latest tactics in authentication, network segmentation, encryption, access controls, and continuous monitoring, ZT data security takes the opposite approach.
Simplify Database Authorization with Policy-Based Action Control
Simplify Database Authorization with Policy-Based Action Control
As enterprises continue to modernize their IT environments, the need for a more advanced and adaptable approach to database authorization becomes increasingly apparent. Traditional models, with their reliance on static roles and broad permissions, are no longer sufficient to meet the demands of decentralized, dynamic infrastructures. StrongDM addresses this gap by offering a solution that emphasizes fine-grained, policy-based action control, enabling organizations to manage database access with the precision and flexibility required in today’s complex business environments.
StrongDM Now Delivers Continuous Authorization for Databases Through Fine-Grained Policy-based Action Control
Access is no longer the primary challenge in enterprise security; it's the actions of users that are most aligned with managing risk. By focusing on how actions are authorized, StrongDM is giving customers a more effective approach to enterprise security. Our policy-based action control ensures that, in addition to access, every user action is scrutinized, delivering a higher level of security tailored to meet the complex demands of modern enterprises.