by peter


Lateral Movement Explained


Risk Rating: HIGH
Likelihood: 3/5
Impact: 5/5


  • Lack of internal firewalls and network segmentation
  • Lack of monitoring
  • Poor network management
  • Poor or ineffective vulnerability management
  • Lack of hardening

Lateral Movement Overview

Lateral movement is a technique that adversaries use, after compromising an endpoint, to extend access to other hosts or applications in an organization. Lateral movement helps an adversary maintain persistence in the network and move closer to valuable assets. It can also allow adversaries to gain control of an administrator’s machine and the privileges and data associated with it.

An attacker’s main goal is to access valuable or sensitive information and stealthily exfiltrate or destroy it – while remaining undetected for as long as possible. After the initial compromise, the attacker will learn the network topology, steal credentials, and move laterally by accessing more systems and sensitive data.

What you need to know about Lateral Movement

Lateral movement is hard, if not impossible, for prevention controls to block automatically. Early detection by your Security Team is an essential strategy for shutting down lateral movement. The longer it takes to detect, the more damage is done, resulting in far greater investigation and recovery costs.

Even where organisations collect the data needed to uncover lateral movement, the traditional problem is using it properly. Tools like Security Incident and Event Management (SIEM) can normalise and correlate data, but they are better suited to detecting clear-cut cyber attacks. They are less well suited to profiling activity over time or to accurately detecting the anomalies associated with lateral movement. As a result, their correlation rules raise too many alerts, and most of these alerts are ultimately ignored by Security Operations teams.

XDR agents, such as those used by the Security Operations Center, are specifically designed to quickly and accurately identify attackers as they move through the compromised network.

The XDR agent monitors internal network traffic and endpoint events, and profiles the normal patterns of internal host-to-host communication, application usage, file share usage, credential usage, administrative behaviour, executable and process prevalence, and more. It can also detect common credential theft tools like Mimikatz and techniques like “pass-the-hash”, and it looks for tell-tale signs of compromise on systems, such as lateral movement.

How Lateral Movement attacks happen

Lateral Movement attacks occur after a system or device within your digital world has been compromised. That device (or devices) will have been compromised through an exposed vulnerability, or via the attacker obtaining credentials through credential stuffing, brute force, phishing or a similar attack.

Threat actors may also compromise hosts by installing malicious code on network file shares or manipulating computer logon scripts. Cybersecurity teams can detect these techniques by looking for credential abuse and excessive failed logins. If multiple devices share the same credentials or if a single device logs in to network resources from distinct accounts in a short period of time, an attack may be in progress. If a normal user exhibits administrative behaviour, such as managing remote machines, the user’s machine might be compromised.
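The detection heuristics described above (excessive failed logins, one set of credentials used from several devices, one device authenticating as several accounts in a short period, and a normal user performing remote administration) and the baseline-style profiling mentioned in the XDR section can be expressed as simple sliding-window checks over authentication events. The following is an added example, not code from the original article or from any XDR product: the log line format, thresholds, window sizes and the list of sanctioned admin accounts are all assumptions of the example, and the sample events are constructed.

```python
"""Sliding-window lateral-movement heuristics over constructed auth events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Space-separated fields:
#   timestamp  source_host  target_host  account  result  action_kind
# action_kind is "user" for ordinary access, "admin" for remote administration.
SAMPLE_EVENTS = [
    # Normal activity: alice on her own workstation reaching servers.
    "2024-03-01T09:00:00 ws01 fs01 alice success user",
    "2024-03-01T09:05:00 ws01 mail01 alice success user",
    # Burst of failed logins from ws07 (excessive failed logins).
    "2024-03-01T09:10:00 ws07 fs01 bob failure user",
    "2024-03-01T09:10:05 ws07 fs01 bob failure user",
    "2024-03-01T09:10:10 ws07 fs01 bob failure user",
    "2024-03-01T09:10:15 ws07 fs01 bob failure user",
    "2024-03-01T09:10:20 ws07 fs01 bob failure user",
    # svc_backup used from three different hosts within minutes (shared creds).
    "2024-03-01T10:00:00 ws03 db01 svc_backup success user",
    "2024-03-01T10:01:00 ws04 db01 svc_backup success user",
    "2024-03-01T10:02:00 ws05 db01 svc_backup success user",
    # One host (ws09) authenticating as several accounts in a short period.
    "2024-03-01T11:00:00 ws09 fs01 carol success user",
    "2024-03-01T11:00:30 ws09 fs01 dave success user",
    "2024-03-01T11:01:00 ws09 fs01 erin success user",
    # A regular user managing a remote machine; an admin doing the same is expected.
    "2024-03-01T12:00:00 ws02 ws11 frank success admin",
    "2024-03-01T12:05:00 adm01 ws11 it_admin success admin",
]

ADMIN_ACCOUNTS = {"it_admin"}  # assumed set of sanctioned administrative accounts


def parse_events(lines):
    """Parse the constructed line format into dicts sorted by timestamp."""
    events = []
    for line in lines:
        ts, src, dst, account, result, kind = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "account": account, "result": result, "kind": kind})
    return sorted(events, key=lambda e: e["ts"])


def _windowed_groups(events, key, window):
    """Group events by key and yield every trailing window of length `window`."""
    buckets = defaultdict(list)
    for e in events:
        buckets[key(e)].append(e)
    for k, evs in buckets.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            yield k, evs[start:end + 1]


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Source hosts that produce >= threshold failed logins inside one window."""
    failures = [e for e in events if e["result"] == "failure"]
    return sorted({src for src, evs in _windowed_groups(failures, lambda e: e["src"], window)
                   if len(evs) >= threshold})


def shared_credential_hosts(events, min_hosts=3, window=timedelta(minutes=10)):
    """Accounts used successfully from >= min_hosts distinct hosts in one window."""
    successes = [e for e in events if e["result"] == "success"]
    hits = {}
    for account, evs in _windowed_groups(successes, lambda e: e["account"], window):
        hosts = {e["src"] for e in evs}
        if len(hosts) >= min_hosts:
            hits[account] = sorted(hosts)
    return hits


def multi_account_hosts(events, min_accounts=3, window=timedelta(minutes=10)):
    """Hosts that log in to resources as >= min_accounts distinct accounts in one window."""
    successes = [e for e in events if e["result"] == "success"]
    hits = {}
    for src, evs in _windowed_groups(successes, lambda e: e["src"], window):
        accounts = {e["account"] for e in evs}
        if len(accounts) >= min_accounts:
            hits[src] = sorted(accounts)
    return hits


def unexpected_admin_activity(events, admin_accounts=ADMIN_ACCOUNTS):
    """Non-admin accounts performing remote administrative actions."""
    return sorted({(e["account"], e["src"], e["dst"]) for e in events
                   if e["kind"] == "admin" and e["account"] not in admin_accounts})


def run_detections(lines=SAMPLE_EVENTS):
    """Run all four heuristics and return their findings keyed by name."""
    events = parse_events(lines)
    return {
        "failed_login_bursts": failed_login_bursts(events),
        "shared_credential_hosts": shared_credential_hosts(events),
        "multi_account_hosts": multi_account_hosts(events),
        "unexpected_admin_activity": unexpected_admin_activity(events),
    }


if __name__ == "__main__":
    for name, finding in run_detections().items():
        print(f"{name}: {finding}")
```

Each heuristic is deliberately narrow so that its thresholds can be tuned against a baseline of normal behaviour for the environment; the article's point that correlation rules fire too often applies here too, so in practice the window sizes and thresholds would be derived from observed host-to-host and credential-usage patterns rather than fixed constants.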

Attack Sources

Attacks will occur from already compromised systems within your digital world.