Lateral Movement: When Cyber Attacks Go Sideways

Lateral Movement Gives Attackers Additional Points of Control in a Compromised Network

Finding and stopping cyber attacks has become a key priority for everyone from the C-suite all the way to the frontline security and network administrator. Organizations are learning the hard way that preventative controls will never be 100% perfect, and today’s security teams are increasingly judged on their ability to keep a network intrusion from turning into data loss.

As a result, the ability to quickly and reliably detect lateral movement in the network is one of the most important emerging skills in information security today. Lateral movement refers to the various techniques attackers use to progressively spread through a network as they search for key assets and data.

In many ways, the lateral movement attack phase represents the biggest difference between today’s strategic, targeted attacks and the simplistic smash-and-grab attacks of the past. Let’s take a deeper look at lateral movement and how to use this information in your daily security practice.

Cutting through the noise

Modern networks are typically inundated with security events, and it’s easy to burn through your day chasing down policy violations, investigating anomalies, or analyzing an executable that turns out to be adware.

However, the presence of lateral movement should quickly move to the top of the priority list because it is a clear indicator of a threat that is attempting to extend its reach into the network.

In most cases, attackers must move from device to device and gain access privileges to get to the high-value data inside the network. In addition to digging deeper into the network, lateral movement gives attackers additional points of control in a compromised network.

These fallback positions allow attackers to maintain persistence if they are discovered on an initially infected machine. This makes lateral movement highly strategic to an attacker, and one of the clearest differentiators between a targeted attack and a commodity threat.

Taking the defensive high ground

While lateral movement is strategic to attackers, there are important advantages for the defenders as well. For example, lateral movement is one of the phases in which attackers do not control both ends of the connection. When attackers control both ends of a connection, such as with command-and-control or exfiltration traffic, they have an incredible amount of flexibility and ways to hide their traffic.

But lateral movement puts attackers in a more traditional position of having an attacking node and a target. This one-sided approach forces attackers to reveal themselves, and provides a great opportunity for security to detect the threat.

Of course, this requires security teams to look in the right places and for the right things. Lateral movement may involve straightforward attacks where cybercriminals scan for vulnerable hosts to exploit.

Furthermore, attackers can pivot between compromised hosts to bounce deeper into the network. This process of performing internal reconnaissance and passing payloads to successive hosts is often a clear indicator of lateral movement in the network.

The human element

When thinking of intrusions and APTs, it is easy to focus on malware. Nonetheless, as attacks become more advanced, they almost always contain a strong human element, and this is especially true in the case of lateral movement.

For all of the abuse dished out to the antivirus industry over the years, modern AV products are actually quite adept at recognizing the automated spreading of traditional malware, such as worms.

Furthermore, strategic attacks typically have a creative human at the helm of an attack to properly (and quietly) navigate the internal network to find the truly valuable data. This means attackers need real-time remote control over network devices to make lateral movement successful.

This can take the form of remote desktop tools, or of the more specialized remote administration tools (RATs) that give fine-grained control over the compromised host. As a result, security professionals should keep a very close eye on the behavioral nature of their traffic.

The behavior of an external party controlling an internal host is something that network traffic analysis tools can quickly recognize, and this behavior tied to any sort of internal reconnaissance or other suspicious activity should be an immediate red flag.

Additionally, lateral movement actions often eschew malware in favor of stealing or reusing a valid user’s credentials. Needless to say, impersonating a valid user gives attackers a quieter and subtler way to spread through a network than directly exploiting multiple machines.

As a result, it’s critically important for security professionals to build up the internal network intelligence that can recognize the tell-tale signs when credentials are abused or abnormally used.
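The two signals the article singles out, a compromised host fanning out to many internal targets during reconnaissance or pivoting, and a single set of credentials suddenly authenticating to many hosts, can be detected with the same sliding-window logic. The script below is an added example written for this page, not code from the article or from any product it describes. The log format, host and account names, the five-minute window and the threshold of five distinct destinations are all constructed assumptions; in a real deployment the events would come from firewall, NetFlow or authentication logs and the thresholds would be tuned against a baseline of known scanners and admin jump hosts.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data); one event per line:
# "<ISO timestamp> <src_host> <dst_host> <user> <event_type>"
# ws-09 / svc_backup sweep six workstations in ten seconds; alice and bob
# are ordinary users touching one or two servers.
SAMPLE_LOG = """\
2023-03-01T09:00:01 ws-17 fileserver-1 alice logon
2023-03-01T09:00:05 ws-17 fileserver-1 alice smb
2023-03-01T09:01:10 ws-42 fileserver-1 bob logon
2023-03-01T09:02:00 ws-42 printer-2 bob smb
2023-03-01T09:30:00 ws-09 ws-10 svc_backup logon
2023-03-01T09:30:02 ws-09 ws-11 svc_backup logon
2023-03-01T09:30:04 ws-09 ws-12 svc_backup logon
2023-03-01T09:30:06 ws-09 ws-13 svc_backup logon
2023-03-01T09:30:08 ws-09 ws-14 svc_backup logon
2023-03-01T09:30:10 ws-09 ws-15 svc_backup logon
2023-03-01T10:15:00 ws-42 fileserver-1 bob smb
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, user, kind = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src_host": src,
            "dst_host": dst,
            "user": user,
            "event": kind,
        })
    return events


def detect_fanout(events, key_field, window=timedelta(minutes=5), threshold=5):
    """Flag every key (a source host for reconnaissance/pivoting, or an
    account for credential abuse) that reaches at least `threshold` distinct
    destination hosts within any `window`-long span of its own events.

    Returns {key: sorted list of distinct destinations in the first window
    that crossed the threshold}.
    """
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev[key_field]].append(ev)

    alerts = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        # Slide a window starting at each event of this key.
        for i, start in enumerate(evs):
            seen = set()
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                seen.add(ev["dst_host"])
            if len(seen) >= threshold:
                alerts[key] = sorted(seen)
                break  # one alert per key is enough for triage
    return alerts


EVENTS = parse_log(SAMPLE_LOG)
# Signal 1: a host fanning out to many internal targets (internal recon / pivoting).
RECON_ALERTS = detect_fanout(EVENTS, "src_host")
# Signal 2: one credential used against many hosts (credential reuse / abuse).
CRED_ALERTS = detect_fanout(EVENTS, "user")

if __name__ == "__main__":
    for host, targets in RECON_ALERTS.items():
        print(f"[recon] {host} reached {len(targets)} hosts: {', '.join(targets)}")
    for user, targets in CRED_ALERTS.items():
        print(f"[creds] {user} authenticated to {len(targets)} hosts: {', '.join(targets)}")
```

Keying the same function once by source host and once by account is deliberate: an attacker who pivots through several footholds with a stolen account may stay under the per-host threshold while still tripping the per-account one, and vice versa. Both alerts name the destination set, which is what the responder needs to decide which hosts to isolate first.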

Lateral movement will continue to be of strategic importance to the overall success of attacks. And as attackers get better at low-and-slow intrusions, their lateral movement skills will evolve and improve over time.

Consequently, the detection of these malicious techniques will provide highly valuable ways to identify the highest-risk threats, and create ample opportunities to disrupt attacks before assets are damaged or stolen.
