What is Lateral Movement?

Lateral movement is a technique that attackers use to move through a network after gaining initial access to a system. Instead of remaining on a single compromised device, attackers pivot to other computers, servers or cloud resources to expand their access, escalate privileges and reach sensitive data or critical infrastructure. This technique is commonly observed in advanced cyber attacks, including ransomware incidents and data breaches, because it enables attackers to increase the scope and impact of an intrusion.

Why do cybercriminals move laterally?

Cybercriminals rarely stop at the first system they compromise. Instead, they use that initial foothold to explore the broader environment and identify more valuable targets within the network. Through this exploration, attackers can better understand how systems are connected and where sensitive data is stored.

Access higher-value systems

Initial access is often gained through lower-value endpoints, such as employee workstations. From there, attackers move laterally to reach systems that store sensitive data, such as databases, file servers or financial systems. These systems often contain information that can be stolen, altered or used to disrupt business operations. By expanding beyond the original entry point, attackers increase the potential impact of a breach and gain access to more critical resources. Reaching higher-value systems also allows attackers to maintain persistence within the network and carry out malicious actions without being immediately detected.

Escalate privileges

Many systems restrict what a standard user account can access. To overcome these limitations, attackers attempt to gain higher levels of permission as they move through the network. This process may involve methods such as exploiting software vulnerabilities or stealing credentials. Privilege escalation allows attackers to take control of additional systems, access restricted data and operate with fewer constraints. With elevated privileges, attackers can bypass security measures, create new accounts or modify systems to strengthen their position within the environment.

Reach domain controllers or critical infrastructure

In enterprise environments, domain controllers and administrative systems play a central role in managing access and authentication. Attackers often target these systems to gain widespread control over the network. Because these systems manage user identities and permissions, compromising them can allow attackers to impersonate legitimate users and move more freely across the environment. At this level of access, attackers may be able to disrupt services or maintain long-term control over systems.

Deploy ransomware or exfiltrate data

When attackers are able to move laterally within a network, they are often approaching the final stage of their attack. After identifying valuable assets, attackers may deploy ransomware across multiple systems or exfiltrate sensitive data. Distributing ransomware across several systems at once can make recovery more difficult and increase pressure on organizations to pay a ransom. By moving laterally first, attackers can maximize disruption and increase the effectiveness of their attack.

Common stages of lateral movement

Lateral movement typically follows a structured progression as attackers expand their access within a network.

Initial compromise

The attack begins when a system is first compromised, which may occur through phishing, the exploitation of vulnerabilities or the use of stolen credentials. This initial foothold provides attackers with a starting point inside the network.

Internal reconnaissance

Once inside, attackers gather information about the environment. This includes mapping the network, identifying high-value systems and discovering user accounts and trust relationships. Information gathered during this step helps attackers determine where to move next and which systems are most valuable.

Credential access

Attackers attempt to obtain valid credentials that allow them to authenticate to other systems. This may involve credential dumping, password harvesting or token theft. Using legitimate credentials helps attackers blend into normal network traffic and avoid triggering security alerts.

Privilege escalation

After gaining access to additional accounts, attackers attempt to increase their level of access by exploiting misconfigurations or abusing service accounts. Higher privileges enable attackers to control more systems, access sensitive resources and perform actions that would normally be restricted.

Lateral pivoting

With elevated access, attackers move between systems within the network. This may include accessing file servers, entering Active Directory environments or reaching domain controllers. In some cases, attackers may also pivot into connected cloud or hybrid environments, extending the scope of the attack.

Objective execution

Once attackers reach their target, they carry out their objective. This may include data exfiltration, ransomware deployment or establishing persistence for continued access.

Common techniques used in lateral movement

Attackers use a variety of techniques to move between systems while minimizing detection:

  • Pass-the-hash: Attackers reuse stolen password hashes to authenticate to other systems without needing the original password. This technique is specific to environments using NTLM authentication and has limited effectiveness where Kerberos is strictly enforced.
  • Pass-the-ticket: Kerberos tickets are used to impersonate legitimate users and gain access to network resources.
  • Remote Desktop Protocol (RDP): Attackers use valid credentials to remotely access systems over RDP, a legitimate remote access protocol that is frequently targeted because it is widely enabled in enterprise environments.
  • Windows Management Instrumentation (WMI): Attackers use this built-in Windows tool to execute commands remotely across systems.
  • PowerShell remoting: This technique allows commands and scripts to be executed on remote machines.
  • SMB exploitation: Attackers leverage file-sharing protocols to move between systems.
  • SSH key theft and session hijacking: In Linux environments, attackers may steal SSH private keys to authenticate to other systems, or abuse SSH agent forwarding to hijack active sessions. These are distinct techniques that both exploit SSH trust relationships.
  • Living-off-the-Land Binaries (LOLBins): Legitimate system tools are used to carry out malicious activity while blending into normal operations.

Why lateral movement is difficult to detect

Lateral movement can be difficult to detect because attackers often rely on legitimate credentials and built-in administrative tools rather than on obvious malicious activity.

As a result, their actions may resemble those of normal users, such as logging into systems or accessing internal resources. This allows attackers to blend into regular network traffic and avoid triggering traditional security alerts.

While understanding how lateral movement works is important, organizations must also be able to detect lateral movement before attackers reach critical systems.

How to prevent lateral movement

Organizations can prevent lateral movement by limiting how easily attackers move between systems after an initial compromise. Effective lateral movement prevention focuses on reducing unnecessary access, controlling network communication and monitoring for suspicious activity.

Enforce least-privilege access

Enforcing least-privilege access is one of the most effective ways to prevent lateral movement. Each user and service account should only have the permissions required for their specific role. This ensures that if a single account is compromised, attackers cannot use it to access systems and resources beyond that account's scope. Organizations should regularly review and adjust these permissions to prevent access from gradually expanding over time.

Segment the network

Network segmentation limits lateral movement by dividing the network into isolated zones, ensuring that a breach in one area does not automatically grant access to others. Microsegmentation strengthens this approach by restricting traffic between individual systems to only the connections that are explicitly required. This forces attackers to overcome additional barriers at each stage, giving security teams more time to detect and respond to lateral movement attempts.

Strengthen authentication controls

Strong authentication controls reduce the risk of lateral movement by making stolen credentials less effective. Multi-Factor Authentication (MFA) adds a layer of verification that prevents attackers from accessing accounts using compromised passwords alone. Organizations should also eliminate shared or default credentials, which are common targets for attackers. For accounts with elevated privileges, a Privileged Access Management (PAM) solution provides additional protection by controlling when and how those accounts are used and ensuring access is revoked when it is no longer needed.

Monitor for anomalous behavior

Even with strong preventive controls in place, organizations need visibility into activity across their systems. Reviewing access logs and using behavioral analytics can help identify unusual patterns, such as an account connecting to systems it has not previously accessed or logging in at unexpected times. Detecting these indicators early allows organizations to contain lateral movement before attackers reach critical systems.
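To make those indicators concrete, the following is an added example, not code from the original article: it builds a per-account baseline of previously reached hosts from constructed logon records, then flags new-host logons, off-hours logons and rapid fan-out from one source to several new hosts. The simplified log format, hostnames, working-hours window and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logon records (not real data): "timestamp user source destination".
BASELINE_LOGS = [
    "2024-03-01T09:05:00 alice WS01 FS01",
    "2024-03-01T09:10:00 alice WS01 MAIL01",
    "2024-03-02T08:55:00 alice WS01 FS01",
    "2024-03-01T10:00:00 svc-backup BK01 FS01",
    "2024-03-02T10:00:00 svc-backup BK01 FS01",
]
NEW_LOGS = [
    "2024-03-10T09:15:00 alice WS01 FS01",        # matches baseline
    "2024-03-10T02:30:00 alice WS01 DC01",        # new host, off-hours
    "2024-03-10T02:31:00 alice WS01 FS02",        # second new host from same source
    "2024-03-10T02:32:00 alice WS01 HR-DB01",     # third new host: fan-out
    "2024-03-10T10:00:00 svc-backup BK01 FS01",   # matches baseline
]

def parse(line):
    ts, user, src, dst = line.split()
    return datetime.fromisoformat(ts), user, src, dst

def build_baseline(lines):
    """Map each account to the destination hosts it has historically reached."""
    seen = defaultdict(set)
    for _, user, _, dst in map(parse, lines):
        seen[user].add(dst)
    return seen

def detect(lines, baseline, work_hours=(7, 19), fanout_threshold=3, window_minutes=10):
    """Return (line, reasons) for each event matching at least one indicator."""
    findings = []
    recent = defaultdict(list)  # (user, src) -> timestamps of recent new-host logons
    for line in lines:
        ts, user, src, dst = parse(line)
        reasons = []
        if dst not in baseline.get(user, set()):
            reasons.append("new destination host")
            key = (user, src)
            recent[key] = [t for t in recent[key] + [ts]
                           if (ts - t).total_seconds() <= window_minutes * 60]
            if len(recent[key]) >= fanout_threshold:
                reasons.append("fan-out to multiple new hosts")
        if not (work_hours[0] <= ts.hour < work_hours[1]):
            reasons.append("outside working hours")
        if reasons:
            findings.append((line, reasons))
    return findings
```

A real deployment would derive the baseline from weeks of authentication logs rather than a handful of lines, and would tune the thresholds per account type so that service accounts like the backup job above are not misclassified.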

Audit and clean up accounts

Dormant accounts, particularly those associated with former employees or decommissioned services, are frequently targeted by attackers because they often go unmonitored. Conducting regular audits to identify and disable unused accounts removes these entry points. Organizations should also periodically review the permissions of active accounts to ensure they have not accumulated more access than is necessary for their role.
