What Is Lateral Movement?

A common cybersecurity threat, “lateral movement” refers to the process of exploring an infected network for potential vulnerabilities to exploit.

Lateral movement comes after the discovery phase of a hacker or threat actor’s cyberattack journey. In the lateral movement phase, the adversary has already gained access to a target network — but not yet reached their intended target.

The goal of lateral movement is to discover vulnerable assets and processes that can help the adversary to:

• Acquire escalated access privileges to the system.
• Deliver a malicious payload to a target server, reachable only with certain access rights.

Let’s take a deep dive into this nefarious activity.

The lateral movement threat today

Of the many tactics, techniques, and procedures (TTPs) that adversaries can use, lateral movement is very common. In fact, research finds lateral movement happens in approximately 25% — a quarter! — of all cyberattacks.

This highlights a stark image of the state of cybersecurity, particularly in the enterprise IT segment. It appears that a majority of threat vectors involve both social engineering and a human element that is capable of network intrusion. Malicious actors may exploit human vulnerabilities: lacking enough security awareness, unintentionally falling prey to social engineering attacks, or both.

This entry point opens the path to lateral movement in many ways.

Lateral movement phases

The idea behind lateral movement is simple: access a network, discover the inner workings of its authorization controls and processes, then inject a malicious payload to acquire elevated access privileges to further compromise the target systems.

These are summarized in three stages of the cyberattack kill chain:

• Step 1. Reconnaissance: Malicious actors observe the inner workings of the network. This includes how users access information and the processes established to enforce access controls.
• Step 2. Escalating their privileges: The adversary uses social engineering techniques to trick users into sharing sensitive information, such as login credentials from a higher tier user account.
• Step 3. Gaining access: Finally, the adversary compromises target hosts while keeping under the radar. At this point, the threat actors have already bypassed the access controls — but proper security measures may prevent them from exfiltrating data. Cybercriminals may employ botnets and ransomware techniques to compromise target networks, which may render traditional security measures ineffective against the threats originating from the internal network.

Cyber Kill Chain^®, Lockheed Martin (Image source)

Lateral movement techniques & examples

The most common approach is an extension of the social engineering ploy: in the form of an internal spear phishing attack. Consider the case where the threat actors have already compromised a user account. They could, in this order:

1. Impersonate a legitimate employee via internal email, messaging, and other tools.
2. Talk their way to other employees/system users with elevated access.
3. Convince those users to click on a malicious link, which downloads the payload to servers with higher access control restrictions.

In the age of Artificial Intelligence, this can be achieved in creative ways. In May 2024, malicious actors posed as a chief financial officer (CFO) of a British engineering firm by means of an AI deepfake. The outcome? They stole $25 million.

Other common attack vectors include:

• SSH hijacking
• Remote service exploitation
• Pass the Hash (PtH) attacks
• Pass the Ticket (PtT) attacks

These attacks require access to sensitive information such as:

• Configuration files
• Algorithms
• User credentials
• Authentication protocols, such as Kerberos

How to defend against lateral movement attacks

So, how can you defend against lateral movement attacks? In most cases, the standard cybersecurity controls and best practices can help your organization protect against activities the lateral movement discovery and execution phase.

Consider the following security strategies:

Train & build awareness against social engineering

Since the lateral movement appears at a later stage of the cyber kill chain, the good news is that business organizations can equip their users to defend against lateral movement attacks before they begin.

Empower them with the knowledge and discipline to avoid spear phishing attacks:

• Do not click links or run files that appear malicious.
• Use strong login credentials.
• Err on the side of caution — even when communicating with colleagues.

Intrusion detection and prevention techniques

Segment and isolate sensitive network locations and protect them with elevated access controls.

Employ deception techniques to lure malicious threat actors. Honeypots can be deployed as fake assets and potential targets for actors engaging in lateral movement activities. Trigger alerts when a user attempts to exploit them and automate control actions against the compromised user accounts.

(Related reading: intrusion detection systems & intrusion prevention systems.)

Behavioral analytics and access patterns

It may be possible that malicious actors hide behind legitimate computing requests. By analyzing user access patterns based on contextual information — such as the past activities of the user and relevant environment variables — you can assign a threat score to computing requests that may appear legitimate.

For example, a compromised user account may be used to exfiltrate just enough data to remain undetected by an intrusion detection and prevention system, but the actual actions may be highly irregular for the particular user account in question.

Therefore, it is important to establish monitoring and observability for real-time and proactive detection.

Zero trust security measures

No cybersecurity tool is 100% secure: that’s impossible. Vulnerabilities and zero-day exploits can render sophisticated security measures ineffective against lateral movement attacks.

However, you can employ a strict zero trust security strategy that allows, for every user, only the bare minimum access privileges required to perform their assigned job tasks. This is also called the principle of least privilege and is a part of an extensive zero-trust security policy that assigns the same principles to users, technologies and processes.

Detect & prevent lateral movement with Splunk

Splunk is a leader in both observability and cybersecurity, with our unified platform. Learn more and explore Splunk solutions.

Already use Splunk solutions? These resources will certainly help:

• Splunk Security Content: The Active Directory Lateral Movement Analytic Story
• Detecting Lateral Movement with Splunk: How To Spot the Signs, part of our Threat Hunting with Splunk series
• Using Splunk User Behavior Analytics (UBA) To Detect Lateral Movement