What Is Lateral Movement?
Lateral movement is a set of techniques cybercriminals use to access other devices, apps, or assets on a network after they first compromise an endpoint. Using stolen login credentials or other methods of privilege escalation, threat actors move through the network as they close in on sensitive data. With their activities disguised as permitted network traffic, attackers can avoid detection and prolong their attacks.
How Does Lateral Movement Happen?
A threat actor can perform lateral movement after compromising an endpoint connected to a network that lacks adequate access controls. They might achieve this through credential abuse, exploiting a vulnerability in a server or application, leveraging malware to create a backdoor, and various other methods. Many conventional network security measures won’t detect malicious activity because it appears to be coming from legitimate users.
Let’s take a simplified look at how lateral movement plays out.
Stages of Lateral Movement
A lateral movement attack occurs in three main steps:
- Reconnaissance: The threat actor explores the network. As they develop understanding of naming conventions and network hierarchies, identify open firewall ports, and pinpoint other weaknesses, the actor can formulate a plan for getting deeper inside the network.
- Infiltration: Using login credentials often obtained through phishing attacks or other social engineering, the actor employs credential dumping and privilege escalation techniques to gain access to different parts of the system.
- Access: Once the actor locates the target system or data, they can begin their attack in earnest—delivering a malware payload, exfiltrating or destroying data, or various other possible ends.
For a more detailed look at two well-known attack life cycle models, read Understanding Attack Progression.
What Types of Attacks Use Lateral Movement?
Most types of attacks include, or can include, lateral movement techniques, among them ransomware and other malware attacks as well as phishing. Once they have established a foothold in a network, attackers can use that position as a base from which to conduct further attacks.
Using techniques such as hijacking and spear phishing, attackers can move across the network as if they were a legitimate user without alerting conventional cybersecurity measures to their presence.
Examples of Lateral Movement in Cyberattacks
Lateral movement isn’t one technique, but rather a strategic element of an attack that can take many shapes depending on the attacker’s needs. Common lateral movement attack tactics include:
- Pass the hash (PtH): Rather than using a plaintext password for authentication, an attacker inputs a stolen password hash—the same encrypted string stored in the authenticator—and is granted access.
- Pass the ticket (PtT): An attacker uses stolen tickets from the default Windows authentication protocol, Kerberos, to authenticate without needing to know the user’s password.
- Exploitation of remote services: Once inside a system, an attacker can take advantage of vulnerabilities or misconfigured permissions in connected remote services to gain access to other parts of the network.
- Internal spear phishing: An attacker who already has access to a legitimate user’s account can use spear phishing attacks to obtain shared credentials, access codes, and the like from targets who think they know who they’re talking to.
- SSH hijacking: Attackers can hijack connections made through Secure Shell (SSH), a common remote access protocol in macOS and Linux, to bypass authentication and gain access to another system through the encrypted SSH tunnel.
- Windows admin shares: Most Windows systems enable admin shares by default. A threat actor who gains administrative access can use admin shares to quickly move laterally by exploiting their permissions to manage and access other hosts.
What Are the Security Challenges of Lateral Movement?
In a network topology that allows unconstrained lateral movement, an attack can quickly move from host to host, often without tripping any alarms. Some malware does this far too quickly for any security team to contain—especially if you’re relying on security measures that only alert you after the fact.
The rise of hybrid and remote work has created problems of its own. Users connect from all manner of endpoints, which may all have unique security controls. Each of these can represent a potential vulnerability, another attack vector for attackers to use.
Most dangerous, though, is the risk of advanced persistent threats (APTs). A skilled attacker can persist in your network unseen for months, accessing privileged information and exfiltrating data.
Steps for Preventing and Detecting Lateral Movement
Fighting back against lateral movement is a two-part exercise.
Prevent Lateral Movement in Real Time
On the one hand, you need to stop lateral movement before it happens. To do that:
- Use effective, modern endpoint security. Hybrid work is here to stay, and to keep workers secure and productive, you need endpoint and mobility solutions that enable end-to-end zero trust access control, threat detection, and response across a wide variety of devices.
- Protect high-value targets. Compromising an account with administrative privileges gives an attacker access to your most valuable and sensitive data. Protect these accounts with the highest levels of security, and reserve their use for only the tasks that require the highest privileges.
- Implement microsegmentation. Microsegmentation creates secure zones that allow you to isolate workloads from one another and secure them individually. Granular segments can be tailored to the needs of different traffic, creating controls that limit network and application flows between workloads to those that are explicitly permitted.
- Maintain a security-first zero trust approach. Everyone at your organization—not just IT or a small security team—should take responsibility for security. Ensuring all staff understand and adhere to common security protocols, and taking a zero trust approach to security, will reduce your risk of cyberattacks more than anything else.
Detect Lateral Movement
On the other hand, when attackers do get through, you need to be able to stop them in their tracks. For that, you need to:
- Monitor login activity. Keeping a close eye on authentication traffic may allow you to detect direct compromises and credential theft before attackers can do damage.
- Run behavior analytics. Machine learning-powered analysis can establish a baseline of normal user behavior and flag deviations that could signify a cyberattack.
- Use deception technology. Realistic decoy assets deployed in your network act as lures for cybercriminals. Unable to differentiate the fake from the real, attackers raise a silent alarm the moment they interact with a decoy.
- Employ threat hunting. Identifying previously unknown or ongoing threats in your network with proactive expert threat hunting—through a managed service, for most organizations—is a powerful defense against advanced, stealthy attacks.
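To make the "monitor login activity" step concrete, here is an added example (not part of the original page or any Zscaler product) of one simple detection that authentication logs support: flagging an account that authenticates to an unusual number of distinct hosts within a short window, the fan-out pattern that lateral movement produces. The log records are constructed for the example and reduced to the fields the check needs; the window and threshold values are assumptions to be tuned against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security log Event ID 4624
# (successful logon) with logon type 3 (network logon), reduced to
# "<timestamp> <event id> <logon type> <user> <target host>".
# These are fabricated entries, not real telemetry.
SAMPLE_LOGONS = [
    "2024-05-01T09:00:05 4624 3 jdoe WS-101",
    "2024-05-01T09:00:41 4624 3 jdoe FS-02",
    "2024-05-01T09:01:13 4624 3 jdoe SQL-07",
    "2024-05-01T09:01:50 4624 3 jdoe WS-233",
    "2024-05-01T09:02:20 4624 3 jdoe DC-01",
    "2024-05-01T09:03:00 4624 3 asmith FS-02",
    "2024-05-01T10:30:00 4624 3 jdoe WS-101",
]

def parse_logon(line):
    """Parse one record into (timestamp, user, host).
    Returns None for anything that is not a network logon (type 3)."""
    ts, event_id, logon_type, user, host = line.split()
    if event_id != "4624" or logon_type != "3":
        return None
    return datetime.fromisoformat(ts), user, host

def find_fan_out(lines, window=timedelta(minutes=5), threshold=4):
    """Return {user: sorted hosts} for accounts that reached `threshold`
    or more distinct hosts within any `window`-long span. One account
    touching many hosts in minutes is a classic lateral-movement signal;
    the defaults here are assumed values, not a recommended baseline."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_logon(line)
        if parsed:
            ts, user, host = parsed
            events[user].append((ts, host))
    alerts = {}
    for user, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            hosts = {h for _, h in evs[start:end + 1]}
            if len(hosts) >= threshold and len(hosts) > len(alerts.get(user, ())):
                alerts[user] = sorted(hosts)
    return alerts

if __name__ == "__main__":
    for user, hosts in find_fan_out(SAMPLE_LOGONS).items():
        print(f"ALERT: {user} reached {len(hosts)} hosts within 5 min: {hosts}")
```

The same sliding-window logic applies to other authentication sources (Kerberos service ticket requests, SSH logins) once their records are mapped to the same three fields.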
Prevent and Control Lateral Movement with Zero Trust
Taking advantage of trust—not just the sort conferred by authentication, but also the sort conferred by human nature—is one of the oldest tricks attackers know. It persists today as one of the most effective ways they can position themselves to move laterally in your environment. To deny them that opportunity, you need to take trust out of the equation.
A zero trust architecture enforces access policies based on context—including the user's role and location, their device, and the data they are requesting—to block inappropriate access and lateral movement throughout your environment.
Zero trust requires visibility and control over your environment's users and traffic, including that which is encrypted; monitoring and verification of traffic between parts of the environment; and strong multifactor authentication (MFA) methods beyond passwords.
Critically, in a zero trust architecture, a resource's network location isn't the biggest factor in its security posture anymore. Instead of rigid network segmentation, your data, workflows, services, and such are protected by software-defined microsegmentation, enabling you to keep them secure anywhere.
Prevent Lateral Movement with Zscaler
Legacy network security solutions, like traditional firewalls and VPNs, are the problem. They create a massive attack surface that threat actors can easily see and exploit to get inside your environment. Worse, they put users directly on your network, giving bad actors easy access to sensitive data.
- Peerless security, beyond legacy VPNs and firewalls: Users connect directly to apps—not the network—minimizing the attack surface and eliminating lateral movement.
- The end of private app compromise: First-of-its-kind app protection, with inline prevention, deception, and threat isolation, minimizes the risk of compromised users.
- Superior productivity for today's hybrid workforce: Lightning-fast access to private apps extends seamlessly across remote users, HQ, branch offices, and third-party partners.
- Unified ZTNA platform for users, workloads, and IoT/OT: Securely connect to private apps, services, and OT/IoT devices with the industry’s most comprehensive ZTNA platform.
Zscaler Private Access applies the principles of least privilege to give users secure, direct connectivity to private applications while eliminating unauthorized access and lateral movement. A cloud native service, ZPA can be deployed in hours to replace legacy VPNs and remote access tools with a holistic zero trust platform.