What is Lateral Movement? Definition & Examples

Lateral movement allows attackers to navigate networks undetected. Understand its significance and explore strategies to prevent it.
By SentinelOne August 1, 2022

Lateral movement refers to the techniques used by attackers to navigate through a network after an initial breach. This guide explores how lateral movement works, its implications for security, and strategies for detection and prevention.

Learn about the importance of network segmentation and monitoring in thwarting lateral movement. Understanding lateral movement is essential for organizations to enhance their cybersecurity defenses.

Lateral Movement Attacks are possible because cyberattacks rarely occur at the point of entry; this is just where a hacker gains access. Cybercriminals will often laterally work through a system, to access the most sensitive information. Unfortunately, too many users and companies don’t know how to upgrade their cybersecurity practices to stop these attacks.

A recent data report shows that many organizations have poor cybersecurity practices, making them vulnerable to data loss, malware infection, and other security threats. To keep up with the changing landscape of cybersecurity, it’s essential to understand all facets of a cyber-attack, including lateral movement attacks and other examples of this sort.

In this article, you’ll learn everything you need to know about lateral movement attacks, including how it works and how to detect and prevent them from infiltrating your systems.

What is Lateral Movement?

In cybersecurity, lateral movement refers to the movement of an attacker within a victim’s network. Lateral movement is typically done to extend the attack’s reach and find new systems or data that can be compromised. Lateral movement can occur at any stage of an attack but is most commonly seen during the post-compromise phase.

Lateral movement attacks usually follow a specific pattern:

  • The attacker gains initial access to a system through some type of exploitation, like phishing or malware (including fileless malware).
  • The attacker then uses that system to move laterally within the network, usually by exploiting vulnerabilities or using stolen credentials.
  • The attacker then uses the compromised system to access sensitive data or systems.

There are many different lateral movement techniques that attackers can use, but the common ones include:

  • Pass-the-hash: In this technique, an attacker steals the password hash from a system and then uses that hash to authenticate to other systems on the network.
  • Pass-the-ticket: The attacker steals a Kerberos ticket from a system and then uses that ticket to authenticate to other systems on the network, like active directories. Pass-The-Ticket attacks, such as a Golden Ticket attack or a Silver Ticket Attack, are powerful techniques adversaries employ for post-exploitation lateral movements and privilege escalation. Using these techniques, attackers can gain unlimited access to any endpoint on the network or service, potentially causing catastrophic consequences.
  • Exploiting vulnerabilities: An attacker exploits vulnerabilities in systems to gain access and then uses that access to move laterally within the network.
  • Using stolen credentials: The attacker steals valid credentials from a system and then uses those credentials to authenticate to other systems on the network.

Lateral movement techniques are often used in combination with each other in order to increase the chances of success. For example, an attacker might use pass-the-hash to gain initial access to a system and then use those credentials to authenticate to other systems on the network.

The UK’s National Cyber Security Centre notes that after cybercriminals have gained an initial foothold in a network, they look to expand and solidify that foothold while acquiring further control of valuable information or systems–which is what makes lateral movement so dangerous.

How Lateral Movement Works: The Stages of the Attack

One thing to know about cyberattacks is that they follow a well-defined process or what is known as the “kill chain.” A cyber kill chain is a methodology cybercriminals use to execute cyber-attacks. It’s a linear model that outlines an attacker’s steps from identifying a target to successfully exfiltrating its data.

When it comes to lateral movement attacks, there are several stages in the kill chain that attackers use:

Reconnaissance

This is the first stage of the lateral movement attack and is also the most important because it sets the stage for the rest of the attack. During this phase, attackers gather as much information about their target as possible.

This includes collecting data about the network infrastructure, users, and systems. They use tools like Google dorks, social media, and other open-source intelligence (OSINT) techniques to collect data about their target.

A reconnaissance stage will also include:

  • Identifying prospective targets.
  • Discovering their vulnerabilities.
  • Finding which third parties are linked to them (and what useful information they can access).
  • Exploring existent entry points (and finding new ones).

Also, reconnaissance can happen online and offline.

Stealing of Credentials

Often called “Credential dumping,” this step occurs after reconnaissance allows the cybercriminals to discover all essential information about potential targets. Here, the attacker solidifies their presence, maintains persistent threats, obtains credentialed information through fraudulent means, and compromises additional hosts to escalate their privileges.

Ultimately, the attackers gain control of their targets (such as a domain controller, an important system, or sensitive data). They steal credentials that give them what appears to be legitimate access to more host naming conventions and servers. After achieving these objectives, the data can be exfiltrated, and devices become sabotaged.

Lateral Movement Access

At this stage, attackers use the credentials they acquired in the previous stage to move laterally across systems and expand their foothold in the network. They do this by accessing other systems and devices on the network using tools like Remote Desktop Protocol (RDP), Windows Management Instrumentation (WMI), and Server Message Block (SMB).

These tools allow attackers to move laterally across devices and systems on the network without re-authenticating and give them unlimited access to sensitive data and systems.

Detection & Interception

This is the final stage of the lateral movement kill chain–and the one that’s most important to protect you or your clients’ data. Once cyberattackers have accessed your systems, detecting and stopping them can be nearly impossible.

SentinelOne can end all lateral movement attacks by protecting your network through AI and automation at every stage of the lifecycle threat. As the first and only XDR vendor to participate and lead the ATT&CK Deception Evaluation, their Singularity XDR platform demonstrates the most powerful, autonomous XDR platform, reducing the enterprise attack surface across human, device, and cloud attack surfaces.

Singularity XDR provides an effective combination of prevention, protection, detection, and deception capabilities to stop attackers early, whether attempting to establish a beachhead inside the network or compromising identity data to move laterally, escalate privileges, and acquire targets. Get a Demo of SentinelOne.

Why do Attackers Use the Lateral Movement Technique

Lateral movement can also be attributed to two main causes: a live attacker traversing a network, or malicious code with automatic spreading abilities, such as a worm. The techniques to perform lateral movements can include utilizing exploits such as the EternalBlue SMB exploit, remote desktop protocols, harvested credentials with tools/interfaces like Powershell and WMI, and executing code on a remote machine.

Given that most of the above techniques are fileless methods, most traditional security controls have a hard time identifying an attacker or a piece of code moving within a network. The stealthy nature of these attacks make them highly efficient and lucrative for the attacker and allows mass infections. To prevent lateral movement attacks, it’s essential to understand why attackers use the lateral movement technique.

Easier to Evade Detection

On average, a phishing attack takes 213 days to detect and 80 days to contain. Two hundred and thirteen days is a lifetime in lateral movement attacks, providing the attacker ample time to move laterally, establish persistence, conduct reconnaissance, and gain credentials.

And because it seems as though a legitimate user is moving laterally across the network or cloud,  the security and network monitoring tools will fail to detect an attack.

This means that even if the original device was determined to be infected, the attacker could already have moved throughout the network and remain invisible inside the target for an extended period while looking for the best chance to escalate the attack. This takes us to:

Time to Learn Vulnerabilities

The attacker can learn about the vulnerabilities of different systems by moving laterally and observing how each system works. And, they can do this for weeks or months before they conduct their final attack.

Opportunity for Privilege Escalation

Another reason attackers use the lateral movement technique is to gain elevated privileges for a network instead of trying to breach that network from the outside. Using legitimate credentials will enable attackers to quickly escalate their privileges on a network and control sensitive data and systems.

How to Detect & Prevent Security Threats That Use Lateral Movement

Lateral movement attacks are difficult to detect and prevent because they use legitimate credentials and tools that keep cybercriminals undetected for a long time. However, there are some best cybersecurity practices that you can follow to reduce the risk of lateral movement attacks. They include:

Gauge the Attack Surface Awareness

The first thing is to understand what systems and devices are on your network. This will help to build a wall around what needs to be protected. Here, your cybersecurity attention should shift from perimeter protection to in-network detection.

For this to work, you must know about things like exposed credentials/information, misconfigurations, potential attack paths, and other vulnerabilities. It is important to use Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) tools to provide visibility into attacks on endpoints and expand upon those capabilities.

SentinelOne’s Singularity™ Platform helps security professionals proactively resolve modern threats at machine speed. Singularity makes the future vision of autonomous, AI-driven cybersecurity today’s reality by helping your SOC more effectively manage risk across user endpoints, hybrid cloud workloads, IoT, and more.

Investigate Permissions and Identities

The second practice is investigating and understanding permissions and identities on your network. This will help to determine what legitimate users are supposed to be doing–and what they’re not.

Here, you must understand what systems each user has access to and what they are allowed to do with those systems. You can create a Zero Trust Architecture (ZTA) to deal with this challenge by providing identities with only the necessary access level they need to operate and validate their identities.

The main message behind the design can be summed up through the phrase “never trust, always verify.” Put simply, a zero trust design approach is a strategic initiative that assumes there are attackers within and outside of a network, in a sense, eliminating all “trust” from an organization’s network architecture.

Measure Anomalies and Detection Accuracies

At this stage, you must measure your security tools’ detection accuracies and ensure they work as expected. For instance, a user who usually accesses files from one location is now accessing them from another. This could be a sign that the user’s credentials have been compromised, and someone is trying to use them to move laterally on the network.

You can use detection technologies with AI/ML capabilities to help you detect and prevent lateral movement attacks. These technologies can be used to monitor user behavior and identify anomalies that could be indicative of lateral movement.

The best way to identify lateral movement and other cyber threat issues is to adopt a trusted cybersecurity process that benefits every organization member. SentinelOne’s Lateral Movement Detection engine utilizes the platform’s low level monitoring to gain visibility into all machine operations, including the above script language and protocols.

It’s able to detect and mitigate lateral movement attacks in real-time by building execution context in real time and applying Behavioral AI to identify the anomalies in usage of these various techniques to move around in the network, preventing the spread of malware or a “roaming” attacker. You can see how it works here:

Utilize Effective Automation and orchestration

Lastly, you must automate and orchestrate your responses to lateral movement attacks. This will help to speed up your response time and reduce the chances of a successful attack.

You can use security orchestration, automation, and response (SOAR) platforms to help you with this. These automation platforms will accelerate and simplify incident response by addressing detected threats and stopping them from escalating through the network.

Read here about SentinelOne’s success in the MITRE Engenuity ATT&CK® Deception Evaluation.

Lateral Movement Protection with SentinelOne

Lateral movement attacks remain a significant issue as cybercriminals have become more sophisticated. Gone are the days of simple exploits. Large organizations now worry about carefully planned Advanced Persistent Threats (APT) attacks–including lateral movements attacks and many more.

The type of detection and visibility offered by the SentinelOne Lateral Movement Detection is far superior to every other EDR tool and is integrated holistically for automated operation into our 2.0 platform–no configuration needed.

SentinelOne is the world’s leading next-generation endpoint security platform. It has been purpose-built to stop threats at every stage of an attack lifecycle. The platform provides comprehensive visibility, protection, and response capabilities in a single agent/console architecture. It proactively protects your business from lateral movement attacks. You can see for yourself by scheduling a demo today.

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform harnesses the power of data and AI to protect your organization now and into the future.