Home Think Topics Lateral movement What is lateral movement?
Explore IBM's lateral movement attack solution Subscribe to security topic updates
Illustration with collage of pictograms of clouds, mobile phone, fingerprint, check mark

Published: 17 June 2024
Contributors: Gregg Lindemulder, Amber Forrest

What is lateral movement?

Lateral movement is a tactic that cybercriminals use to advance deeper into an organization’s network after gaining unauthorized access. During lateral movement, threat actors might deploy malware, compromise user accounts and evade security controls to seek out high-value targets such as sensitive data or intellectual property.

Lateral movement isn't a feature of every cyberattack, but it can be one of the most damaging cybersecurity threats. This is because lateral movement relies on user credential theft to reach progressively deeper inside a breached network. This type of breach requires a more complex incident response by security teams and typically has a longer response lifecycle than any other infection vector.

Cost of a Data Breach Report

Get essential insights to help your security and IT teams better manage risk and limit potential losses.

How lateral movement works

Broadly speaking, lateral movement attacks have two parts: an initial breach followed by internal movement. Hackers must first gain access to a network by evading endpoint security. They might use phishing attacks or malware to compromise a device or an application, or gain initial access through an open server port. After the attackers are inside, they can begin branching out to other areas of the network through these stages of lateral movement:

After they have gained a foothold, attackers map out the network and plan a route to their goal. They look for information on network hierarchies, operating systems, user accounts, devices, databases and apps to understand how these assets are connected. They might also scope out network security controls, then use what they learn to dodge security teams.

Privilege escalation
When hackers understand the network layout, they can use a variety of lateral movement techniques to reach more devices and accounts. By infiltrating more resources, hackers don't just get closer to their goal—they also make it harder to remove them. Even if security operations remove them from one or two machines, they still have access to other assets.

As hackers move laterally, they try to capture assets and accounts with higher and higher privileges. This act is called "privilege escalation." The more privileges that attackers have, the more they can do within the network. Ultimately, hackers aim to obtain administrative privileges, which allow them to go practically anywhere and do virtually anything.

Reaching the target
Hackers combine and repeat lateral movement techniques as needed until they reach their target. Often, they seek sensitive information to collect, encrypt and compress for data exfiltration to an external server. Or they might want to sabotage the network by deleting data or infecting critical systems with malware. Depending upon their ultimate goal, hackers might maintain backdoors and remote access points for as long as possible to maximize damage.

Lateral movement techniques

Credential dumping: Hackers will steal the usernames and passwords of legitimate users, then “dump” these credentials onto their own machines. They might also steal the credentials of admins who have recently logged in to the device. 

Pass the hash attacks: Some systems transform or “hash” passwords into illegible data before transmitting and storing them. Hackers can steal these password hashes and use them to trick authentication protocols into granting permissions for protected systems and services. 

Pass the ticket: Hackers use a stolen Kerberos ticket to gain access to devices and services on the network. (Kerberos is the default authentication protocol used in Microsoft Active Directory.)

Brute force attacks: Hackers break into an account by using scripts or bots to generate and test potential passwords until one works.

Social engineering: Hackers can use a compromised employee email account to launch phishing attacks designed to harvest the login credentials of privileged accounts.

Hijacking shared resources: Hackers can spread malware through shared resources, databases and file systems. For example, they might hijack Secure Shell (SSH) capabilities that connect systems across macOS and Linux operating systems.

PowerShell attacks: Hackers can use the Windows command line interface (CLI) and scripting tool PowerShell to change configurations, steal passwords or run malicious scripts.

Living off the land: Hackers can rely on internal assets that they have compromised rather than external malware in later stages of lateral movement. This approach makes their activities appear legitimate and makes them more difficult to detect.

Cyberattacks that use lateral movement

Advanced persistent threats (APT): Lateral movement is a fundamental strategy for APT attack groups, whose aim is to infiltrate, explore and expand their access across a network for an extended period of time. They often use lateral movement to remain undetected while conducting multiple cyberattacks for months or even years.

Cyber espionage: Because the nature of cyber espionage is to locate and monitor sensitive data or processes, lateral movement is a key capability for cyber spies. Nation-states often hire sophisticated cybercriminals for their ability to move freely inside a target network and perform reconnaissance on protected assets without being detected.

Ransomware: Ransomware attackers conduct lateral movement to access and gain control over many different systems, domains, applications and devices. The more they can capture, and the more critical those assets are to an organization’s operations, the greater the leverage they have when demanding payment for their return.

Botnet infection: As lateral movement progresses, hackers gain control over more and more devices across a breached network. They can connect these devices to create a robot network or botnet. A successful botnet infection can be used to launch other cyberattacks, distribute spam email or scam a broad group of target users.

Detecting lateral movement

Because lateral movement can rapidly escalate across a network, early detection is critical for mitigating damage and losses. Security experts recommend taking actions that help distinguish normal network processes from suspicious activities, such as:

Analyze user behavior: Unusually high volumes of user log-ons, log-ons that take place late at night, users accessing unexpected devices or applications, or a surge in failed log-ons can all be signs of lateral movement. Behavioral analytics with machine learning can identify and alert security teams of abnormal user behavior.

Protect endpoints: Vulnerable network-connected devices such as personal workstations, smartphones, tablets and servers are the primary targets of cyber threats. Security solutions such as endpoint detection and response (EDR) and web application firewalls are critical for monitoring endpoints and preventing network breaches in real time.

Create network partitions: Network segmentation can help stop lateral movement. Requiring separate access protocols for different areas of a network limits a hacker’s ability to branch out. It also makes it easier to detect unusual network traffic.

Monitor data transfers: A sudden acceleration of database operations or massive transfers of data to an unusual location could signal that lateral movement is underway. Tools that monitor and analyze event logs from data sources, such as security information and event management (SIEM) or network detection and response (NDR), can help identify suspicious data transfer patterns.

Use multi-factor authentication (MFA): If hackers are successful in stealing user credentials, multi-factor authentication can help prevent a breach by adding another layer of security. With MFA, stolen passwords alone will not provide access to protected systems.

Investigate potential threats: Automated security systems can provide false positives while missing previously unknown or non-remediated cyber threats. Manual threat hunting informed by the latest threat intelligence can help organizations investigate and prepare an effective incident response for potential threats.

Be proactive: Patching and updating software, enforcing least privilege system access, training employees on security measures, and penetration testing can help prevent lateral movement. It's vital to continually address vulnerabilities that create opportunities for hackers.

Related solutions
X-Force Red® vulnerability management services

Identify, prioritize and manage the remediation of flaws that could expose your most-critical assets.

Explore X-Force Red vulnerability management services

IBM Security® Verify (SaaS)

Add deep context, intelligence and security to user access of your data and applications.

Explore IBM Security Verify (SaaS)

Mobile threat defense (MTD) solutions

Protect users, mobile devices, apps, networks and data against cyberthreats.

Explore mobile threat defense (MTD) solutions
Resources X-Force® Threat Intelligence Index

Learn from the challenges and successes of security teams around the world, based on insights and observations obtained from monitoring over 150 billion security events per day in more than 130 countries.

What is a threat actor?

Threat actors are individuals or groups that intentionally cause harm to digital devices or systems.

What are advanced persistent threats?

Advanced persistent threats (APT) are undetected cyberattacks designed to steal sensitive data, conduct cyber espionage or sabotage critical systems over a long period of time.

Take the next step

IBM Security Verify is a leading IAM platform that provides AI-powered capabilities for managing your workforce and customer needs. Unify identity silos, reduce the risk of identity-based attacks and provide modern authentication, including passwordless capabilities.

Explore Verify Try Verify for 90 days