Lateral movement is how attackers spread across multiple parts of a network.
In network security, lateral movement is the process by which attackers spread from an entry point to the rest of the network. There are many methods by which they can achieve this. For instance, an attack could start with malware on an employee's desktop computer. From there, the attacker attempts to move laterally to infect other computers on the network, to infect internal servers, and so on until they reach their final target.
Attackers aim to move laterally undetected. But even if an infection is discovered on the initial device, or if their activities are detected, the attacker can maintain their presence within the network if they have infected a wide range of devices.
Imagine a group of burglars who enter a house through an open window, then each go to a different room in the house. Even if a single burglar is discovered in one room, the others can continue stealing items. Similarly, lateral movement enables an attacker to enter the various "rooms" of a network — servers, endpoints, application access — making the attack difficult to contain.
While some aspects of it may be automated, lateral movement is often a manual process directed by an attacker or group of attackers. This hands-on approach enables attackers to tailor their methods to the network in question. It also allows them to respond quickly to security countermeasures applied by network and security administrators.
Lateral movement starts with an initial entry point into the network. This entry point could be a malware-infected machine that connects to the network, a stolen set of user credentials (username and password), a vulnerability exploit via a server's open port, or a number of other attack methods.
Typically, the attacker establishes a connection between the entry point and their command-and-control (C&C) server. Their C&C server issues commands to any installed malware and stores collected data from malware-infected or remotely controlled devices.
Once the attacker has a foothold on a device inside the network, they perform reconnaissance. They find out as much as they can about the network, including what the compromised device has access to and, if they have compromised a user's account, what privileges the user has.
The next step for the attacker to begin moving laterally is a process called "privilege escalation."
Privilege escalation is when a user (whether legitimate or illegitimate) gains more privileges than they should have. Privilege escalation sometimes occurs accidentally in identity and access management (IAM) when user privileges are not tracked and assigned correctly. By contrast, attackers purposefully exploit flaws in systems to escalate their privileges on a network.
If they entered a network through a vulnerability or malware infection, attackers may use a keylogger (which tracks the keys users type) to steal user credentials. Or they may have entered a network initially through stealing credentials in a phishing attack. However they get it, attackers start with one set of credentials and the privileges associated with that user account. They aim to maximize what they can do with that account, then they spread to other machines and use credential theft tools to take over other accounts as they go.
To get the kind of access needed to cause maximum damage or reach their target, the attacker usually needs administrator-level privileges. They therefore move laterally through the network until they acquire administrator credentials. Obtaining those credentials essentially gives them control over the entire network.
Throughout the process of moving laterally, the attacker is likely paying close attention to countermeasures from the organization's security team. For example, if the organization discovers a malware infection on a server and cuts that server off from the rest of the network to quarantine the infection, the attacker may wait for some time before performing further actions so that their presence is not detected on additional devices.
Attackers may install backdoors to ensure they can re-enter the network if their presence is detected and successfully removed from all endpoints and servers. (A backdoor is a secret way into an otherwise secure system.)
Attackers also attempt to blend in their activities with normal network traffic, since unusual network traffic may alert administrators to their presence. Blending in becomes easier as they compromise additional legitimate user accounts.
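The paragraphs above describe the attacker's side: a single compromised account that fans out from one machine to many in a short time, while trying to look like ordinary traffic. The following Python script is an added example (not code from the article or from Cloudflare) of one simple detection the defending team can run over authentication logs: it flags any account that authenticates to an unusually large number of distinct hosts inside a short window. The log format, host names, user names, the five-minute window and the threshold of four hosts are all constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data): one line per
# authentication attempt, with the account, the host it came from and the
# host it went to. "bob" shows the fan-out pattern of lateral movement.
SAMPLE_LOGS = """\
2024-05-01T09:00:12Z user=alice src=ws-014 dst=fileserver-01 result=success
2024-05-01T09:03:40Z user=alice src=ws-014 dst=mail-01 result=success
2024-05-01T13:10:05Z user=bob src=ws-022 dst=hr-db-01 result=success
2024-05-01T13:10:09Z user=bob src=ws-022 dst=fileserver-01 result=success
2024-05-01T13:10:14Z user=bob src=ws-022 dst=ws-031 result=success
2024-05-01T13:10:20Z user=bob src=ws-031 dst=ws-044 result=success
2024-05-01T13:10:27Z user=bob src=ws-031 dst=dc-01 result=failure
2024-05-01T13:10:31Z user=bob src=ws-031 dst=dc-01 result=success
2024-05-01T14:00:00Z user=carol src=ws-007 dst=fileserver-01 result=success
"""


def parse_line(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict with a parsed 'ts'."""
    ts_text, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return event


def parse_logs(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_fanout(events: list, window: timedelta = timedelta(minutes=5),
                  threshold: int = 4) -> dict:
    """Flag accounts that reach >= threshold distinct hosts within one window.

    Returns {user: {window_start, distinct_hosts, hosts, sources}} for each
    flagged account. Failed attempts count too: a failure followed by a
    success against the same host is still part of the same spread.
    """
    by_user = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_user[event["user"]].append(event)

    alerts = {}
    for user, user_events in by_user.items():
        # Slide a window starting at each event; stop at the first hit.
        for i, first in enumerate(user_events):
            hosts = set()
            for event in user_events[i:]:
                if event["ts"] - first["ts"] > window:
                    break
                hosts.add(event["dst"])
            if len(hosts) >= threshold:
                alerts[user] = {
                    "window_start": first["ts"],
                    "distinct_hosts": len(hosts),
                    "hosts": sorted(hosts),
                    # More than one source host means the account is hopping
                    # between machines, not just working from its usual one.
                    "sources": sorted({e["src"] for e in user_events}),
                }
                break
    return alerts


if __name__ == "__main__":
    for user, alert in detect_fanout(parse_logs(SAMPLE_LOGS)).items():
        print(f"{user}: {alert['distinct_hosts']} hosts from {alert['sources']} "
              f"starting {alert['window_start']:%H:%M:%S}: {alert['hosts']}")
```

The threshold and window are the tuning knobs: an administrator's account legitimately touches many hosts, so in practice the threshold is set per account or per role from a baseline of normal activity rather than one global number, and the "sources" list (an account appearing from a workstation it never used before) is often the stronger signal than the raw host count.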
Many categories of attacks rely on lateral movement to either reach as many devices as possible or to travel throughout the network until a specific goal is reached. Some of these attack types include:
These preventative measures can make lateral movement much more difficult for attackers:
Penetration testing can help organizations close up vulnerable parts of the network that could allow lateral movement. In penetration testing, an organization hires an ethical hacker to stress-test their security by trying to penetrate as deep into the network as possible while remaining undetected. The hacker then shares their findings with the organization, which can use this information to fix the security holes that the hacker exploited.
Zero Trust security is a network security philosophy that does not trust any user, device, or connection by default. A Zero Trust network assumes that all users and devices present a threat and continually re-authenticates both users and devices. Zero Trust also uses a least-privilege approach to access control and divides networks into small segments. These strategies make privilege escalation much more difficult for attackers and make detecting and quarantining the initial infection much easier for security administrators.
Endpoint security involves scanning endpoint devices (desktop computers, laptops, smartphones, etc.) regularly with anti-malware software, among other security technologies.
IAM is a crucial component of preventing lateral movement. User privileges have to be closely managed: if users have more privileges than they strictly need, the consequences of an account takeover become more serious. Additionally, using two-factor authentication (2FA) can help stop lateral movement. In a system that uses 2FA, obtaining user credentials is not enough for an attacker to compromise an account; the attacker needs to steal the secondary authentication token as well, which is far more difficult.
Cloudflare One combines networking services with Zero Trust security services. It integrates with identity management and endpoint security solutions in order to replace a patchwork of security products with a single platform that prevents lateral movement and other attacks. Learn more about Cloudflare One and other network security solutions.