What is lateral movement?

Lateral movement is how attackers spread across multiple parts of a network.

Learning Objectives

After reading this article you will be able to:

  • Define lateral movement
  • Describe how lateral movement occurs
  • List preventative measures to slow or halt lateral movement

Copy article link

What is lateral movement?

In network security, lateral movement is the process by which attackers spread from an entry point to the rest of the network. There are many methods by which they can achieve this. For instance, an attack could start with malware on an employee's desktop computer. From there, the attacker attempts to move laterally to infect other computers on the network, to infect internal servers, and so on until they reach their final target.

Attackers aim to move laterally undetected. But even if an infection is discovered on the initial device, or if their activities are detected, the attacker can maintain their presence within the network if they have infected a wide range of devices.

Imagine a group of burglars who enter a house through an open window, then each go to a different room in the house. Even if a single burglar is discovered in one room, the others can continue stealing items. Similarly, lateral movement enables an attacker to enter the various "rooms" of a network — servers, endpoints, application access — making the attack difficult to contain.

While some aspects of it may be automated, lateral movement is often a manual process directed by an attacker or group of attackers. This hands-on approach enables attackers to tailor their methods to the network in question. It also allows them to respond quickly to security countermeasures applied by network and security administrators.

How does lateral movement happen?

Lateral movement starts with an initial entry point into the network. This entry point could be a malware-infected machine that connects to the network, a stolen set of user credentials (username and password), a vulnerability exploit via a server's open port, or a number of other attack methods.

Typically, the attacker establishes a connection between the entry point and their command-and-control (C&C) server. Their C&C server issues commands to any installed malware and stores collected data from malware-infected or remotely controlled devices.

Once the attacker has a foothold on a device inside the network, they perform reconnaissance. They find out as much as they can about the network, including what the compromised device has access to and, if they have compromised a user's account, what privileges the user has.

The next step for the attacker to begin moving laterally is a process called "privilege escalation."

Privilege escalation

Privilege escalation is when a user (whether legitimate or illegitimate) gains more privileges than they should have. Privilege escalation sometimes occurs accidentally in identity and access management (IAM) when user privileges are not tracked and assigned correctly. By contrast, attackers purposefully exploit flaws in systems to escalate their privileges on a network.

If they entered a network through a vulnerability or malware infection, attackers may use a keylogger (which tracks the keys users type) to steal user credentials. Or they may have entered a network initially through stealing credentials in a phishing attack. However they get it, attackers start with one set of credentials and the privileges associated with that user account. They aim to maximize what they can do with that account, then they spread to other machines and use credential theft tools to take over other accounts as they go.

To get the kind of access needed to cause maximum damage or reach their target, the attacker usually needs administrator-level privileges. They therefore move laterally through the network until they acquire administrator credentials. Once these credentials are obtained, this essentially gives them control over the entire network.

Camouflage and countermeasures during lateral movement

Throughout the process of moving laterally, the attacker is likely paying close attention to countermeasures from the organization's security team. For example, if the organization discovers a malware infection on a server and cuts that server off from the rest of the network to quarantine the infection, the attacker may wait for some time before performing further actions so that their presence is not detected on additional devices.

Attackers may install backdoors to ensure they can re-enter the network if their presence is detected and successfully removed from all endpoints and servers. (A backdoor is a secret way into an otherwise secure system.)

Attackers also attempt to blend in their activities with normal network traffic, since unusual network traffic may alert administrators to their presence. Blending in becomes easier as they compromise additional legitimate user accounts.

What types of attacks use lateral movement?

Many categories of attacks rely on lateral movement to either reach as many devices as possible or to travel throughout the network until a specific goal is reached. Some of these attack types include:

  • Ransomware: Ransomware attackers aim to infect as many devices as possible to ensure they have maximum leverage for demanding a ransom payment. In particular, ransomware targets internal servers that contain crucial data for an organization's everyday processes. This guarantees that, once activated, the ransomware infection will heavily damage the organization's operations, at least temporarily.
  • Data exfiltration: Data exfiltration is the process of moving or copying data out of a controlled environment without authorization. Attackers exfiltrate data for a number of reasons: to steal intellectual property, to obtain personal data for carrying out identity theft, or to hold the data they steal for ransom, as in a doxware attack or certain types of ransomware attacks. Attackers usually need to move laterally from an initial point of compromise to reach the data they want.
  • Espionage: Nation-states, organized cyber crime groups, or rival corporations may all have their reasons for monitoring activities within an organization. If the goal of an attack is espionage rather than pure financial gain, the attackers will try to stay undetected and embedded in the network for as long as possible. This contrasts with ransomware attacks, in which the attacker eventually wishes to draw attention to their actions in order to receive a ransom. It also differs from data exfiltration, in which the attacker may not care if they are detected once they get the data they were after.
  • Botnet infection: Attackers may add the devices they take over to a botnet. Botnets can be used for a variety of malicious purposes; in particular they are commonly used in distributed denial-of-service (DDoS) attacks. Lateral movement helps an attacker add as many devices as possible to their botnet, making it more powerful.

How to stop lateral movement

These preventative measures can make lateral movement much more difficult for attackers:

Penetration testing can help organizations close up vulnerable parts of the network that could allow lateral movement. In penetration testing, an organization hires an ethical hacker to stress-test their security by trying to penetrate as deep into the network as possible while remaining undetected. The hacker then shares their findings with the organization, which can use this information to fix the security holes that the hacker exploited.

Zero Trust security is a network security philosophy that does not trust any user, device, or connection by default. A Zero Trust network assumes that all users and devices present a threat and continually re-authenticates both users and devices. Zero Trust also uses a least-privilege approach to access control and divides networks into small segments. These strategies make privilege escalation much more difficult for attackers and make detecting and quarantining the initial infection much easier for security administrators.

Endpoint security involves scanning endpoint devices (desktop computers, laptops, smartphones, etc.) regularly with anti-malware software, among other security technologies.

IAM is a crucial component of preventing lateral movement. User privileges have to be closely managed: if users have more privileges than they strictly need, the consequences of an account takeover become more serious. Additionally, using two-factor authentication (2FA) can help stop lateral movement. In a system that uses 2FA, obtaining user credentials is not enough for an attacker to compromise an account; the attacker needs to steal the secondary authentication token as well, which is far more difficult.

Cloudflare One combines networking services with Zero Trust security services. It integrates with identity management and endpoint security solutions in order to replace a patchwork of security products with a single platform that prevents lateral movement and other attacks. Learn more about Cloudflare One.