Lateral movement is a technique threat actors use to expand their access from one compromised host to other hosts and applications in an organization. After attackers compromise an endpoint, they may use lateral movement to maintain persistence in the network and reach higher-value assets and data.
Instead of launching a cyberattack the moment they gain initial access to your system, modern cybercriminals will wait and expand their capabilities first. Lateral movement distinguishes advanced persistent threats (APTs) from simple one-off cyberattacks that target a single system.
Threat actors’ primary goal is gaining access to valuable or sensitive data. Their second goal is to remain undetected for as long as possible. The longer they remain undetected, the more opportunities they have to exfiltrate or destroy data.
To do this, attackers will study their target’s network topology, steal users’ login credentials, and expand their presence throughout the network. The longer they do this without getting caught, the more destructive their eventual attack will be.
Sophisticated threat actors can do this without installing additional malware that risks triggering an incident response workflow. They may choose to “live off the land”, harnessing built-in tools and processes like PowerShell to further the scope and depth of their attack.
Attackers pursuing lateral movement through the network can cause several kinds of harm along the way. These include increasing insider risk, since they operate under legitimate users' credentials, and reducing the effectiveness of your existing security policies.
Attackers rely on lateral movement to leverage escalated privileges when they decide to launch their ultimate attack. By spending time to learn your network’s vulnerabilities, they ensure the eventual attack will strike your weakest points while bypassing your defenses.
Threat actors may compromise legitimate credentials from authorized users and work their way up to an administrator’s account. From there, they can disable your security systems and lock IT staff out of their devices while conducting the attack.
As threat actors move laterally throughout your network, they pay close attention to your security policies and capabilities. They may notice that certain actions trigger incident response workflows — which teaches them how to avoid triggering a similar response themselves.
They may also prepare for eventual detection and response actions by installing secret access points to get back into your system. If threat actors install a backdoor on your network, taking action against them may have no effect. They can simply re-enter the system through the backdoor method they implemented.
Lateral movement is poorly addressed by most prevention-based security controls, so early detection is essential for keeping the risk at a comfortable minimum. The longer threat actors hold access to network assets, the greater the danger lateral movement poses.
Fast and reliable detection is one of the best defenses against lateral movement. The speed of your detection and response workflow makes a significant difference in your overall exposure to lateral movement risks.
Instead of letting months pass with threat actors lurking undetected on sensitive systems, security teams need to achieve much faster results. Ideally, a detection and response system resistant to lateral movement threats follows what CrowdStrike calls the 1-10-60 rule:
When an intrusion occurs, it should be:
Obtaining this kind of detection and response velocity is challenging, but achievable. Security teams that implement the right combination of technologies and leverage expert product knowledge to configure them appropriately are well protected from lateral movement risks.
1. Extended detection and response (XDR)
Your endpoint security capabilities play an important role protecting the organization from advanced persistent threats. Being able to detect and respond to endpoint threats quickly ensures threat actors won’t have enough time to conduct lateral movement on your network.
Endpoint detection and response (EDR) is critical to your security tech stack, but you need more to reliably protect against lateral movement. Extended detection and response (XDR) capabilities provide deeper insights across a much broader data set — including network, cloud, and identity data.
This is important because it provides actionable security data on each network asset threat actors interact with. When configured to leverage automation, it can block malicious executions and terminate unauthorized processes immediately.
2. Network detection and response (NDR)
Network detection and response (NDR) helps eliminate blind spots and ensure attackers can’t hide on your network indefinitely. These solutions capture and analyze network traffic data to identify potential threats. This distinguishes them from security solutions that look at endpoint usage or log data to detect unauthorized activity.
Leveraging an NDR solution like ExtraHop gives your security team deep, contextual data that helps uncover lateral movement attempts. For example, it can detect credential enumeration techniques that indicate a threat actor is systematically attempting logins using a pre-made list of usernames and passwords.
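The credential-enumeration pattern described above, as an added example that is not part of the original article and not ExtraHop's or any NDR product's detection logic: a source that fails logins against many distinct accounts (or many times against one account) inside a sliding window is flagged, and a later success from the same source is raised to high severity. The event format, the thresholds and the sample events are constructed assumptions.

```python
"""Credential-enumeration detector over constructed authentication events.

Illustration added to this article; it is not ExtraHop's or any NDR
product's detection logic. It flags a source that, inside a sliding time
window, fails logins against many distinct accounts (a spray across a
username list) or many times against one account (a wordlist against a
single user), and escalates when that same source then succeeds.
Event format, thresholds and sample data are all assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, source address, username, outcome)
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01", "10.0.0.5", "alice", "success"),
    ("2024-05-01T09:00:02", "10.0.0.5", "alice", "success"),
    ("2024-05-01T09:01:00", "10.0.0.9", "alice", "failure"),
    ("2024-05-01T09:01:03", "10.0.0.9", "bob", "failure"),
    ("2024-05-01T09:01:06", "10.0.0.9", "carol", "failure"),
    ("2024-05-01T09:01:09", "10.0.0.9", "dave", "failure"),
    ("2024-05-01T09:01:12", "10.0.0.9", "erin", "failure"),
    ("2024-05-01T09:01:15", "10.0.0.9", "frank", "failure"),
    ("2024-05-01T09:02:00", "10.0.0.9", "frank", "success"),       # the spray found a valid pair
    ("2024-05-01T09:10:00", "10.0.0.7", "svc-backup", "failure"),
    ("2024-05-01T09:30:00", "10.0.0.7", "svc-backup", "failure"),  # two slow retries: below threshold
]

WINDOW = timedelta(minutes=5)   # sliding window per source (assumed)
DISTINCT_USER_THRESHOLD = 5     # failures against this many accounts -> spray
SINGLE_USER_THRESHOLD = 10      # failures against one account -> brute force


def detect_credential_enumeration(events, window=WINDOW,
                                  distinct_threshold=DISTINCT_USER_THRESHOLD,
                                  single_threshold=SINGLE_USER_THRESHOLD):
    """Return findings in time order: one medium finding when a source first
    trips a pattern, then a high finding for every later success from it."""
    recent = defaultdict(deque)   # source -> failures (time, user) inside the window
    flagged = {}                  # source -> pattern name once it has tripped
    findings = []
    for ts, src, user, outcome in sorted(events):
        now = datetime.fromisoformat(ts)
        window_failures = recent[src]
        # Drop failures that have aged out of the window
        while window_failures and now - window_failures[0][0] > window:
            window_failures.popleft()
        if outcome == "failure":
            window_failures.append((now, user))
            if src in flagged:
                continue                  # already reported; keep tracking only
            users = [u for _, u in window_failures]
            distinct = len(set(users))
            per_user = max(users.count(u) for u in set(users))
            if distinct >= distinct_threshold:
                flagged[src] = "password_spray"
            elif per_user >= single_threshold:
                flagged[src] = "brute_force"
            if src in flagged:
                findings.append({"at": ts, "source": src, "severity": "medium",
                                 "pattern": flagged[src],
                                 "distinct_users": distinct, "max_per_user": per_user})
        elif outcome == "success" and src in flagged:
            # A success from a source that was enumerating: a credential was likely found
            findings.append({"at": ts, "source": src, "severity": "high",
                             "pattern": flagged[src] + "_success", "user": user})
    return findings


if __name__ == "__main__":
    for finding in detect_credential_enumeration(SAMPLE_EVENTS):
        print(finding)
```

The window is evicted per source so that slow, isolated retries (the `svc-backup` lines) never accumulate, while the rapid run from `10.0.0.9` trips the distinct-account threshold on the fifth failure. Promoting a subsequent success from an already-flagged source to high severity is what makes the finding actionable: that is the account a responder should disable first.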
3. User and entity behavior analytics (UEBA)
Behavioral analytics offers one of the best defenses against lateral movement. Unlike many other security technologies, user and entity behavior analytics (UEBA) is designed to detect malicious insiders and credential-based attacks.
These solutions work by gathering and analyzing key data from assets throughout the network. Then they match that data against a previously established baseline model that represents routine activity. Activity that consistently deviates from the baseline triggers alerts of increasing severity, prompting rapid investigation.
Defining and maintaining an accurate baseline is vital for UEBA success. AI-powered detection tools like these perform their best when configured with highly specialized product expertise and outfitted with custom rules.
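The baseline-and-deviation loop described above, as an added example that is not from the original article and not the logic of any product it names: a per-user baseline (hosts normally logged on to, hours normally active) is learned from a constructed history, each new logon is compared against it, and severity escalates as a user's running deviation count grows. The features, the severity cut-offs and the sample data are assumptions.

```python
"""Baseline-deviation scoring in the style of a UEBA pipeline.

Illustration added to this article, not the logic of any product it names.
A per-user baseline (hosts normally logged on to, hours normally active) is
learned from a constructed history; each new logon is then compared against
it, every deviation adds to the user's running anomaly count, and alert
severity rises with that count. Data, features and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed history: alice works 09:00-17:59 on two hosts, bob 08:00-16:59 on one
HISTORY = (
    [(f"2024-04-{day:02d}T{hour:02d}:15:00", "alice", host)
     for day in range(1, 6) for hour in range(9, 18)
     for host in ("ws-alice", "fileserver-01")]
    + [(f"2024-04-{day:02d}T{hour:02d}:30:00", "bob", "ws-bob")
       for day in range(1, 6) for hour in range(8, 17)]
)

# Constructed new logons to score: (ISO timestamp, user, host)
NEW_EVENTS = [
    ("2024-05-06T09:00:00", "bob", "ws-bob"),           # routine
    ("2024-05-06T10:00:00", "alice", "ws-alice"),       # routine
    ("2024-05-06T11:30:00", "alice", "fileserver-01"),  # routine
    ("2024-05-06T13:00:00", "alice", "ws-bob"),         # alice's account on a peer workstation
    ("2024-05-06T13:05:00", "alice", "dc-01"),          # then on a domain controller
    ("2024-05-07T02:10:00", "alice", "dc-02"),          # another new host, at 02:10
]


def build_baseline(history):
    """Learn, per user, the set of hosts and the set of hours seen in the history."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for ts, user, host in history:
        hosts[user].add(host)
        hours[user].add(datetime.fromisoformat(ts).hour)
    return {user: {"hosts": hosts[user], "hours": hours[user]} for user in hosts}


def severity_for(strikes):
    """Escalate as a user keeps deviating: 1 strike low, 2-3 medium, 4+ high (assumed cut-offs)."""
    if strikes < 2:
        return "low"
    if strikes < 4:
        return "medium"
    return "high"


def score_events(baseline, events):
    """Return one alert per deviating logon, carrying the reasons and the escalated severity."""
    strikes = defaultdict(int)    # running deviation count per user
    alerts = []
    for ts, user, host in sorted(events):
        hour = datetime.fromisoformat(ts).hour
        profile = baseline.get(user)
        reasons = []
        if profile is None:
            reasons.append("unknown_user")
        else:
            if host not in profile["hosts"]:
                reasons.append("new_host")
            if hour not in profile["hours"]:
                reasons.append("off_hours")
        if not reasons:
            continue                  # matches the baseline: no alert
        strikes[user] += len(reasons)
        alerts.append({"at": ts, "user": user, "host": host, "reasons": reasons,
                       "strikes": strikes[user], "severity": severity_for(strikes[user])})
    return alerts


if __name__ == "__main__":
    for alert in score_events(build_baseline(HISTORY), NEW_EVENTS):
        print(alert)
```

Two design points matter in practice. The baseline is built from a separate training period, so a user cannot normalize their own anomalous behaviour by simply repeating it; and severity is driven by the cumulative count rather than by any single event, which is why alice's first new host is only a low alert while her third, outside working hours, reaches high. A real deployment would decay old strikes and add more features (volume of data read, process lineage, peer-group comparison), which is the product-specific tuning the text refers to.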
4. Zero trust architecture
Preventing lateral movement is one of the principal benefits of zero trust architecture. When your network is designed to limit access between different network segments, and avoids automatically granting trust to authorized users, moving laterally is much harder.
Employing the principle of least privilege and microsegmentation for high-risk assets helps keep lateral movement risks at a minimum. Even if attackers do bypass these defenses, they are likely to leave a highly visible trail that your other security technologies will pick up on.
This creates a multi-layered security posture that keeps threats from developing persistence and escalating their privileges. When combined with a sophisticated security tech stack configured by industry experts, your zero trust network can consistently repel attacks from advanced threat actors.
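The segment-level access limits and the "visible trail" described in this section, as an added example that is not part of the original article and not any product's policy engine: hosts are mapped to segments, a flow is permitted only when an explicit allow rule matches, and every denied east-west flow is recorded as a log line. The segments, rules and sample flows are constructed assumptions.

```python
"""Default-deny microsegmentation policy evaluator.

Illustration added to this article; it is not a real product's policy
engine. Hosts are mapped to segments, a flow between segments is permitted
only when an explicit allow rule matches, and every denied east-west flow is
recorded as a log line, which is the visible trail the text refers to.
Segments, rules and sample flows are constructed assumptions.
"""

# Constructed asset-to-segment map
SEGMENTS = {
    "ws-alice": "workstations",
    "ws-bob": "workstations",
    "fileserver-01": "file-services",
    "dc-01": "identity",
    "db-01": "database",
}

# Constructed allow list: (source segment, destination segment, destination port).
# Anything not listed here, including workstation-to-workstation traffic, is denied.
ALLOW_RULES = {
    ("workstations", "file-services", 445),   # SMB to the file server
    ("workstations", "identity", 88),         # Kerberos to the domain controller
    ("workstations", "identity", 389),        # LDAP to the domain controller
    ("file-services", "identity", 88),
    ("app-tier", "database", 1433),           # only the app tier may reach the database
}


def evaluate_flows(flows, segments=SEGMENTS, rules=ALLOW_RULES):
    """Split flows into allowed and denied; each denied flow carries a log line."""
    allowed, denied = [], []
    for src, dst, port in flows:
        src_seg = segments.get(src, "unknown")
        dst_seg = segments.get(dst, "unknown")
        decision = {"src": src, "dst": dst, "port": port,
                    "src_segment": src_seg, "dst_segment": dst_seg}
        if (src_seg, dst_seg, port) in rules:
            allowed.append(decision)
        else:
            # Default deny: no rule matched, so record the attempt for the detection stack
            decision["log"] = (f"DENY east-west {src}({src_seg}) -> "
                               f"{dst}({dst_seg}):{port} no matching rule")
            denied.append(decision)
    return allowed, denied


# Constructed sample flows, in the order observed
SAMPLE_FLOWS = [
    ("ws-alice", "fileserver-01", 445),   # routine file access
    ("ws-alice", "dc-01", 88),            # routine authentication
    ("ws-alice", "ws-bob", 445),          # peer workstation SMB: denied and logged
    ("ws-alice", "db-01", 1433),          # workstation straight to the database: denied and logged
    ("fileserver-01", "dc-01", 88),       # routine
]

if __name__ == "__main__":
    allowed, denied = evaluate_flows(SAMPLE_FLOWS)
    print(f"{len(allowed)} allowed, {len(denied)} denied")
    for decision in denied:
        print(decision["log"])
```

The point of the allow list is that the ordinary workstation-to-server paths still work while the paths lateral movement needs (workstation to workstation, workstation directly to the database tier) have no rule and are refused. Because each refusal is logged with both endpoints and their segments, the NDR and UEBA layers described earlier get a clean signal to correlate even when the attacker is using a legitimate account.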