What is
Lateral Movement?

There are three stages of lateral movement used in most cyberattacks:

1. Reconnaissance. During this initial stage, the attacker explores and maps the business’s network, devices, and users. They use this stage to get to know the company’s network hierarchies, host naming conventions, various operating systems, location of potential payloads, and further intelligence to make any additional moves throughout the system.
2. Credential dumping and privilege gathering. To move through any network with minimal-to-no-detection, a threat actor needs valid login credentials. The commonly used term for illegally obtaining network credentials is “credential dumpling.” One way cybercriminals do this is by fooling users into sharing their credentials via phishing attacks and typosquatting.
3. Gaining access to other communication and computing points in the network. Once inside the network, the attacker can repeat the process, bypassing security controls to thwart and compromise successive devices until ultimately detected and stopped.

Lateral movement gives the threat actor the ability to avoid detection and response by a company's security teams. With this free movement throughout a network and lack of detection, they can retain access, even if the IT team recorded the system's or machine's initial infection.

Lateral movement allows an extended dwell time for the threat actor, allowing them access to a system for weeks or months after the initial breach. It is a trap that gives the company's detection and response team a false sense of security, causing everyone to let their guard down, leaving the system open to data theft.

Lateral movement manifests and presents as obvious, anomalous network activity, making it suspicious to vigilant IT teams right away.

For instance, if a device or computer that usually communicates with a select few other devices and their users starts randomly scanning the network, it is time to take note and prepare to respond. Any activity out of the norm is worthy of a response. Even if it is not a clear lateral movement scenario, it is better to investigate and dismiss it as an organic aberration in the course of business than taking the risk of letting it pass.

It is difficult for cybersecurity teams to do this while performing core business and other daily activities. They need a reliable and dynamic application that monitors how their network applications communicate, allowing them to provide vulnerability exposure insights.

With all the necessary observations and information, the application takes control of container software, for example, as well as bare-metal and virtual machines to provide network security to stop threat actors before they gain access, preventing them from lateral movement and administrative privileges.

Lateral movement. Two words that are synonymous with "breach" these days. What exactly is lateral movement? And how do you stop it from happening? Illumio's Neil Patel and Dan Gould "take 90" to explain.

Discover how Zero Trust segmentation can help protect your organization.