What is Lateral Movement? 

Lateral movement is how attackers jump from one device to another inside a network, trying to reach valuable data. It’s like a thief hopping from room to room after breaking in.

The 3 Stages of a Lateral Movement Attack

Here are the three stages of a lateral movement attack.


Reconnaissance or recon is when a cyber attacker gathers info about the target network and remote systems. The threat actors are looking to understand the virtual layout of the network, such as:

  • Where the servers are
  • Information about security teams and their approaches
  • If they have any software vulnerabilities

Reconnaissance methods often include port scanning, network mapping, and vulnerability scanning. Once the attacker has gathered enough information about the target network, they move on to the next stage of this sophisticated attack.

Credential Dumping and Privilege Escalation

During this stage, the attacker attempts to obtain login credentials from the compromised system using phishing attacks, brute force attacks, or SQL injection attacks. Over 80% of breaches within hacking involve brute force or the use of lost or stolen login credentials. 

Once the attacker has valid credentials, they are then able to gain initial access to other systems on the network or higher-privileged access to sensitive data.  

Gaining Unauthorized Access and a Foothold Into the Corporate Network

Once the attacker has obtained valid credentials, they will then use them to gain further access to other systems on the network. 

By spreading to other servers, attackers gain initial access and control over the network, making it possible to carry out their malicious activities such as data exfiltration, implanting malware, or staging attacks on customers of the infiltrated company–known as supply chain attacks.

How to Detect Lateral Movement

There are several indicators of lateral movement, including:

  • Increased Network Traffic: Unusual activities in network traffic may be a clear indicator of lateral movement present, as attackers will often try to move large amounts of data out of the system as they progress.
  • Unusual Access Patterns: For example, if a user is accessing systems or data that they normally would not have access to, this can be a tell-tale sign that their login credentials were compromised and an attacker is using them to gain access to sensitive data.
  • Suspicious Activity at Login: One of the easiest ways an attacker can bypass credentials is through third-party software systems. Access should only be granted to third parties on a “need to know” basis once authorization has been cleared, leveraging the principle of Zero Trust

Lateral Movement Example

A prime example of lateral movement is a Pass-the-Hash (PtH) attack. In this scenario, the attacker obtains stolen credentials and is able to bypass authentication. Decrypting the password hash is not needed to crack the password since the passwords are stored. 

A Pass-the-Hash attack is when these hashed credentials are used as a stand-in for plain text logins to authenticate with the system using hacking tools. Attackers have found a way to exploit authentication protocols such as Single Sign-On (SSO) or Kerberos.

Windows New Technology LAN Manager (NTLM) users are at the highest risk due to weak cryptography and other security vulnerabilities. 

How to Prevent Lateral Movement Attacks with ZTNA

One of the best lines of defense for preventing lateral movement technique is ZTNA.

ZTNA or Zero Trust Network Access verifies the identity of users and devices before any access is granted to company resources through strict and continuous authentication and authorization checks. 

ZTNA supports network segmentation and micro segmentation of networks, which divides networks into smaller network segments to reduce the attack surface. This helps prevent lateral movement attacks as it limits the amount of access that users and devices have to systems and data.

Best Practices to Prevent Lateral Movement

Here are the best practices that significantly reduce the risk of attackers infiltrating your systems and stealing sensitive data like intellectual property (IP).

1. Protecting Your Network Foundation:

  • Operating Systems: Ensure all systems, including desktops, servers, and mobile devices, are kept up-to-date with the latest security patches. Outdated software is a common target for attackers.
  • Remote Services: Minimize the number of exposed remote services and only allow access through secure protocols. This reduces potential entry points.

2. Multi-Factor Authentication (MFA):

  • Implement MFA as a mandatory requirement for all access points, including internal systems and remote connections. This adds an extra layer of security beyond passwords, making it significantly harder for attackers to use stolen credentials (even if they compromise a legitimate user’s login).

3. Principle of Least Privilege:

  • Grant users only the access privileges they need to perform their jobs. This minimizes the potential damage if an attacker gains access to a low-privilege account. Avoid using privileged accounts for daily tasks.
  • Network Hierarchies: Segment your network into different zones with varying security levels. This makes it harder for attackers to freely jump between critical systems and sensitive data.

4. Continuous Monitoring and Threat Detection:

  • Implement security controls that monitor network activity in real time for abnormal behaviors. These can include failed login attempts, unauthorized access to sensitive data, or unusual data transfers. Early detection allows for faster response and potential containment before attackers can establish persistence.
  • Be aware of common techniques used in lateral movement, such as exploiting vulnerabilities in domain controllers to steal credentials and escalate privileges.

5. Protecting the Crown Jewels:

  • Implement stricter security measures around privileged accounts, as these are prime targets for attackers seeking elevated privileges.
  • Regularly monitor privileged account activity and consider solutions that require additional authorization for high-risk actions.

By combining these practices, you create a layered security approach that deters attackers throughout the attack lifecycle.

Prevent Lateral Movement with Perimeter81

Perimeter 81’s ZTNA solution easily integrates with all leading Identity Providers (IdPs) and can be deployed in a matter of minutes across the organization.

Don’t wait until a threat actor has penetrated your network, and take a proactive approach.

Get ZTNA secured with Perimeter81 today. 


What is the difference between lateral movement and a security breach?
A security breach is the initial unauthorized access to a system. Lateral movement describes how attackers navigate within a network after gaining access, often using stolen credentials.
How do attackers gain legitimate credentials for lateral movement?
Phishing emails, malware, and social engineering are common tactics to trick users into revealing legitimate credentials.
How can organizations prevent lateral movement attempts?
Implement multi-factor authentication, enforce least privilege access controls, and monitor user behavior for suspicious activity.
What are some of the potential threats arising from lateral movement?
Attackers with lateral access can steal valuable assets, deploy ransomware, or disrupt critical systems.
How can threat intelligence help against lateral movement?
Threat intelligence provides insights into attacker tactics and techniques, allowing organizations to proactively defend against lateral movement attempts.

Looking to secure your remote workforce?

Simplify your network security today with Perimeter 81