A common cybersecurity threat, “lateral movement” refers to the process of exploring an infected network for potential vulnerabilities to exploit.
Lateral movement comes after the discovery phase of a hacker or threat actor’s cyberattack journey. In the lateral movement phase, the adversary has already gained access to a target network — but not yet reached their intended target.
The goal of lateral movement is to discover vulnerable assets and processes that can help the adversary to:
Let’s take a deep dive into this nefarious activity.
Of the many tactics, techniques, and procedures (TTPs) that adversaries can use, lateral movement is very common. In fact, research finds lateral movement happens in approximately 25% — a quarter! — of all cyberattacks.
This highlights a stark image of the state of cybersecurity, particularly in the enterprise IT segment. It appears that a majority of threat vectors involve both social engineering and a human element that is capable of network intrusion. Malicious actors may exploit human vulnerabilities: lacking enough security awareness, unintentionally falling prey to social engineering attacks, or both.
This entry point opens the path to lateral movement in many ways.
The idea behind lateral movement is simple: access a network, discover the inner workings of its authorization controls and processes, then inject a malicious payload to acquire elevated access privileges to further compromise the target systems.
These are summarized in three stages of the cyberattack kill chain:
Cyber Kill Chain®, Lockheed Martin (Image source)
The most common approach is an extension of the social engineering ploy: in the form of an internal spear phishing attack. Consider the case where the threat actors have already compromised a user account. They could, in this order:
In the age of Artificial Intelligence, this can be achieved in creative ways. In May 2024, malicious actors posed as a chief financial officer (CFO) of a British engineering firm by means of an AI deepfake. The outcome? They stole $25 million.
Other common attack vectors include:
These attacks require access to sensitive information such as:
So, how can you defend against lateral movement attacks? In most cases, the standard cybersecurity controls and best practices can help your organization protect against activities the lateral movement discovery and execution phase.
Consider the following security strategies:
Since the lateral movement appears at a later stage of the cyber kill chain, the good news is that business organizations can equip their users to defend against lateral movement attacks before they begin.
Empower them with the knowledge and discipline to avoid spear phishing attacks:
Segment and isolate sensitive network locations and protect them with elevated access controls.
Employ deception techniques to lure malicious threat actors. Honeypots can be deployed as fake assets and potential targets for actors engaging in lateral movement activities. Trigger alerts when a user attempts to exploit them and automate control actions against the compromised user accounts.
(Related reading: intrusion detection systems & intrusion prevention systems.)
It may be possible that malicious actors hide behind legitimate computing requests. By analyzing user access patterns based on contextual information — such as the past activities of the user and relevant environment variables — you can assign a threat score to computing requests that may appear legitimate.
For example, a compromised user account may be used to exfiltrate just enough data to remain undetected by an intrusion detection and prevention system, but the actual actions may be highly irregular for the particular user account in question.
Therefore, it is important to establish monitoring and observability for real-time and proactive detection.
No cybersecurity tool is 100% secure: that’s impossible. Vulnerabilities and zero-day exploits can render sophisticated security measures ineffective against lateral movement attacks.
However, you can employ a strict zero trust security strategy that allows, for every user, only the bare minimum access privileges required to perform their assigned job tasks. This is also called the principle of least privilege and is a part of an extensive zero-trust security policy that assigns the same principles to users, technologies and processes.
Splunk is a leader in both observability and cybersecurity, with our unified platform. Learn more and explore Splunk solutions.
Already use Splunk solutions? These resources will certainly help:
See an error or have a suggestion? Please let us know by emailing [email protected].
This posting does not necessarily represent Splunk's position, strategies or opinion.
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.