PEAK Threat Hunting Framework
Hunt smarter, right now. Download The PEAK Framework for free.
What Is Lateral Movement?
A common cybersecurity threat, “lateral movement” refers to the process of exploring an infected network for potential vulnerabilities to exploit.
Lateral movement comes after the discovery phase of a hacker or threat actor’s cyberattack journey. In the lateral movement phase, the adversary has already gained access to a target network — but not yet reached their intended target.
The goal of lateral movement is to discover vulnerable assets and processes that can help the adversary to:
- Acquire escalated access privileges to the system.
- Deliver a malicious payload to a target server, reachable only with certain access rights.
Let’s take a deep dive into this nefarious activity.
The lateral movement threat today
Of the many tactics, techniques, and procedures (TTPs) that adversaries can use, lateral movement is very common. In fact, research finds lateral movement happens in approximately 25% — a quarter! — of all cyberattacks.
This highlights a stark image of the state of cybersecurity, particularly in the enterprise IT segment. It appears that a majority of threat vectors involve both social engineering and a human element that is capable of network intrusion. Malicious actors may exploit human vulnerabilities: lacking enough security awareness, unintentionally falling prey to social engineering attacks, or both.
This entry point opens the path to lateral movement in many ways.
Lateral movement phases
The idea behind lateral movement is simple: access a network, discover the inner workings of its authorization controls and processes, then inject a malicious payload to acquire elevated access privileges to further compromise the target systems.
These are summarized in three stages of the cyberattack kill chain:
- Step 1. Reconnaissance: Malicious actors observe the inner workings of the network. This includes how users access information and the processes established to enforce access controls.
- Step 2. Escalating their privileges: The adversary uses social engineering techniques to trick users into sharing sensitive information, such as login credentials from a higher tier user account.
- Step 3. Gaining access: Finally, the adversary compromises target hosts while keeping under the radar. At this point, the threat actors have already bypassed the access controls — but proper security measures may prevent them from exfiltrating data. Cybercriminals may employ botnets and ransomware techniques to compromise target networks, which may render traditional security measures ineffective against the threats originating from the internal network.
Cyber Kill Chain®, Lockheed Martin (Image source)
Lateral movement techniques & examples
The most common approach is an extension of the social engineering ploy: in the form of an internal spear phishing attack. Consider the case where the threat actors have already compromised a user account. They could, in this order:
- Impersonate a legitimate employee via internal email, messaging, and other tools.
- Talk their way to other employees/system users with elevated access.
- Convince those users to click on a malicious link, which downloads the payload to servers with higher access control restrictions.
In the age of Artificial Intelligence, this can be achieved in creative ways. In May 2024, malicious actors posed as a chief financial officer (CFO) of a British engineering firm by means of an AI deepfake. The outcome? They stole $25 million.
Other common attack vectors include:
- SSH hijacking
- Remote service exploitation
- Pass the Hash (PtH) attacks
- Pass the Ticket (PtT) attacks
These attacks require access to sensitive information such as:
- Configuration files
- Algorithms
- User credentials
- Authentication protocols, such as Kerberos
How to defend against lateral movement attacks
So, how can you defend against lateral movement attacks? In most cases, the standard cybersecurity controls and best practices can help your organization protect against activities the lateral movement discovery and execution phase.
Consider the following security strategies:
Train & build awareness against social engineering
Since the lateral movement appears at a later stage of the cyber kill chain, the good news is that business organizations can equip their users to defend against lateral movement attacks before they begin.
Empower them with the knowledge and discipline to avoid spear phishing attacks:
- Do not click links or run files that appear malicious.
- Use strong login credentials.
- Err on the side of caution — even when communicating with colleagues.
Intrusion detection and prevention techniques
Segment and isolate sensitive network locations and protect them with elevated access controls.
Employ deception techniques to lure malicious threat actors. Honeypots can be deployed as fake assets and potential targets for actors engaging in lateral movement activities. Trigger alerts when a user attempts to exploit them and automate control actions against the compromised user accounts.
(Related reading: intrusion detection systems & intrusion prevention systems.)
Behavioral analytics and access patterns
It may be possible that malicious actors hide behind legitimate computing requests. By analyzing user access patterns based on contextual information — such as the past activities of the user and relevant environment variables — you can assign a threat score to computing requests that may appear legitimate.
For example, a compromised user account may be used to exfiltrate just enough data to remain undetected by an intrusion detection and prevention system, but the actual actions may be highly irregular for the particular user account in question.
Therefore, it is important to establish monitoring and observability for real-time and proactive detection.
Zero trust security measures
No cybersecurity tool is 100% secure: that’s impossible. Vulnerabilities and zero-day exploits can render sophisticated security measures ineffective against lateral movement attacks.
However, you can employ a strict zero trust security strategy that allows, for every user, only the bare minimum access privileges required to perform their assigned job tasks. This is also called the principle of least privilege and is a part of an extensive zero-trust security policy that assigns the same principles to users, technologies and processes.
Detect & prevent lateral movement with Splunk
Splunk is a leader in both observability and cybersecurity, with our unified platform. Learn more and explore Splunk solutions.
Already use Splunk solutions? These resources will certainly help:
See an error or have a suggestion? Please let us know by emailing ssg-blogs@splunk.com.
This posting does not necessarily represent Splunk's position, strategies or opinion.
Related Articles
About Splunk
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.
Subscribe to our blog
Get the latest articles from Splunk straight to your inbox.
Connect with Splunk on X
Follow @Splunk
