
Lateral Movement in Cybersecurity: A Guide for Defenders

By Juan Carlos Vázquez - Acalvio Technologies, Inc
Sales Director

Fri, 10/03/2025 - 06:00

Gaining access to a single system is rarely a cyber attacker's ultimate goal. Once inside a network, attackers will almost always need to move beyond that initial foothold to maintain persistence, conduct reconnaissance, and look for ways to escalate their privileges. They will look for credentials to steal, files to infect, vulnerabilities to exploit, and attack paths that provide access to their ultimate targets.

Adversaries continue to become faster, smarter, and more elusive. According to the "CrowdStrike 2025 Global Threat Report," the average eCrime breakout time — the time it takes for an adversary to move from an initially compromised host to another within the target organization — was 48 minutes in 2024, down from 62 minutes the previous year. The fastest recorded breakout time? Just 51 seconds.

Nine out of 10 ransomware attacks involve lateral movement, which shows the depth of the problem. High-profile breaches weren't isolated incidents; nearly every major breach now involves this tactic, and preventing it early must be one of any organization's top priorities.

Lateral Movement and Active Directory

Lateral movement broadly refers to an attacker's activity within the network after penetrating perimeter defenses, using various tactics, techniques, and procedures (TTPs). Today's organizations must understand these TTPs and ensure their controls are effective across local, remote, and cloud attack surfaces. The ATT&CK framework, developed by MITRE, is a valuable reference for understanding attackers' techniques and tactics: it helps organizations identify security gaps and the controls they can use to address them.

It's important to consider the role played by both endpoint protection and identity protection and how these security tools work together. Active Directory (AD) is often co-owned by multiple departments, and organizational complexity can leave this critical and highly vulnerable application without adequate protection. Incorporating AD into a lateral movement program should be a priority; after all, if attackers can compromise AD, it's clearly game over for the defender.

Today, attacks are also escalating from the on-prem AD surface to the cloud! The problem is becoming more complex, and rapid correlation of events is required to detect, in time, the steps we know will follow.

Stages of Lateral Movement

The first stage prior to lateral movement is reconnaissance. As the name suggests, this is the stage in which attackers explore the areas of the network they have access to, identify vulnerabilities, and search for critical assets. This activity helps attackers understand organizational data, such as host naming conventions and network hierarchies, and helps them locate valuable information and systems.

Attackers often use tools such as Netstat, net, and PowerShell to get the lay of the land within the network and determine its defenses. Because these are legitimate, built-in tools, their use can be difficult for defenders to detect; this approach is often referred to as “Living off the Land (LotL)” attacks or tools. Other cyber actors use tools such as AdFind or BloodHound for the same purpose. Effective reconnaissance helps attackers better plan their movements.
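Detection logic for the reconnaissance stage described above, as an added example that is not part of the original article or of any Acalvio product. It assumes Windows Security event 4688 (process creation) records that a log forwarder has normalized to JSON lines with the constructed field names ts, host, user, image and cmdline; the tool names are the ones the article lists, while the technique labels, the 10-minute window and the threshold of three distinct techniques are assumptions to tune per environment. The point, in line with technique-based rather than signature-based detection, is that no single command is flagged: the alert fires only when one host shows several distinct discovery techniques in a short window.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of event 4688 records as a forwarder might emit them. Not real telemetry.
SAMPLE_EVENTS = r"""
{"ts": "2025-10-03T06:00:01Z", "host": "WKS-014", "user": "jdoe", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net group /domain"}
{"ts": "2025-10-03T06:00:40Z", "host": "WKS-014", "user": "jdoe", "image": "C:\\Windows\\System32\\NETSTAT.EXE", "cmdline": "netstat -ano"}
{"ts": "2025-10-03T06:02:15Z", "host": "WKS-014", "user": "jdoe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell -c Get-ADComputer -Filter *"}
{"ts": "2025-10-03T06:03:02Z", "host": "WKS-014", "user": "jdoe", "image": "C:\\Users\\jdoe\\Downloads\\AdFind.exe", "cmdline": "AdFind.exe -f objectcategory=computer"}
{"ts": "2025-10-03T06:05:00Z", "host": "WKS-022", "user": "helpdesk", "image": "C:\\Windows\\System32\\NETSTAT.EXE", "cmdline": "netstat -an"}
{"ts": "2025-10-03T07:30:00Z", "host": "WKS-022", "user": "helpdesk", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net use"}
"""

# Discovery techniques this detector recognizes (labels are assumptions). Each regex is
# matched against "<image basename> <command line>".
DISCOVERY_PATTERNS = [
    ("domain-group-enum",  re.compile(r"^net1?\.exe .*\bgroup\b.*/domain", re.I)),
    ("domain-user-enum",   re.compile(r"^net1?\.exe .*\buser\b.*/domain", re.I)),
    ("net-connections",    re.compile(r"^netstat\.exe", re.I)),
    ("ps-ad-query",        re.compile(r"^powershell\.exe .*\bGet-AD(User|Computer|Group)\b", re.I)),
    ("adfind-ldap-enum",   re.compile(r"^adfind\.exe", re.I)),
    ("bloodhound-collect", re.compile(r"^(sharphound|bloodhound)\.exe", re.I)),
]


def parse_events(text):
    """Parse JSON lines into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def classify(event):
    """Return the discovery technique label for one process-creation event, or None."""
    basename = event["image"].rsplit("\\", 1)[-1]
    haystack = f"{basename} {event['cmdline']}"
    for label, pattern in DISCOVERY_PATTERNS:
        if pattern.search(haystack):
            return label
    return None


def find_recon_bursts(events, window=timedelta(minutes=10), min_techniques=3):
    """Return {host: sorted technique labels} for every host on which at least
    `min_techniques` distinct discovery techniques were seen inside one sliding `window`.
    A lone 'netstat' by an administrator never reaches the threshold; a sequence of
    distinct enumeration steps does."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        label = classify(ev)
        if label:
            by_host[ev["host"]].append((ev["ts"], label))
    alerts = {}
    for host, hits in by_host.items():
        for i, (start, _) in enumerate(hits):
            seen = {lbl for ts, lbl in hits[i:] if ts - start <= window}
            if len(seen) >= min_techniques:
                alerts[host] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for host, techniques in find_recon_bursts(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {host}: discovery burst using {', '.join(techniques)}")
```

On the constructed sample, WKS-014 is flagged with four distinct techniques inside three minutes, while WKS-022 (one netstat and an unrelated net use, ninety minutes apart) stays quiet. The same scoring idea extends to the AD query alerting discussed later in the article: feed LDAP query logs through the same window-and-distinct-technique logic instead of matching single queries.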

The typical next stage involves credential misuse. Valid credentials are gold for attackers. For the fifth year in a row, Gartner reports that the No. 1 cause of cybersecurity breaches is, yet again, stolen credentials. Attackers are using your front door! They don't hack; they log in. This is where Threat Intelligence Platforms play a critical role in preemptive cyber defense, identifying compromised accounts already circulating in some forum or market. Eliminating standing privileges, maintaining good identity security posture management, and securing access where attackers strike most often are musts in any security architecture and identity security program.

Social engineering tactics such as phishing and business email compromise (BEC) attacks, including those that deploy keyloggers, are typical ways attackers covertly obtain valid credentials, although they are far from the only methods. Using valid credentials is an excellent way for attackers to move within the network without raising any alarms.

In that sense, Microsoft reported that these targeted attacks against its customers nearly tripled in the one-year period ending in June 2024, and that approximately 8 out of 10 human-operated ransomware incidents began with an identity compromise.

The adversary's playbook also includes privilege escalation. Attackers want to exploit the AD by discovering its resources on the network and gaining privileges that allow them to change security controls and remain hidden. Ultimately, attackers want to escalate their privileges to administrator status, which typically means compromising the AD. If the attacker can compromise the enterprise directory service, they essentially have the keys to the kingdom, and it's ultimately difficult to remove them from the network.

Suppose an attacker has been able to perform reconnaissance, gain access to credentials, and escalate their privileges. In that case, they will likely repeat the process on multiple hosts until they find what they are looking for: user data, financial information, intellectual property, or other assets. Without strong network security, attackers can search for valuable data indefinitely. Stopping this behavior is possible and becomes somewhat more manageable when organizations use "technique-based detection" rather than relying solely on pattern matching or identifying signatures.

Lateral Movement Detection

Active Directory is notoriously difficult to secure, and “red teams” in their security exercises often point out that they can compromise it almost 100% of the time, which means attackers can do it too.

Recent incidents underscore the fact that it is impossible to stop all attacks, so it is critical to have a plan for what happens once an attacker is inside the network. Organizations must visualize potential attack paths and identify exposed and compromised credentials, permissions, and rights, because attackers will exploit them. Visibility into attack paths can also help defenders anticipate attackers' actions and automate some aspects of defense, such as knowing where credentials are stored and which assets are being targeted. This problem, which has grown since the pandemic, has led to the creation of acronyms such as ITDR (Identity Threat Detection and Response) and ISPM (Identity Security Posture Management) in the search for comprehensive security of the Active Directory surface.

Another preemptive cyber defense measure with a major impact, cyber deception, can go a long way here. Detecting lateral movement isn't just about identifying and fixing vulnerabilities; defenders can also cloak or hide real credentials, AD objects, and the files that attackers are looking for. Hiding production assets and feeding false information to attack tools distracts attackers from their original objective. Furthermore, cyber deception based on fake credentials and other decoy assets designed to look authentic tricks attackers into interacting with them and revealing their presence. Once an attacker has engaged with this fake surface, defenders can safely study and gather information about the attacker's intentions. The attacker, meanwhile, remains blissfully unaware that the environment they are in isn't real. Early detection is the main goal, and it reduces the adversary's dwell time.

Endpoint-level deception techniques are essential, as an attacker won't magically fall into a network trap. You can have a network flooded with traps, but I assure you that the attacker will successfully achieve their objective without touching a single one.

This tactic is especially valuable when it comes to securing the AD. Log and event management using SIEM tools provides incomplete information and represents a reactive rather than a proactive approach to security in these scenarios. Hiding critical AD objects, such as privileged accounts, domain controllers, and local administrator accounts, can potentially prevent attackers from extracting the information needed to elevate their privileges and escalate their attacks.

Effective alerting on unauthorized or suspicious AD queries surfaces activity from the attacker's point of view, limiting their progress and the damage they can do. This also strengthens a "zero trust" strategy that limits access to only trusted or validated applications for specific data within the user's context.

The importance of deception technology in both the endpoint and network security reference architectures was highlighted and endorsed by Gartner during 2024.

From an endpoint perspective, deception technology is designed for “peri-execution” attack detection: the reference architecture lists it among the peri-execution techniques meant to block unwanted actions upon execution. The simplest way to implement this is with honeytokens and honey accounts.
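Alerting on honey account use, as an added example that is not part of the original article or of any vendor's product. It assumes a handful of decoy AD accounts (the names here are constructed), authentication events normalized to JSON lines with the assumed field names ts, event_id, account, src_ip and status, and an allowlist holding only the deception platform's own refresh job, which is assumed to authenticate as the decoys periodically so they look alive. Because no legitimate workflow ever uses a decoy, one event is enough to alert; the code also records whether the planted credential actually worked and escalates any source that touches more than one decoy.

```python
import json
from datetime import datetime

# Constructed decoy (honey) account names. A real deployment picks names that blend in
# with the organization's own naming convention.
HONEY_ACCOUNTS = {"svc_backup_adm", "it-helpdesk2", "sql_svc_old"}

# Assumed: the only source allowed to authenticate as a decoy is the deception
# platform's refresh job, which keeps the decoys' logon timestamps looking current.
MAINTENANCE_SOURCES = {"10.10.5.250"}

# Constructed authentication events: Kerberos TGT request (4768), failed logon (4625)
# and successful logon (4624). Status 0x18 is KDC_ERR_PREAUTH_FAILED (wrong password);
# 0xc000006d is STATUS_LOGON_FAILURE; 0x0 means the authentication succeeded.
SAMPLE_EVENTS = """
{"ts": "2025-10-03T06:10:02Z", "event_id": 4768, "account": "jdoe", "src_ip": "10.10.20.14", "status": "0x0"}
{"ts": "2025-10-03T06:11:47Z", "event_id": 4768, "account": "svc_backup_adm", "src_ip": "10.10.20.14", "status": "0x18"}
{"ts": "2025-10-03T06:11:48Z", "event_id": 4625, "account": "svc_backup_adm", "src_ip": "10.10.20.14", "status": "0xc000006d"}
{"ts": "2025-10-03T06:12:01Z", "event_id": 4624, "account": "IT-Helpdesk2", "src_ip": "10.10.20.14", "status": "0x0"}
{"ts": "2025-10-03T06:30:00Z", "event_id": 4624, "account": "sql_svc_old", "src_ip": "10.10.5.250", "status": "0x0"}
{"ts": "2025-10-03T06:31:00Z", "event_id": 4624, "account": "helpdesk", "src_ip": "10.10.20.22", "status": "0x0"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_honey_account_use(events):
    """One alert per (decoy account, source) pair, ordered by first sighting.
    'outcome' tells the responder whether the planted credential worked ("succeeded")
    or the actor only knew the account name ("failed")."""
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct = ev["account"].lower()
        if acct not in HONEY_ACCOUNTS or ev["src_ip"] in MAINTENANCE_SOURCES:
            continue
        entry = alerts.setdefault((acct, ev["src_ip"]), {
            "account": acct, "source": ev["src_ip"], "first_seen": ev["ts"],
            "event_ids": [], "outcome": "failed",
        })
        entry["event_ids"].append(ev["event_id"])
        if ev["status"] == "0x0":  # a 4624, or a 4768 that actually issued a ticket
            entry["outcome"] = "succeeded"
    return sorted(alerts.values(), key=lambda a: a["first_seen"])


def sources_touching_multiple_decoys(alerts):
    """A source reaching more than one decoy is very likely harvesting credentials
    rather than stumbling on a single stale entry: escalate it for containment."""
    per_source = {}
    for a in alerts:
        per_source.setdefault(a["source"], set()).add(a["account"])
    return sorted(src for src, accts in per_source.items() if len(accts) > 1)


if __name__ == "__main__":
    found = detect_honey_account_use(parse_events(SAMPLE_EVENTS))
    for a in found:
        print(f"ALERT decoy {a['account']} used from {a['source']} ({a['outcome']}, events {a['event_ids']})")
    for src in sources_touching_multiple_decoys(found):
        print(f"ESCALATE {src}: touched multiple decoys")
```

On the constructed sample, the refresh job's logon as sql_svc_old is ignored, the two decoys touched from 10.10.20.14 each raise an alert, and that source is escalated because it reached more than one decoy; the failed pre-authentication on svc_backup_adm shows the actor had the account name but not the planted password. Account names are compared case-insensitively because Windows logs them in whatever case the client supplied.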

From the network perspective, deception is deployed to monitor and respond to a network intrusion. In particular, cyber deception technology detects lateral movement as the attacker moves from a compromised endpoint toward a deceptive network artifact.

Focus on Lateral Movement

Lateral movement detection remains a critical but neglected area of security. The message that organizations must shift their focus from perimeter protection to network-based defenses is not new; it is critical that they be able to prevent and detect these movements early.

It is essential to understand that lateral movement is not just one phase of an intrusion; for comprehensive protection, defenders need the ability to detect credential misuse and attacks on the AD. A security program without network-based detection is like a house without beams to support its interior: it may appear stable from the outside, but sooner or later, it is likely to collapse.
