When an attacker gains initial access to your network, the breach is only the beginning. To reach sensitive systems and data, hackers rely on lateral movement to venture deeper into your network, escalate privileges, and expand the attack surface.
If you prevent lateral movement, every breach doesn’t have to spell disaster. We’ll explore the most common lateral movement techniques and offer tips to cut off attackers’ pathways in real time.
What Are Lateral Movement Techniques?
Lateral movement techniques are the methods cyber attackers use to move through a network after gaining initial access. These tactics help them:
- Deploy persistence mechanisms to maintain access
- Escalate privileges
- Discover new systems and credentials
- Reach high-value targets (like domain controllers or sensitive databases)
Lateral movement is so pervasive that the MITRE ATT&CK framework classifies it as one of the core tactics used in modern cyberattacks. While a hacker may gain access to the network from phishing or compromised credentials, lateral movement techniques are how hackers turn an initial breach into an expansive attack.
Common Lateral Movement Techniques
Though cyber threats are constantly evolving, many common lateral movement techniques fall into categories like:
- Session hijacking: Attackers take control of existing sessions with remote services
- Remote services: Using valid accounts, attackers log into services that accept remote connections and perform actions as the logged-on user
- Alternate authentication: Attackers bypass normal controls through the use of materials like password hashes, access tokens, and Kerberos tickets
Other lateral movement techniques fall outside of these groups but can prove equally destructive. And in fact, attackers rarely rely on a single technique; instead, they often string tactics together to stay undetected and maintain momentum.
Living off the Land (LotL)
With this technique, attackers move laterally using built-in utilities like PowerShell, PsExec, or Windows Management Instrumentation (WMI) instead of deploying external tools. Because these tools are part of the operating system, their use blends in with regular network traffic.
Exploiting Weak Passwords
Simple or reused passwords make it easy for hackers to guess, brute-force, or reuse credentials across multiple systems. Once they access one asset, attackers often use those same credentials to pivot to others.
Pass-the-Hash (PtH) Attacks
In a PtH attack, adversaries use a hashed version of a password to authenticate without decrypting it. This technique is especially effective in environments that use NTLM and lack proper segmentation or identity enforcement.
Pass-the-Ticket (PtT) Attacks
Common in Active Directory environments, PtT attacks use stolen Kerberos tickets to impersonate users and access systems without needing passwords, enabling access to sensitive internal services. In a Golden Ticket attack, the ticket-granting ticket (TGT) is stolen, allowing attackers to impersonate any user; Silver Ticket attacks steal service tickets, which enable more limited authentication.
Internal Spear Phishing
After gaining access to an account, attackers send convincing phishing emails from within the organization to carry out this lateral movement technique. This tactic is more likely to succeed due to the internal sender and known context.
Kerberoasting
This technique involves requesting service tickets for accounts with access to a particular service and attempting to crack them offline. Service accounts with weak passwords are frequent targets, especially when they hold administrative privileges. Kerberoasting is stealthier than a PtT attack since it doesn’t generate unusual network activity.
Credential Dumping
Credential dumping extracts usernames, password hashes, or plaintext credentials from memory, local files, or the registry. The credentials are then used in other lateral movement techniques, such as PtH attacks, PtT attacks, or RDP login attempts.
Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM)
Two examples of remote services exploitation, RDP and WinRM attacks use stolen credentials to remotely access systems and perform actions as the logged-on user. Without strong controls like MFA, this movement can remain undetected for long periods.
Server Message Block (SMB)
Another technique involving remote services, this method allows attackers to interact with a remote network share by logging in with stolen credentials. Since the SMB protocol is primarily used to access files, printers, and serial ports, it’s an easy way for attackers to move laterally through a network.
SSH Hijacking
Attackers can hijack active SSH sessions to gain the same access held by the original user and remotely execute commands on a system. Because it leverages a legitimate user’s existing SSH session to move laterally, this technique often allows adversaries to go undetected.
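As an added example (not the article's or Zero Networks' code), the following Python module runs a handful of heuristic detections over Windows event records for several of the techniques described above: one account performing NTLM network logons to many hosts (the pass-the-hash and credential-reuse pattern), one account requesting RC4 service tickets for many service accounts (the Kerberoasting pattern), RDP logons that did not come from an approved jump host, and the service that PsExec installs when it is used for living off the land. The event records, thresholds and jump-host list are constructed assumptions; the event IDs and field names follow the Windows Security and System logs.

```python
"""Heuristic lateral-movement detections over Windows event records.

Added example for this article, not Zero Networks code. The records below are
constructed; their event IDs and field names follow the Windows Security and
System logs (4624 logon, 4769 Kerberos service-ticket request, 7045 service
installed), while the thresholds and allow-lists are assumptions to tune.
"""
from collections import defaultdict

ALLOWED_RDP_SOURCES = {"10.0.0.5"}   # assumed jump host(s) permitted to start RDP sessions
KERBEROAST_THRESHOLD = 3             # distinct RC4 service tickets per account per batch
NTLM_FANOUT_THRESHOLD = 3            # distinct hosts reached over NTLM per account per batch


def logon(computer, user, logon_type, package, ip):
    """Build a simplified 4624 (successful logon) record."""
    return {"EventID": 4624, "Computer": computer, "TargetUserName": user,
            "LogonType": logon_type, "AuthenticationPackageName": package, "IpAddress": ip}


def tgs_request(requester, service, enc_type, ip):
    """Build a simplified 4769 (Kerberos service ticket requested) record."""
    return {"EventID": 4769, "Computer": "DC01", "TargetUserName": requester,
            "ServiceName": service, "TicketEncryptionType": enc_type, "IpAddress": ip}


# Constructed batch: benign noise plus one compromised workstation (10.0.1.77).
EVENTS = [
    logon("FS01", "alice", 3, "Kerberos", "10.0.1.20"),             # normal file-share access
    logon("FS01", "svc_backup", 3, "NTLM", "10.0.1.77"),            # NTLM network logons from one
    logon("WS-042", "svc_backup", 3, "NTLM", "10.0.1.77"),          # account to many hosts: the
    logon("DB02", "svc_backup", 3, "NTLM", "10.0.1.77"),            # pass-the-hash / reuse pattern
    tgs_request("bob@CORP.LOCAL", "svc_sql", "0x17", "10.0.1.77"),  # RC4 tickets for several
    tgs_request("bob@CORP.LOCAL", "svc_web", "0x17", "10.0.1.77"),  # user service accounts:
    tgs_request("bob@CORP.LOCAL", "svc_ci", "0x17", "10.0.1.77"),   # the Kerberoasting pattern
    tgs_request("bob@CORP.LOCAL", "FS01$", "0x17", "10.0.1.77"),    # machine account: not crackable
    tgs_request("alice@CORP.LOCAL", "svc_sql", "0x12", "10.0.1.20"),  # AES ticket: normal
    logon("DB02", "svc_backup", 10, "Negotiate", "10.0.1.77"),      # RDP from a non-jump host
    logon("DB02", "admin_jane", 10, "Negotiate", "10.0.0.5"),       # RDP from the jump host
    {"EventID": 7045, "Computer": "DB02", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},                    # PsExec service install
]


def detect_ntlm_fanout(events):
    """One user account reaching many hosts over NTLM network logons (type 3)."""
    hosts = defaultdict(set)
    for e in events:
        if (e["EventID"] == 4624 and e["LogonType"] == 3
                and e["AuthenticationPackageName"] == "NTLM"
                and not e["TargetUserName"].endswith("$")):   # ignore machine accounts
            hosts[e["TargetUserName"]].add(e["Computer"])
    return [{"rule": "ntlm_fanout", "entity": user, "hosts": sorted(h)}
            for user, h in hosts.items() if len(h) >= NTLM_FANOUT_THRESHOLD]


def detect_kerberoast(events):
    """One account requesting RC4 (0x17) service tickets for many user service accounts."""
    services = defaultdict(set)
    for e in events:
        if e["EventID"] == 4769 and e["TicketEncryptionType"] == "0x17":
            svc = e["ServiceName"]
            if svc.endswith("$") or svc == "krbtgt":   # machine accounts and the KDC are not targets
                continue
            services[e["TargetUserName"]].add(svc)
    return [{"rule": "kerberoast", "entity": user, "services": sorted(s)}
            for user, s in services.items() if len(s) >= KERBEROAST_THRESHOLD]


def detect_rdp_from_unexpected_source(events):
    """RDP logon (type 10) that did not originate from an approved jump host."""
    return [{"rule": "rdp_unexpected_source", "entity": e["TargetUserName"],
             "source": e["IpAddress"], "target": e["Computer"]}
            for e in events
            if e["EventID"] == 4624 and e["LogonType"] == 10
            and e["IpAddress"] not in ALLOWED_RDP_SOURCES]


def detect_psexec_service(events):
    """PsExec leaves a service-install record (7045) carrying its well-known service name."""
    return [{"rule": "psexec_service", "entity": e["Computer"], "image": e["ImagePath"]}
            for e in events
            if e["EventID"] == 7045
            and "psexesvc" in (e["ServiceName"] + e["ImagePath"]).lower()]


RULES = (detect_ntlm_fanout, detect_kerberoast,
         detect_rdp_from_unexpected_source, detect_psexec_service)


def detect(events):
    """Run every rule over one batch of events and collect the alerts."""
    alerts = []
    for rule in RULES:
        alerts.extend(rule(events))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Run as-is, the constructed batch yields four alerts, one per rule. In a real deployment the thresholds are tuned against a baseline and the rules run over a sliding time window rather than a single batch. Each rule fires only after a logon, ticket request or service install has already happened, which is exactly the limitation the next section discusses: these detections narrow the investigation, they do not close the path.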
Lateral Movement Protection: Why Detection-only Strategies Fall Short
Many organizations rely on tools like endpoint detection and response (EDR) systems or security information and event management (SIEM) platforms to detect lateral movement. While detection is important, it’s an incomplete strategy for locking down lateral movement. According to António Vasconcelos, Customer Engineer at Zero Networks, “These are all areas of detection after the fact. There is naturally a lot of effort in preempting things, but ultimately it will require some form of action to get to the point where an alert is issued ... Visibility provides ways of understanding possible attack vectors and paths that organizations need to invest in to bolster security; unfortunately, more often than not, organizations don't have such a strategy defined, where detection is part of a cycle of continuous learning and improvement.”
Once attackers are inside a network and moving laterally, the window to contain them narrows quickly – detection often takes too long to prevent damage. Attackers typically begin moving laterally within 30 minutes of initial compromise, and with so many lateral movement techniques involving native tools or valid accounts, malicious behavior can be hard to distinguish from legitimate activity. Instead of relying solely on detection, organizations must also find ways to prevent lateral movement entirely.
How to Block Lateral Movement Techniques in Real Time
Patching entry points won’t effectively prevent lateral movement; to block attackers’ favorite techniques, organizations have to eliminate the internal pathways attackers rely on. The most effective strategies combine network segmentation, identity controls, and real-time access enforcement.
Key approaches to eliminating lateral movement include:
- Microsegmentation: Enforce least-privilege access to limit communication between systems to what’s explicitly allowed, isolating every asset to leave hackers stranded.
- Multi-factor authentication: Apply MFA to privileged ports and services inside the network, making lateral movement techniques that rely on stolen credentials irrelevant.
- Identity-based access controls: Grant access based on verified identity and purpose, not just IP address or location.
- Automated policy management: Leverage automation-enabled solutions to dynamically generate rules based on observed behavior and continually update policies as the environment evolves.
Even if attackers manage to breach the network, measures like these cut off their pathways and lock down lateral movement.
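To make the four approaches above concrete, the following Python model (an added example, not Zero Networks' product or policy format) evaluates network flows against a default-deny rule set in which every rule is bound to a source, destination, port and verified identity. Standing rules are learned from an approved baseline of observed flows, administrative ports are reachable only through a just-in-time rule that requires MFA and expires on its own, and a flat default-allow policy is evaluated alongside it for contrast. The asset names, users, the set of ports treated as privileged and the one-hour rule lifetime are assumptions, and the MFA outcome is passed in as a flag in place of a real identity-provider check.

```python
"""Default-deny segmentation with just-in-time, MFA-gated access to admin ports.

Added example for this article, not Zero Networks code or its policy format.
Hosts, users, ports and lifetimes are constructed assumptions; the MFA result
is supplied as a flag where a real deployment would consult an identity provider.
"""
from dataclasses import dataclass, field
from typing import Optional

PRIVILEGED_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-HTTPS"}  # assumed admin protocols
JIT_TTL = 3600.0   # assumed lifetime, in seconds, of a rule opened after MFA


@dataclass(frozen=True)
class Rule:
    src: str                              # source asset
    dst: str                              # destination asset
    port: int
    identity: str                         # the verified identity allowed on this path
    expires_at: Optional[float] = None    # None means a standing rule


@dataclass
class Policy:
    default_allow: bool = False           # True models an unsegmented, flat network
    rules: list = field(default_factory=list)

    def allows(self, src, dst, port, identity, now):
        """A flow passes only if a matching, unexpired rule exists (or the policy is flat)."""
        if self.default_allow:
            return True
        return any(r.src == src and r.dst == dst and r.port == port and r.identity == identity
                   and (r.expires_at is None or now < r.expires_at)
                   for r in self.rules)

    def learn_from_baseline(self, observed_flows):
        """Turn observed, approved business flows into standing rules.

        Admin ports are deliberately skipped so they stay behind the MFA gate
        even if they appeared in the baseline."""
        for src, dst, port, identity in observed_flows:
            if port not in PRIVILEGED_PORTS:
                self.rules.append(Rule(src, dst, port, identity))

    def request_jit_access(self, src, dst, port, identity, mfa_passed, now):
        """Open a privileged path only after MFA, and only for a bounded time."""
        if port in PRIVILEGED_PORTS and not mfa_passed:
            return False                  # stolen credentials alone never open the path
        self.rules.append(Rule(src, dst, port, identity, expires_at=now + JIT_TTL))
        return True


def simulate():
    """Replay the same lateral-movement attempts against a flat and a segmented policy."""
    baseline = [("WS-042", "FS01", 445, "alice"),    # constructed: users reach the file server
                ("WS-042", "DC01", 88, "alice")]     # and the KDC
    flat = Policy(default_allow=True)
    segmented = Policy()
    segmented.learn_from_baseline(baseline)

    r = {}
    # 1. Compromised workstation with stolen svc_backup credentials tries SMB to the DB server.
    r["flat_smb_to_db"] = flat.allows("WS-042", "DB02", 445, "svc_backup", now=0)
    r["seg_smb_to_db"] = segmented.allows("WS-042", "DB02", 445, "svc_backup", now=0)
    # 2. The learned, legitimate file-share path still works for its identity.
    r["seg_user_fileshare"] = segmented.allows("WS-042", "FS01", 445, "alice", now=0)
    # 3. RDP with stolen credentials but no MFA: the request is refused and the path stays closed.
    r["seg_rdp_no_mfa"] = segmented.request_jit_access(
        "WS-042", "DB02", 3389, "svc_backup", mfa_passed=False, now=0)
    r["seg_rdp_no_mfa_allowed"] = segmented.allows("WS-042", "DB02", 3389, "svc_backup", now=1)
    # 4. An admin on the jump host completes MFA: RDP opens for a while, then expires.
    segmented.request_jit_access("JUMP01", "DB02", 3389, "admin_jane", mfa_passed=True, now=100)
    r["seg_rdp_mfa_open"] = segmented.allows("JUMP01", "DB02", 3389, "admin_jane", now=200)
    r["seg_rdp_mfa_expired"] = segmented.allows("JUMP01", "DB02", 3389, "admin_jane",
                                                now=100 + JIT_TTL + 1)
    # 5. The opened rule is bound to its source and identity; it cannot be ridden from elsewhere.
    r["seg_rdp_rule_reuse"] = segmented.allows("WS-042", "DB02", 3389, "admin_jane", now=200)
    return r


if __name__ == "__main__":
    for name, decision in simulate().items():
        print(f"{name:24s} {'ALLOW' if decision else 'DENY'}")
```

The contrast is the point: the same stolen credentials that let the flat policy pass every flow buy nothing against the segmented one, because a credential is never sufficient on its own. Each path also needs a rule, and rules for administrative ports exist only briefly and only after MFA.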
Stop Lateral Movement Before It Starts with Zero Networks
Zero Networks turns lateral movement pathways into dead ends with effortless microsegmentation. By orchestrating native firewalls to secure every asset, applying just-in-time MFA at the network layer, and automatically enforcing adaptive policies that evolve alongside your network, Zero ends privilege escalation and maintains dynamic granular controls.
Protect your network from today’s most common lateral movement techniques while future-proofing your security strategy against new threats – try Zero to learn how.