Skip to content

What is Lateral Movement, and how to prevent it?

May 17, 2021
It is not uncommon for organizations to hear the term “Lateral Movement” after an audit result or notice they have this vulnerability after a pentest or attack simulation. But in most cases, there are no insights into these reports on how you can tackle it. 
This post will attempt to make Lateral Movement relatable and highlight how you can understand what it looks like in your environment.
Lateral Movement refers to the techniques threat actors use to identify systematically, move between, and compromise assets of value within an organization’s network.  We can simplify the process by relating the activities to physical security; in this case, a thief attempting to burgle a property.
Can an entry point, an open door, or window be identified to gain access? Is there a key left under the mat? Once entry is gained, are there any alarms or locks protecting rooms of interest; and how far can we spread throughout the building until we find something of value or get blocked from entering any more rooms?
What does Lateral Movement look like for the company? It is a tricky question to answer and does not get clearly articulated due to its complexity. So, let’s start understanding how a Breach and Attack Simulation platform can detect this attack and then move on to understanding the challenges.

How does the Lateral Movement attack work?

In practical terms and to better understand how Lateral Movement works, let’s assume that there are three main items in a house: the keys, the front door, and the windows.
By comparing it to the case of the thief (mentioned earlier in the text), we will understand what loopholes and vulnerabilities can make it easier for the criminal to move around.

The keys: tickets, tokens, credentials

The keys can resemble accounts with excessive privileges, be it a specific user account or a service account, credentials saved in plain text, browsers, or applications. Whether or not security controls will permit and detect techniques that supply threat actors the keys, including kerberoasting, responder poisoning, password spraying, etc.

The front door and moving between rooms - Network routing, ports, and protocols

Are there open ports and protocols in place that can permit Lateral Movement, and can they be used to propagate and navigate throughout the environment - and if so, how far?  Is it possible to bridge networks? Is my firewall correctly configured? Is my network segmentation working effectively?  Can someone move from our DMZ network to our production network?  If someone compromised a device via phishing in our finance department, how far could they move within our environment based on our current configurations? How long would it take to detect that behavior?

Other doors and Windows - Patching and legacy/BYOD devices

Let’s check some common questions:
  • Are we up-to-date with our patching?
  • Have we omitted to patch a device because of its role, and if so, what is the level of risk that creates?
  • How can I quantify and prioritize patching related to Lateral Movement? 
  • What exploits and vulnerabilities would allow someone to move into the network successfully?
  • What risks are posed by allowing Bring Your Own Device platforms into my networks?
  • Have I accounted for their security as well, and have I segmented out the networks they will use?
  • Are legacy systems that may not even be restricted or patched in the same way as current systems – allowing attack surfaces to be leveraged?

Building the image of Lateral Movement

After identifying these three items, it is possible to build an image of what Lateral Movement looks like in the company and prevent it. Think about the following questions:
  • Are there quick wins such as dealing with over-privileged accounts and improving firewall configurations?
  • Can we prioritize the application of patches in a given network segment that is most critical to our business? 
  • Is our Security Operation Center service capable of detecting and reacting to Lateral Movement?  
  • What can we do to improve our existing controls before we start looking at tools?

How to Prevent Lateral Movement

Continuous Security Validation platforms allow organizations to test their security controls against thousands of simulated attacks and techniques on-demand or on schedule, including Lateral Movement simulations.
Unlike traditional testing, it is not bound by scope or timeframe and provides continuous assurance and visibility into the effectiveness of your security controls, even against the latest threats.
Because of their class-leading UI and rich reporting, organizations of any size or vertical can quickly and effectively gain instant insight and identify gaps in their security controls while receiving actionable insights for full kill-chain mitigation.
The Endpoint Security module from Hivecore’s Breach and Attack Simulation platform challenges your endpoint security controls. It identifies whether they are configured and adjusted correctly to protect your company from behavioral and signature attacks.
This enables an organization to deploy and run simulations of ransomware, trojans, worms, and virus in a controlled and secure manner. In this way, the endpoint attack simulation verifies that security controls are set up correctly and protects critical company assets from the latest attack methods used by attackers.
It is also necessary to understand which assets and configurations exist in the organization’s network that can be discovered, compromised, and used by something or someone trying to move laterally (tickets, tokens, credentials, network, and routing, etc.).
The lateral movement module allows an organization to safely and continuously test its environment to see what resources are available for an attacker to move laterally and which defenses effectively prohibit an attacker from using them.
This is essential for companies to test their environment without interrupting operations. With the integration with a vulnerability scanner, the platform can identify weaknesses even more effectively.


Lateral Movement is an extensive term, and the key to understanding it is gaining visibility.  The best way to do that is using a platform that allows you to continuously test and demonstrate what Lateral Movement looks like in your organization.
Test the effectiveness of your security controls against possible cyber threats with a trial of Hivecore’s Breach And Attack Simulation platform. Learn more at 

Source: HiveCore 

Scroll To Top