What is lateral movement?

Network lateral movement, or lateral movement, refers to the techniques cyberattackers use to move through a network after an initial foothold has been gained. Lateral movement allows the cybercriminal to move deeper into the compromised environment to locate sensitive data and access privileged information.

After gaining access to the system, the cybercriminal impersonates an authorized user and moves throughout the network to achieve their objective. The attacker gathers information across multiple operating systems and accounts, obtains credentials, and gains access to unauthorized areas.

The stages of lateral movement

When detecting lateral movement, consider these three main steps:

  • Reconnaissance. At the beginning of the breach, the attacker surveys the scene by exploring the network and gathering information on the network’s layout and its users. After the attacker has identified the critical areas they want to reach, they gather the credentials that will allow entry.
  • Credential/privilege gathering. The next step is credential dumping, the act of stealing credentials that grant access to other parts of the network. Common tactics for obtaining login credentials include phishing attacks and the use of keylogging tools.
  • Gaining further access. Once the cyberattacker has infiltrated the network with stolen credentials, they can perform internal reconnaissance and dive deeper into the environment. They continue navigating from host to host until they achieve their end goal.

Once an attacker is inside a network, lateral movement can be hard to pinpoint, because a human attacker using valid credentials can disguise their activity as that of a regular employee and avoid detection. It is vital to locate and remove cybercriminals quickly to mitigate any damage and avoid unnecessary costs.
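Because lateral movement rides on valid credentials, one signal defenders look for is an account that successfully authenticates to many distinct hosts from a single source in a short window, which is unusual for a regular employee but typical of the "gaining further access" stage described above. The following is an added example written for this page, not Armis code and not a description of the Armis product; it runs a simple sliding-window fan-out heuristic over a handful of constructed authentication log lines (the hostnames, users and log format are all hypothetical).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical users, hostnames and format; not real data).
# "alice" shows ordinary behaviour: two servers over a workday.
# "svc-backup" shows a fan-out: one account reaching five hosts from a
# user workstation within a few minutes, late at night.
SAMPLE_LOG = """\
2024-05-01T09:00:12 user=alice src=WS-ALICE dst=FS-01 result=success
2024-05-01T09:15:40 user=alice src=WS-ALICE dst=MAIL-01 result=success
2024-05-01T13:02:05 user=alice src=WS-ALICE dst=FS-01 result=success
2024-05-01T22:10:01 user=svc-backup src=WS-ALICE dst=FS-01 result=success
2024-05-01T22:10:33 user=svc-backup src=WS-ALICE dst=FS-02 result=success
2024-05-01T22:11:02 user=svc-backup src=WS-ALICE dst=HR-DB-01 result=failure
2024-05-01T22:11:45 user=svc-backup src=WS-ALICE dst=HR-DB-01 result=success
2024-05-01T22:12:20 user=svc-backup src=WS-ALICE dst=DC-01 result=success
2024-05-01T22:13:07 user=svc-backup src=WS-ALICE dst=BUILD-01 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the constructed key=value log format into a list of event dicts.
    Malformed lines are skipped rather than aborting the whole run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "src": m["src"],
            "dst": m["dst"],
            "result": m["result"],
        })
    return events


def detect_fanout(events, window=timedelta(minutes=10), min_hosts=4):
    """Flag (user, source host) pairs that successfully authenticate to at least
    `min_hosts` distinct destinations within any sliding window of length `window`.
    Keying on the source host as well as the user points triage at the pivot machine."""
    by_key = defaultdict(list)
    for e in events:
        if e["result"] == "success":  # failed attempts are a separate signal; ignore here
            by_key[(e["user"], e["src"])].append(e)

    alerts = []
    for (user, src), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["dst"] for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.append({
                    "user": user,
                    "src": src,
                    "window_start": evs[start]["ts"],
                    "hosts": sorted(hosts),
                })
                break  # one alert per account/source pair is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(parse_log(SAMPLE_LOG)):
        print(f"{alert['user']} from {alert['src']} reached "
              f"{len(alert['hosts'])} hosts starting {alert['window_start']}: {alert['hosts']}")
```

The threshold and window are deliberately conservative defaults; in practice they are tuned per environment so that administrators and legitimate service accounts, which do touch many hosts, are baselined rather than alerted on every day.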

How Armis detects threats

Concerned about threat actors moving throughout your IT systems? Learn more about Armis and how our security solution passively monitors managed and unmanaged devices on your network to protect enterprises from cyber threats and prevent lateral movement.