Lateral movement attacks: What they are and why you should care


Hard to detect and harder to contain, lateral movement attacks start with a single device, then spread infection across a network. Their potential to compromise any connected device makes them especially dangerous. Here’s what you need to know about them.

What do WannaCry, NotPetya, and SolarWinds have in common? Aside from sounding like cool band names, they’re among the most high-profile and impactful cyberattacks of recent years. The WannaCry attack, for example, hit at least 200,000 computers globally and racked up roughly $4 billion worth of damage.

More specifically, all three breaches are examples of a type of cybercrime called a “lateral movement” attack. Lateral movement refers to the process by which hackers, having gained initial access, spread to the rest of a network.

Imagine you live in a sprawling castle with dozens of rooms, and a group of burglars has broken in through a basement window. Spreading out, the burglars tiptoe from room to room in search of valuables, including the safe where you keep your precious family heirlooms. You’ve got your trusty guard dogs on the case, but even if they discover a single thief in one room, the others can still roam the property filling their sacks with loot.

Lateral movement attacks pose analogous challenges. As the attacker moves through the various “rooms” of a network—servers, switches, endpoints, and application access, for example—they may spread malware, grab sensitive data, exploit misconfigurations, or pursue other nefarious goals. But detecting and containing such attacks is hard because, even if a security team secures one system, an attacker or malware payload may have already moved on to another.

Targets big and small

Containing lateral attacks may smack of a game of whack-a-mole where you’re constantly watching for attacks to beat down, but there’s nothing fun about the impact.

In a high-profile lateral attack on Target in 2013, attackers first gained access using the credentials of a third-party HVAC vendor, then used lateral movement to navigate the retail giant’s network and access its gateway server. The thieves eventually reached and compromised the point-of-sale (POS) systems to steal data from some 40 million credit and debit cards of shoppers. The breach reportedly cost Target $202 million, not including more than $18 million to settle claims arising from the breach.

Small- and medium-sized businesses are also at risk, especially as attackers increasingly turn to automated bots and tools to carry out lateral movement techniques. Lateral movement attacks on a small business or home can start by simply infecting a desktop computer, home Wi-Fi router, or other device with malware. Once a virus gets inside the office or home network, it can spread to every device under the same roof.

Types of lateral movement attack

A number of types of cyberattacks you’ve probably heard of use lateral movement techniques. Ransomware is a prime example. It’s a form of malware that can lock, encrypt, or even permanently delete a victim’s computer or data. The attacker can then extort payment from the owner to restore access.

Another example is cyber espionage attacks, where the cybercriminal stays hidden for an extended period to perform reconnaissance and eavesdrop on company activity.

Data exfiltration is another form of attack that often involves lateral movement. It is often performed via social engineering, malware, or hacking, and the goal is to steal confidential or sensitive information, including intellectual property or the identities of personnel.

4 stages of lateral movement

Lateral movement attacks typically follow four basic stages:

  1. Infection. Returning to our burglars-in-the-castle analogy, this is when the bad guys force entry through the basement window. In digital terms, the attacker gains initial access to an endpoint, then infects the system with malware. This is often done by exploiting human error, such as someone falling for a phishing attack, clicking on a malicious link or attachment, or connecting an infected flash drive or other external storage device to the network.
  2. Reconnaissance. Again with our burglar analogy, this is like getting an idea of how the castle is laid out and where valuables may be stored—in other words, casing the joint. Once the system is compromised, the attacker focuses on observing, exploring, and mapping the network as well as its users and devices in an effort to determine how to reach their end goal.
  3. Credential dumping. Also known as stealing login credentials, this is how the attacker begins moving laterally through the network. They can do this using software tools such as keyloggers as well as through social engineering and brute-force attacks.
  4. Gaining access. This is where the burglars find the safe and make off with the family heirlooms. In digital terms, the attacker locates and exfiltrates their target after compromising multiple hosts. The prize could be an organization’s most sensitive data (its “crown jewels”). In the Sony Pictures hack of 2014, the thieves found and leaked confidential data including emails, employee information, and unreleased films.
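
For defenders, the stages above leave a trace: one stolen login suddenly reaching many hosts in a short time. The following is an added example, not part of the original article, that flags that pattern in logon records. The record layout, the account and host names, and the thresholds are all assumptions made up for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events (not real data):
# (timestamp, account, source host, destination host)
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "alice", "ws-01", "files-01"),
    ("2024-05-01T09:30:00", "alice", "ws-01", "mail-01"),
    ("2024-05-01T13:00:00", "alice", "ws-01", "files-01"),
    ("2024-05-01T02:10:00", "svc-vendor", "ws-07", "files-01"),
    ("2024-05-01T02:12:00", "svc-vendor", "ws-07", "db-01"),
    ("2024-05-01T02:13:30", "svc-vendor", "ws-07", "pos-01"),
    ("2024-05-01T02:15:00", "svc-vendor", "ws-07", "pos-02"),
    ("2024-05-01T02:16:00", "svc-vendor", "ws-07", "gw-01"),
]

def find_fanout(events, window=timedelta(minutes=10), max_hosts=3):
    """Flag (account, source) pairs that log on to more than max_hosts
    distinct destinations inside any sliding window of the given length.
    Returns {(account, source): sorted destination hosts seen in flagged windows}."""
    by_pair = defaultdict(list)
    for ts, account, src, dst in events:
        by_pair[(account, src)].append((datetime.fromisoformat(ts), dst))

    flagged = defaultdict(set)
    for pair, logons in by_pair.items():
        logons.sort()  # chronological order; input may arrive unsorted
        start = 0
        for end in range(len(logons)):
            # Drop logons that fell out of the window ending at logons[end].
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {dst for _, dst in logons[start:end + 1]}
            if len(hosts) > max_hosts:
                flagged[pair] |= hosts
    return {pair: sorted(hosts) for pair, hosts in flagged.items()}

if __name__ == "__main__":
    for (account, src), hosts in find_fanout(SAMPLE_EVENTS).items():
        print(f"ALERT {account} from {src} reached {len(hosts)} hosts: {hosts}")
```

The normal user, who touches two servers over several hours, is not flagged; the vendor account that reaches five servers in six minutes is.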

Preventing lateral movement attacks

One of the best ways to avoid a lateral movement attack is to stop the initial intrusion that opens the door—or castle basement window—to it. The fundamentals are a good place to start—keeping software updated, for example, as well as using multi-factor authentication (MFA), backing up critical data, learning how to spot phishing scams, and using strong passwords on as many of your devices as you can.

Also consider using a strong antivirus solution like Norton AntiVirus Plus. It can help protect you against hackers, viruses, malware, and ransomware so you can keep your devices and your digital life safe. And hopefully keep those burglars from getting their mitts on those family heirlooms.

Clare Stouffer
Clare Stouffer, a Gen employee, is a writer and editor for the company’s blogs. She covers various topics in cybersecurity.
