Attivo Networks Blogs

Expert says CISOs need to take lateral movement seriously

intelligent CISO

CISOs are faced with the challenge of their enterprise-level environments being vulnerable to lateral movement in their networks. Carolyn Crandall, Chief Security Advocate and CMO at Attivo Networks, says most CISOs are familiar with the role lateral movement plays in attacks, but organisations need to back up this knowledge with action.

A thief breaking into your home can be a minor experience, or a devastating one. It’s one thing when the criminal leaves after grabbing the first item they see, but it’s a whole different story when they have time to map out where your valuables are and plan the best ways to steal them. Worse yet is when the thief secures the ability to return repeatedly and steal from you again and again. All of this can occur even with doors and windows locked and perimeter security systems installed.

A similar scenario often crops up in cybersecurity. Once attackers gain a foothold in an organisation's network, they look for opportunities to move laterally through the environment and escalate their privileges. They use what they learn during that reconnaissance to take control of resources, change permissions and security settings for greater access, and cover their tracks. This activity can be extremely tricky to detect because the attackers impersonate real users, so their actions look like regular activity.

Most CISOs are familiar with the role lateral movement plays in attacks, but organisations are not backing up this knowledge with action. Most still rely heavily on perimeter defences, behavioural anomaly detection and log management, which provide limited visibility and unmanageable alert volumes. Today’s advanced threats actively leverage lateral movement, which has become an Achilles heel for many organisations. As this issue becomes more severe, CISOs are increasingly beginning to take note.

Thinking laterally

The authors of last year’s Mandiant Security Effectiveness report found that 54% of the ‘techniques and tactics used to execute testing of lateral movement were missed’. They also found that 96% of lateral movement behaviours did not have a corresponding alert in the SIEM, meaning that defenders were left blind in the face of an attack. These stats are concerning, especially since there are solutions to prevent lateral movement.

Lateral movement defences that act at the endpoint can stop a threat actor at an earlier stage of the attack cycle and reduce the risk of a more significant breach. One approach relies on 'micro-segmentation', which divides a network into smaller pieces to slow or stop attacker progress. Others work by identifying signs of attack directly: intruders often give away their intentions as they carry out reconnaissance or probe the network for vulnerabilities, offering a further opportunity to stop them before they reach anything valuable.

Defenders may also use deception and concealment technology to trick threat actors into giving away their presence or tactics. They can place fake Active Directory (AD) credentials or other bait on the network or within endpoints that look like real production assets and serve as tempting targets for attackers. In reality, they are bait or breadcrumbs that lead to traps that reveal the attacker’s presence and allow security teams to banish them from the environment. Innovations in concealment technology can hide real data and AD objects, preventing attackers from finding or accessing the targets they seek.
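The detection side of the decoy-credential approach above comes down to one rule: a planted account has no legitimate use, so any event that names it is an alert. The following is an added example, not Attivo's code and not from the original article; the decoy account names, the simplified key=value log format and the sample events are all constructed for the illustration. It runs the rule over a handful of constructed Windows Security events and returns the alerts plus the source addresses a responder would contain first.

```python
import re
from dataclasses import dataclass

# Decoy (honeytoken) accounts planted in AD or cached on endpoints.  The names
# are hypothetical.  Nothing legitimate ever authenticates as them, so any
# event that references one is high-confidence evidence that the bait was taken.
DECOY_ACCOUNTS = {"svc_backup_admin", "sql_admin_legacy"}

# Windows Security event IDs that record authentication or ticket activity.
AUTH_EVENT_IDS = {
    "4624": "successful logon",
    "4625": "failed logon",
    "4768": "Kerberos TGT requested",
    "4769": "Kerberos service ticket requested",
    "4776": "NTLM credential validation",
}

# Constructed, simplified log: one event per line, key=value fields.  The
# third line deliberately varies the account's case and the fifth is a
# malformed line, to show that neither confuses the detector.
SAMPLE_LOG = """\
2024-05-02T10:14:03Z EventID=4624 Account=CORP\\jsmith Source=10.0.5.17 Host=WS042
2024-05-02T10:14:21Z EventID=4768 Account=CORP\\svc_backup_admin Source=10.0.5.17 Host=DC01
2024-05-02T10:14:22Z EventID=4625 Account=CORP\\SQL_Admin_Legacy Source=10.0.5.17 Host=FS01
2024-05-02T10:15:00Z EventID=4663 Account=svc_backup_admin@corp.local Source=10.0.5.17 Host=FS01
this line is truncated and does not parse
2024-05-02T10:16:40Z EventID=4624 Account=CORP\\mlee Source=10.0.7.3 Host=WS108
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Account=(?P<acct>\S+) "
    r"Source=(?P<src>\S+) Host=(?P<host>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    event_id: str
    description: str
    account: str
    source: str
    host: str


def normalize_account(raw):
    """Strip a DOMAIN\\ prefix or @realm suffix and lower-case the name."""
    return raw.split("\\")[-1].split("@")[0].lower()


def parse_line(line):
    """Return the event's fields as a dict, or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_decoy_use(log_text, decoys=DECOY_ACCOUNTS):
    """Flag every parsable event that references a decoy account.

    Authentication events get a descriptive label; any other event type that
    names the decoy is still an alert, because the account should never appear
    at all.
    """
    decoys = {d.lower() for d in decoys}
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed input rather than crash the detector
        if normalize_account(ev["acct"]) not in decoys:
            continue
        alerts.append(Alert(
            timestamp=ev["ts"],
            event_id=ev["eid"],
            description=AUTH_EVENT_IDS.get(ev["eid"], "other activity naming a decoy"),
            account=ev["acct"],
            source=ev["src"],
            host=ev["host"],
        ))
    return alerts


def sources_to_contain(alerts):
    """Distinct source addresses seen using decoy credentials."""
    return sorted({a.source for a in alerts})


if __name__ == "__main__":
    found = detect_decoy_use(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.event_id} ({a.description}) {a.account} from {a.source} on {a.host}")
    print("contain:", sources_to_contain(found))
```

In a real deployment the parser would consume SIEM or Windows event log output rather than this constructed format, but the rule itself does not change: the decoy list is the whole signature, which is why this class of detection produces so few false positives compared with behavioural anomaly models.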

Once defenders identify an attack, they should seek to impede attackers from gathering intelligence on targets such as credentials, live hosts, open services and AD accounts. Defenders can also look for vulnerabilities, exposures and misconfigurations that create attack paths and remediate them so attackers can’t easily achieve lateral movement and privilege escalation. Those seeking an Active Defence can also use the attacker’s force against them by intercepting their queries for data and redirecting them into decoys as they attempt to move laterally.
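Finding "vulnerabilities, exposures and misconfigurations that create attack paths" is, in practice, a graph problem: principals, groups and hosts are nodes, and relationships such as group membership, local admin rights, logged-on sessions and permissive ACLs are edges. The following added example (not Attivo's code and not from the article) searches a small constructed directory graph for the shortest path from an ordinary user to Domain Admins and then identifies which edges are choke points, meaning the misconfigurations whose removal actually breaks the path. The edge names are modelled on those used by graph-based AD tools; every principal, group and host is hypothetical.

```python
from collections import deque

# Constructed directory relationships as (subject, relation, object) edges.
# Two helpdesk-administered workstations both carry a session for svc_backup,
# so there are two routes to Domain Admins through that account.
EDGES = [
    ("jsmith",           "MemberOf",   "Helpdesk"),
    ("Helpdesk",         "AdminTo",    "WS042"),
    ("Helpdesk",         "AdminTo",    "WS108"),
    ("WS042",            "HasSession", "svc_backup"),
    ("WS108",            "HasSession", "svc_backup"),
    ("svc_backup",       "MemberOf",   "Backup Operators"),
    ("Backup Operators", "GenericAll", "Domain Admins"),
    ("mlee",             "MemberOf",   "Finance"),
    ("Finance",          "AdminTo",    "FS01"),
    ("FS01",             "HasSession", "mlee"),   # harmless cycle, not a path up
]


def build_graph(edges):
    """Adjacency list: node -> [(relation, next_node), ...] in edge order."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph


def shortest_attack_path(edges, start, target):
    """Breadth-first search; returns [(node, relation, next_node), ...] or None."""
    graph = build_graph(edges)
    parent = {start: None}          # also serves as the visited set
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    if target not in parent:
        return None
    path, node = [], target
    while parent[node] is not None:
        prev, rel = parent[node]
        path.append((prev, rel, node))
        node = prev
    path.reverse()
    return path


def exposed_principals(edges, target):
    """Every node from which the target is reachable."""
    nodes = {n for s, _, o in edges for n in (s, o)}
    return sorted(n for n in nodes
                  if n != target and shortest_attack_path(edges, n, target) is not None)


def choke_point_edges(edges, start, target):
    """Edges whose removal cuts every path from start to target.

    Removing only one of the two HasSession edges leaves the other route open,
    so the remediation candidates are the membership and ACL edges instead.
    """
    cuts = []
    for edge in edges:
        remaining = [e for e in edges if e != edge]
        if shortest_attack_path(remaining, start, target) is None:
            cuts.append(edge)
    return cuts


if __name__ == "__main__":
    for hop in shortest_attack_path(EDGES, "jsmith", "Domain Admins"):
        print("  {} --{}--> {}".format(*hop))
    print("exposed:", exposed_principals(EDGES, "Domain Admins"))
    print("fix one of:", choke_point_edges(EDGES, "jsmith", "Domain Admins"))
```

The point a practitioner takes from the choke-point list is that remediating the visible symptom (one privileged session on one workstation) does nothing while a parallel route exists; the fixes that actually remove the path are the service account's group membership and the GenericAll right the group holds over Domain Admins.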

The lessons of lateral movement

Unfortunately, many enterprise-level production environments remain vulnerable to lateral movement, which poses a challenge to CISOs. When they’re assessing their enterprise security solution stack, CISOs should make sure they can efficiently detect activities like discovery, privilege escalation and lateral movement. Otherwise, they’re leaving their organisation vulnerable to longer attacker dwell time, subsequently amplifying the magnitude of the compromise.

It’s incumbent upon security staff to protect their employers by responding quickly to the latest threats and disrupting a threat actor’s attack paths. It also isn’t enough to simply install lateral movement detection systems. Ideally, governments and regulators should put pressure on organisations to establish lateral movement and credential and identity entitlement protections, along with better threat intelligence sharing. These defences are increasingly necessary and should be a de facto part of security architecture.

Read the full article by Alix Pressley on Intelligent CISO.
