Attivo Networks Blogs

Understanding Lateral Movement and How to Detect It


By Carolyn Crandall, chief security advocate, Attivo Networks

Lateral movement broadly applies to an attacker’s activity within the network after penetrating perimeter defenses, using various tactics, techniques, and procedures (TTPs). Today’s organizations must understand those TTPs and ensure that their controls are effective across on-premises, remote, and cloud attack surfaces. The MITRE ATT&CK framework plays a beneficial role in organizing techniques and tactics, providing organizations with a guide to identify security gaps and controls they can use to cover them.

It is important to think about the roles played by both endpoint protection and identity protection and how these security tools work together. Active Directory (AD) is usually co-owned by multiple departments, and organizational complexity often leaves this highly vulnerable and critical application inadequately protected. Incorporating AD into a lateral movement program should be a priority: if attackers can compromise AD, it is effectively game over.

The first stage of lateral movement is reconnaissance. As its name implies, this is the stage where attackers explore the areas of the network they can reach, identify vulnerabilities, and look for critical assets. This activity helps attackers understand organizational details like host naming conventions and network hierarchies and helps them locate valuable information and systems. Attackers often use tools like Netstat and PowerShell to get the lay of the land within the network and learn about its defenses. Such tools are difficult for defenders to flag as malicious, and they support activities like port scanning. Effective reconnaissance helps attackers plan their subsequent moves.

The next stage involves credential misuse. Valid credentials are like gold to attackers. The 2021 Verizon Data Breach Investigations Report (DBIR) found that 61% of all breaches now involve credential data such as stolen or leaked credentials. Social engineering techniques like phishing and business email compromise (BEC) are typical ways attackers covertly obtain valid credentials, though they are far from the only methods. Valid credentials let attackers move within the network without setting off any alarms.

Next comes privilege escalation. Attackers want to exploit AD to help with network discovery and to gain privileges that allow them to change security controls and remain hidden. Ultimately, attackers want to escalate their privileges to administrator status, which usually means compromising AD. If the attacker can compromise AD, they essentially have the keys to the castle, and it is tough to remove them from the network.

Suppose an attacker has been able to conduct reconnaissance, gain access to credentials, and escalate their privileges. In that case, they will likely repeat the process across various hosts until they find what they are looking for: user data, financial information, intellectual property, or other assets. Without robust in-network security, attackers can search for valuable data indefinitely. Putting a stop to this behavior is possible, and it becomes more manageable when organizations use technique-based detection rather than relying solely on pattern matching or signatures.
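As an added example (not code from the original post or from Attivo Networks), the following Python script shows what technique-based detection looks like for two of the stages described above. It scores the reconnaissance stage by looking for a burst of distinct discovery-style commands from a single host, and the credential-misuse stage by looking for one account fanning out network logons to many distinct hosts in a short window. Neither check depends on a fixed signature; both key on the shape of the technique. The log format, field names, host and user names, and thresholds are constructed assumptions for illustration, not a real product schema.

```python
"""Technique-based detection over constructed event records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Format (an assumption, not a real product schema):
#   timestamp|host|user|event_kind|details
# For "process" events, host is where the command ran. For "logon" events,
# host is the system that received the logon and details carries key=value
# pairs such as the logon type (3 = network logon in Windows terminology).
SAMPLE_LOG = """\
2024-03-01T09:00:01|WS-17|jdoe|process|whoami.exe /all
2024-03-01T09:00:20|WS-17|jdoe|process|net.exe view /domain
2024-03-01T09:01:05|WS-17|jdoe|process|nltest.exe /dclist:corp
2024-03-01T09:01:40|WS-17|jdoe|process|netstat.exe -ano
2024-03-01T09:10:00|FS-01|svc_backup|logon|type=3 src=WS-17
2024-03-01T09:10:30|FS-02|svc_backup|logon|type=3 src=WS-17
2024-03-01T09:11:10|DB-01|svc_backup|logon|type=3 src=WS-17
2024-03-01T09:12:00|DC-01|svc_backup|logon|type=3 src=WS-17
2024-03-01T11:00:00|WS-22|asmith|process|ipconfig.exe /all
2024-03-01T14:30:00|WS-22|asmith|logon|type=2 src=console
"""

# Built-in commands commonly associated with the ATT&CK Discovery tactic.
# A single one of these is normal admin activity; a burst of several distinct
# ones from one host in a few minutes is the technique-level signal.
DISCOVERY_COMMANDS = {"netstat", "whoami", "nltest", "net", "ipconfig",
                      "systeminfo", "arp", "quser"}


def parse_event(line):
    """Parse one pipe-delimited record into a dict."""
    ts, host, user, event, details = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "event": event, "details": details}


def _first_window_hit(items, window, threshold):
    """items: list of (timestamp, value). Return the sorted distinct values of
    the first sliding window that reaches `threshold` distinct values, else None."""
    items = sorted(items)
    for i, (t0, _) in enumerate(items):
        distinct = {v for t, v in items[i:] if t - t0 <= window}
        if len(distinct) >= threshold:
            return sorted(distinct)
    return None


def discovery_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Hosts on which >= threshold distinct discovery commands ran within one window."""
    by_host = defaultdict(list)
    for e in events:
        if e["event"] != "process":
            continue
        cmd = e["details"].split()[0].lower().removesuffix(".exe")
        if cmd in DISCOVERY_COMMANDS:
            by_host[e["host"]].append((e["ts"], cmd))
    hits = {}
    for host, items in by_host.items():
        found = _first_window_hit(items, window, threshold)
        if found:
            hits[host] = found
    return hits


def logon_fanout(events, window=timedelta(minutes=10), threshold=4):
    """Accounts whose network logons reached >= threshold distinct hosts in one window."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] != "logon":
            continue
        fields = dict(kv.split("=", 1) for kv in e["details"].split())
        if fields.get("type") == "3":          # network logon only
            by_user[e["user"]].append((e["ts"], e["host"]))
    hits = {}
    for user, items in by_user.items():
        found = _first_window_hit(items, window, threshold)
        if found:
            hits[user] = found
    return hits


def run_detection(log_text=SAMPLE_LOG):
    """Run both technique checks over a log and return their findings."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    return {"discovery": discovery_bursts(events), "fanout": logon_fanout(events)}


if __name__ == "__main__":
    for kind, findings in run_detection().items():
        print(kind, findings)
```

In the constructed sample, the single `ipconfig` run on WS-22 and the interactive logon by `asmith` are left alone, while the four-command burst on WS-17 and the four-host logon fan-out by `svc_backup` are surfaced; tuning the window and threshold to a given environment's baseline is where most of the real work lies.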

Read the full article at Hacker Noon.
