© Morey J. Haber, Darran Rolls 2020
Morey J. Haber and Darran Rolls, Identity Attack Vectors, https://doi.org/10.1007/978-1-4842-5165-2_2

2. A Nuance on Lateral Movement

Morey J. Haber (1) and Darran Rolls (2)
(1) Orlando, FL, USA
(2) Austin, TX, USA

To a threat actor, lateral movement is the difference between compromising a single resource and navigating throughout an organization to establish a persistent presence. Their goal is to remain undetected and ultimately carry out their mission even if some defenses manage to detect the initial infiltration. The threat actor may gain a foothold through an opportunistic phishing attack or a targeted attack based on stolen credentials or an exploit, but lateral movement is the means to find data of value, compromise additional assets, execute malware, and ultimately own accounts and identities to continue the attack. Lateral movement, by the most traditional definition, is the ability to pivot from one resource to another and to navigate among other resources in any environment. The key takeaway for our conversation, and why we need to talk about lateral movement, is that it is not really about assets; it is about “resources,” which can be much more than just computers and applications.
Resources engaged in lateral movement can be any one of the following and, most importantly, any combination of them. Table 2-1 lists them along with the most common privileged and asset attack vectors for each.
Table 2-1. Resource lateral movement techniques

Resource         | Privileged attack vector                                               | Asset attack vector
-----------------|------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------
Operating system | Credential, certificate, or hash-based attacks                         | Vulnerabilities, exploits, and misconfigurations
Applications     | Credential, certificate, or application-to-application attacks         | Vulnerabilities, exploits, misconfigurations, insecure architectures, and end of life
Containers       | Credential, certificate, or insecure connectivity (lack of zero trust) | Vulnerabilities, exploits, misconfigurations, insecure architectures, and agile DevOps
Virtual machines | Credential-, hash-, or hypervisor-based credential attacks             | Vulnerabilities, exploits, misconfigurations, insecure architectures, agile DevOps, and CPU- and memory-based vulnerabilities
Accounts         | Credential theft or abuse, or identity theft                           | Credential theft, abuse, memory scraping, and insecure credential storage
Identities       | Credential reuse, credential theft                                     | Inappropriate account linkage
While the techniques for lateral movement vary greatly between these resources, and between privileged and asset attack vectors, the objective is the same: to move laterally between resources that are similar or that share underlying services. That is, a threat actor can move from an operating system to an application and then compromise additional accounts using any combination of the attack vectors referenced in the preceding text (and there are definitely more). This raises the obvious question: how do you protect against lateral movement when it can occur in so many different ways and between so many different things?
First, consider the underlying faults that allow lateral movement to occur. Lateral movement occurs through privileged attacks or asset attacks, and either can ultimately lead to a threat actor owning an identity. Asset attacks are typically mitigated through vulnerability, patch, and configuration management. These are traditional cybersecurity best practices that every organization should be doing well, but in reality, as we all know, very few have them working like well-oiled machines. The conversation we need to have with our teams is that lateral movement enabled by poor basic cybersecurity hygiene is the primary attack vector for modern threats like ransomware, bots, worms, and other malware. Contemporary concepts like zero trust and just-in-time identity and privileged access management cannot mitigate the threats from asset attack vectors: a successful asset attack exploits software flaws and misconfigurations, not the credentials used for interaction between resources. Therefore, for lateral movement based on asset attacks, we need to ensure the basics are being done well week after week, month after month, and year over year, so that we do not expose cracks in our security posture that could lead to a vulnerability and exploit combination.
The second method of lateral movement is based on privileged attack vectors. This typically involves some form of privileged remote access and, in today’s world, is the easiest attack vector for a threat actor to own a resource and conduct lateral movement. These techniques include:
  • Password guessing
  • Dictionary attacks
  • Brute force attacks (including techniques like password spraying)
  • Pass the hash
  • Security questions
  • Password reset
  • Multifactor authentication flaws
  • Default credentials
  • Backdoor credentials
  • Anonymous access
  • Predictable password creation
  • Shared credentials
  • Temporary password
  • Reused or recycled passwords
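Two of the techniques in the list above, brute force and password spraying, leave very different footprints in authentication logs, and telling them apart matters because spraying is designed to stay under per-account lockout thresholds. The following is an added example, not code from the book or from any product: the log format ("timestamp user source result") and the sample lines are constructed for illustration, and the thresholds are assumptions that would normally be tied to the organization's lockout policy. It adds a source-agnostic window check because a spray that rotates source addresses defeats any per-source rule.

```python
"""Distinguish brute force from password spraying in authentication
failure logs.  Added example, not code from the book; the log lines and
the simple "timestamp user source result" format are constructed for
illustration and do not match any specific product."""
from collections import defaultdict
from datetime import datetime

# Constructed sample: one source hammering 'admin', one source trying a
# single guess against many accounts, ordinary user error, and a spray
# spread across several source addresses (one attempt each).
SAMPLE_LOG = """\
2020-01-15T08:00:01 admin 10.0.0.7 FAIL
2020-01-15T08:00:02 admin 10.0.0.7 FAIL
2020-01-15T08:00:03 admin 10.0.0.7 FAIL
2020-01-15T08:00:04 admin 10.0.0.7 FAIL
2020-01-15T08:00:05 admin 10.0.0.7 FAIL
2020-01-15T08:00:06 admin 10.0.0.7 FAIL
2020-01-15T08:10:00 alice 203.0.113.5 FAIL
2020-01-15T08:10:01 bob 203.0.113.5 FAIL
2020-01-15T08:10:02 carol 203.0.113.5 FAIL
2020-01-15T08:10:03 dave 203.0.113.5 FAIL
2020-01-15T08:10:04 erin 203.0.113.5 FAIL
2020-01-15T08:10:05 frank 203.0.113.5 FAIL
2020-01-15T09:00:00 bob 192.168.1.20 FAIL
2020-01-15T09:00:08 bob 192.168.1.20 FAIL
2020-01-15T09:00:15 bob 192.168.1.20 OK
2020-01-15T10:00:00 grace 198.51.100.1 FAIL
2020-01-15T10:00:03 heidi 198.51.100.2 FAIL
2020-01-15T10:00:06 ivan 198.51.100.3 FAIL
2020-01-15T10:00:09 judy 198.51.100.4 FAIL
2020-01-15T10:00:12 mallory 198.51.100.5 FAIL
"""


def sample_lines():
    return SAMPLE_LOG.strip().splitlines()


def parse_line(line):
    ts, user, src, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "src": src, "result": result}


def failures(lines):
    return [r for r in map(parse_line, lines) if r["result"] == "FAIL"]


def classify_sources(lines, lockout_threshold=5, spray_min_users=5):
    """Per-source verdict.  Brute force piles attempts onto one account
    and trips the lockout threshold; spraying keeps every account below
    that threshold but touches many accounts from the same source."""
    per_src = defaultdict(lambda: defaultdict(int))   # src -> user -> failures
    for r in failures(lines):
        per_src[r["src"]][r["user"]] += 1
    verdicts = {}
    for src, per_user in per_src.items():
        most_hit = max(per_user.values())
        if len(per_user) >= spray_min_users and most_hit < lockout_threshold:
            verdicts[src] = "password_spray"
        elif most_hit >= lockout_threshold:
            verdicts[src] = "brute_force"
        else:
            verdicts[src] = "normal"
    return verdicts


def distributed_spray_windows(lines, window_seconds=60, min_users=5):
    """Source-agnostic view: a burst of failures across many distinct
    accounts inside a short window.  This catches a spray that rotates
    source addresses so that each source stays below every per-source rule."""
    fails = sorted((r["ts"], r["user"]) for r in failures(lines))
    hits = []
    i = 0
    while i < len(fails):
        start = fails[i][0]
        users = set()
        j = i
        while j < len(fails) and (fails[j][0] - start).total_seconds() <= window_seconds:
            users.add(fails[j][1])
            j += 1
        if len(users) >= min_users:
            hits.append((start.isoformat(), sorted(users)))
            i = j            # skip past the burst we just reported
        else:
            i += 1
    return hits


if __name__ == "__main__":
    for src, verdict in classify_sources(sample_lines()).items():
        print(f"{src:15} {verdict}")
    for start, users in distributed_spray_windows(sample_lines()):
        print(f"spray window at {start}: {len(users)} accounts")
```

On the constructed input the per-source view flags 10.0.0.7 as brute force and 203.0.113.5 as a spray, and rates the 198.51.100.x sources as normal because each made a single attempt; only the window view reports that burst. In practice `lockout_threshold` should be set just below the directory's real lockout policy, since a spray is calibrated against that exact number.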
This is where the concepts of zero trust and just-in-time privileged access management actually do help mitigate threats.
  • Zero trust is a security model based on the principle of maintaining strict access controls and, by default, not trusting anyone, anywhere, at any time, even those already inside the network perimeter.
  • Just-in-time privileged access is a strategy that aligns real-time requests for usage of privileged accounts directly with entitlements, workflow, and appropriate access policies.
The mitigation from either of these is relatively straightforward. Ensure that authentication and authorization between resources are not allowed unless a trust has been established and approved by a third party, and apply access control between resources using ephemeral properties (for example, short-lived, single-use access scoped to one target) so that any trust that could enable lateral movement is never persistent. Remember that lateral movement happens between resources, and it is the inappropriate trust between them that must be prevented in order to mitigate the threat. That inappropriate trust almost always arises, at any layer, from poor credential, identity, and password management disciplines, which is why identity governance is so important for managing this risk.
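To make the just-in-time and ephemeral-trust properties concrete, here is a small access broker that issues privileged grants only after an independent approval, binds each grant to one identity and one target resource, and lets it expire or be consumed so that no standing trust path remains between resources. This is an added illustration, not code from the book or from any product; the broker API, the separation-of-duties rule, and the TTL and single-use policy are assumptions chosen to show the properties the text describes.

```python
"""Just-in-time privileged access broker with ephemeral, non-persistent
trust.  Added example, not the book's code; the API and policy values
are assumptions for illustration."""
import secrets
from dataclasses import dataclass


@dataclass
class Grant:
    """A time-boxed authorization for one identity on one resource."""
    identity: str
    resource: str
    expires_at: float   # epoch seconds
    max_uses: int
    uses: int = 0


class FakeClock:
    """Deterministic clock so expiry can be exercised without sleeping."""
    def __init__(self, now: float) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class JITBroker:
    def __init__(self, clock, ttl_seconds: float = 900, max_uses: int = 1) -> None:
        self.clock = clock
        self.ttl_seconds = ttl_seconds
        self.max_uses = max_uses
        self.entitlements = set()   # (identity, resource) pairs allowed to *request*
        self.pending = {}           # request_id -> (identity, resource, justification)
        self.grants = {}            # token -> Grant; empty when nothing is live

    def entitle(self, identity: str, resource: str) -> None:
        self.entitlements.add((identity, resource))

    def request(self, identity: str, resource: str, justification: str) -> str:
        # An entitlement is the right to ask; it is not standing access.
        if (identity, resource) not in self.entitlements:
            raise PermissionError(f"{identity} is not entitled to request {resource}")
        request_id = secrets.token_hex(8)
        self.pending[request_id] = (identity, resource, justification)
        return request_id

    def approve(self, request_id: str, approver: str) -> str:
        identity, resource, _ = self.pending[request_id]
        # Separation of duties: the requester cannot be the approving third party.
        if approver == identity:
            raise PermissionError("self-approval is not allowed")
        del self.pending[request_id]
        token = secrets.token_urlsafe(16)
        self.grants[token] = Grant(identity, resource,
                                   self.clock() + self.ttl_seconds, self.max_uses)
        return token

    def authorize(self, token: str, identity: str, resource: str) -> bool:
        grant = self.grants.get(token)
        if grant is None:
            return False
        if self.clock() >= grant.expires_at:
            del self.grants[token]          # expired trust is removed, not retained
            return False
        if grant.identity != identity or grant.resource != resource:
            return False                    # a grant cannot be re-pointed at another resource
        grant.uses += 1
        if grant.uses >= grant.max_uses:
            del self.grants[token]          # consumed: nothing is left to replay
        return True


def demo() -> dict:
    """Walk through the grant lifecycle and return the outcome of each check."""
    clock = FakeClock(1_600_000_000.0)
    broker = JITBroker(clock, ttl_seconds=900, max_uses=1)
    broker.entitle("alice", "db-prod-01")     # hypothetical identity and resource
    out = {}

    req = broker.request("alice", "db-prod-01", "INC-4711: restore table")
    try:
        broker.approve(req, approver="alice")
        out["self_approval_blocked"] = False
    except PermissionError:
        out["self_approval_blocked"] = True

    token = broker.approve(req, approver="bob")
    out["first_use"] = broker.authorize(token, "alice", "db-prod-01")
    out["reuse"] = broker.authorize(token, "alice", "db-prod-01")

    req2 = broker.request("alice", "db-prod-01", "INC-4711: verify restore")
    token2 = broker.approve(req2, approver="bob")
    out["other_resource"] = broker.authorize(token2, "alice", "db-prod-02")
    clock.advance(901)
    out["after_expiry"] = broker.authorize(token2, "alice", "db-prod-01")

    try:
        broker.request("mallory", "db-prod-01", "just looking")
        out["unentitled_blocked"] = False
    except PermissionError:
        out["unentitled_blocked"] = True

    out["standing_grants"] = len(broker.grants)
    return out


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:22} {result}")
```

The point to notice is the final `standing_grants` count: once the walkthrough finishes, the broker holds no live trust at all. A compromised session token here buys the attacker at most one use of one resource inside one window, which is exactly the persistence that lateral movement depends on being denied.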
To that end, lateral movement is much more than a threat actor moving inappropriately from asset to asset. In reality, it is movement between any resources using either privileged or asset attack vectors. And if multiple accounts belonging to the same identity are compromised, the attack can truly evolve into an identity attack vector, in which everything that person owns, is responsible for, or has privileged or unprivileged access to becomes a path for lateral movement based on the account/identity relationship. This matters in our conversation about lateral movement because the resource is not always a computer or an application. It can be abstract, like an identity, a bot, or software in the form of a container or a DevOps pipeline. Regardless, the threat actor’s movement is a pivot, and it is critical to their malicious intent.