Glossary · Security testing

What is Lateral Movement?

Also known as: East-west movement, Pivoting

Lateral movement is the set of techniques an attacker uses to move from an initially compromised system to other systems inside a network, hunting for the credentials, data, or privileges needed to reach a final objective. It is constrained by network segmentation, least privilege, and zero-trust controls.

Key takeaways

  • Lateral movement happens after initial access, as attackers pivot deeper toward high-value targets.
  • It typically chains stolen credentials, privilege escalation, and trusted internal protocols.
  • Segmentation, least privilege, and continuous verification are the primary defenses.
  • Breach and attack simulation reveals which lateral paths are actually exploitable in your environment.

What does lateral movement look like in practice?

After gaining a foothold on one machine, an attacker rarely sits still. They enumerate the network, harvest credentials from memory or configuration files, and reuse those credentials to authenticate to additional hosts. Because this traffic moves sideways between internal systems rather than in from the perimeter, it is often called east-west movement and frequently blends in with legitimate administrative activity.

Common techniques are catalogued in frameworks such as MITRE ATT&CK, which documents tactics like remote services, pass-the-hash, and exploitation of remote desktop or management protocols. Lateral movement is closely tied to privilege escalation, since broader access usually unlocks more systems to pivot through.

Why is lateral movement so dangerous?

A single compromised laptop is a nuisance; a single compromised laptop that leads to domain administrator access is a breach. Lateral movement is the bridge between those two outcomes. It turns a minor incident into a major one by letting attackers reach databases, backup systems, and identity infrastructure that were never directly exposed to the internet.

Defenders often discover too late that flat, highly trusted internal networks let an intruder roam freely once inside. Detecting this movement is hard because the attacker uses valid credentials and standard protocols, so behavioral monitoring and strong identity controls matter as much as prevention.

How do you defend against and test for it?

  • Segment networks so that compromise of one zone does not grant reach into others.
  • Apply least privilege so stolen credentials unlock as little as possible.
  • Adopt zero-trust verification so every internal connection is authenticated, not assumed.
  • Monitor for anomalous authentication patterns and unusual host-to-host traffic.
  • Rotate and protect credentials, and disable unnecessary remote-management services.

Knowing your controls exist is not the same as knowing they work. Breach and attack simulation safely emulates an attacker pivoting through your environment, mapping the real attack paths and showing which lateral routes your segmentation and identity controls actually block.

Frequently asked questions

How is lateral movement different from initial access?
Initial access is how an attacker first gets a foothold, such as phishing or exploiting an internet-facing service. Lateral movement is what happens afterward, as the attacker spreads from that first system to others inside the network.
Can zero trust stop lateral movement entirely?
Zero trust does not make movement impossible, but it dramatically shrinks the opportunity. By verifying identity and authorization for every connection and removing implicit network trust, it forces attackers to defeat controls at each hop rather than roaming freely.
Why is lateral movement hard to detect?
Attackers typically use valid stolen credentials and legitimate protocols like remote desktop or administrative tooling, so their activity resembles normal operations. Detection relies on spotting anomalous behavior rather than obviously malicious signatures.

Authoritative sources

← Back to the glossary