How to Block Lateral Movement in Cyber Attacks

Once hackers gain a foothold in an enterprise, their next move is often to push deeper into IT systems. Here’s how to stop them.


When attackers gain control of an endpoint, the celebration doesn’t last long. As in a game of chess, hackers position themselves for their next move—compromising other endpoints they can use to burrow deeper into a company’s systems and access the people and data they ultimately seek.

After international shipping and logistics provider Maersk suffered a single compromised endpoint in 2017, attackers were eventually able to compromise every endpoint in the company. The cybercriminals then used a ransomware attack to render most of the endpoints at Maersk inaccessible. The attack cost Maersk some $300 million and two weeks of disrupted operations, and forced it to reinstall 4,000 servers.

That seems minor when compared to the recent SolarWinds hack, which continues to wreak havoc on American businesses and government. The so-called software “supply chain” attack relied on tens of thousands of organizations updating the same third-party software to run IT management.

Hackers, believed to be Russian intelligence, targeted SolarWinds and used malware to steal and forge digital credentials that enabled them and other cybercriminals to hopscotch from endpoint to endpoint and gain access to an estimated 18,000 entities that downloaded the infected software.

The victims include the biggest players in the tech industry, the healthcare field, and the federal government. The estimated cost to both American businesses and the government: $100 billion. With the stakes this high, identifying and blocking this type of “lateral movement” in a breached network remains essential in defending any enterprise.

“Attackers will always seek credentials, because with the right credentials, they can get themselves anywhere they want to go,” says Ben Rothke, senior information security manager at advertising and content delivery provider Tapad. 

To do this, hackers typically capture user access credentials through keystroke logging or other specialized tools. “Imagine being able to forge an airline ticket that will take you anywhere you want to go,” says Rothke. “That’s what attackers do with credentials, only they are gaining access to networks, applications, or perhaps the cloud console used by an administrator.”

Credentials aren’t the only things attackers seek. They use tools to navigate to other servers on the same network and to endpoints. Any endpoint running outdated software is a prime target, as well. Fortunately, there are several things you can do to prevent lateral movement or identify it and stop it when it happens.

Raise the cost of success

The key to protecting your IT environment is to make it as difficult as possible for an attacker to move laterally, says Chris Blow, director of offensive security at Liberty Mutual, a Fortune 100 company. His team regularly runs simulations on endpoints to see if lateral movement is possible. “We are always focused on making sure our endpoints are protected,” says Blow.

The best defense involves changing the economics of an attack, says Fernando Montenegro, a principal analyst on the enterprise security team at 451 Research, a part of S&P Global Market Intelligence. “The point is to raise the cost of success for the attacker,” he says. “You want to engineer defenses that will make the life of an attacker very hard.”

To do that, security experts offer the following:

Practice good endpoint hygiene. Effective practices start with the essentials, including solid management of assets, configurations, and patches. “Good hygiene alone won’t stop determined adversaries, but it will make their job a lot more difficult,” says Montenegro.

Manage identities. It’s essential to know who has the credentials to access specific applications and networked resources. The principle of “least privilege” reduces the attack surface, giving users access only to the resources they absolutely need to do their jobs. Limiting the number of administrator accounts is also critical. “Your identity is the new firewall, and you have to manage identities effectively, especially privileged accounts,” Blow says.

Implement strong authentication. Authentication ensures that only the right people can access the right applications. “While not foolproof, requiring multifactor authentication can be effective in slowing lateral movement,” Rothke says. Should a hacker gain a credential from a phishing attack, a user session, or a memory dump (when memory is backed up during an application crash), strong authentication techniques can make it more difficult for cybercriminals to use credentials to move laterally to other resources on the network. 

Segment network traffic. To tighten security further, divide networks into distinct zones. For instance, all office equipment and associated devices can be placed on one network, and certain classes of users may be divided into their own network segments. Applying appropriate security to each zone can significantly limit how much an attacker can move around laterally, says Rothke.

Develop a zero-trust architecture. With strong identity controls, authentication techniques, and network segmentation, an organization is already well on its way toward building a zero-trust architecture. “A good zero-trust architecture is going to go a long way toward stopping attackers from moving around,” says Blow. “The problem is that most companies don’t have zero trust locked down as well as they should.”

Detect anomalies. Attackers will do whatever they can to avoid detection. With fake credentials, they can appear to be legitimate users. Security leaders can learn to spot unusual activity throughout networks and applications, but that’s a lot more challenging to achieve than it sounds. “It’s so difficult because attackers will do everything they can to successfully blend in,” says Rothke. 

Adopt endpoint detection and response. When companies spot any indication of compromised endpoints, all pertinent data should be collected and sent to security teams for analysis and response. Clamping down on attacks as they are underway can limit data breaches and system damage and stop lateral movement in its tracks. “Within the past two years, endpoint detection and response has become a lot more effective than it was in the past,” says Blow. “Organizations that have effective systems in place will make the work of attackers very hard, and ultimately that’s what these layers of defense are all about.”
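
One way to approach the anomaly detection practice above, as an added example that is not from the article or from any vendor it mentions: because the credentials are valid, the script looks instead for an account that suddenly logs on to several hosts it never touched during a baseline period. The log format, host names, 15-minute window, and threshold of three are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: successful logons as "timestamp user source_host dest_host".
BASELINE = """\
2021-03-01T09:00:00 alice WS-014 FS-01
2021-03-01T09:05:00 alice WS-014 MAIL-01
2021-03-01T02:00:00 svc-backup BK-01 FS-01
2021-03-01T02:10:00 svc-backup BK-01 DB-01
"""
CURRENT = """\
2021-03-02T02:00:00 svc-backup BK-01 FS-01
2021-03-02T09:01:00 alice WS-014 FS-01
2021-03-02T09:30:00 alice WS-014 HR-01
2021-03-02T14:02:00 alice WS-014 DB-01
2021-03-02T14:05:00 alice DB-01 DC-01
2021-03-02T14:09:00 alice DC-01 FIN-02
"""

def parse(log):
    """Yield (time, user, src, dst) tuples from whitespace-separated lines."""
    for line in log.strip().splitlines():
        ts, user, src, dst = line.split()
        yield datetime.fromisoformat(ts), user, src, dst

def find_fanout(baseline_log, current_log,
                window=timedelta(minutes=15), threshold=3):
    """Flag accounts that reach `threshold` never-before-seen hosts within `window`."""
    known = defaultdict(set)              # user -> hosts used during the baseline
    for _, user, _, dst in parse(baseline_log):
        known[user].add(dst)
    recent = defaultdict(list)            # user -> [(time, new_host)] still in window
    alerts = {}
    for ts, user, _, dst in sorted(parse(current_log)):
        if dst in known[user]:
            continue                      # normal behaviour for this account
        recent[user] = [(t, d) for t, d in recent[user] if ts - t <= window]
        recent[user].append((ts, dst))
        hosts = sorted({d for _, d in recent[user]})
        if len(hosts) >= threshold and user not in alerts:
            alerts[user] = (ts, hosts)    # keep the first alert per account
    return alerts

if __name__ == "__main__":
    for user, (when, hosts) in find_fanout(BASELINE, CURRENT).items():
        print(f"{when.isoformat()} {user}: new hosts in window -> {', '.join(hosts)}")
```

A single logon to an unfamiliar host (alice to HR-01 at 09:30) stays below the threshold, while the afternoon burst across three new hosts is flagged; tuning the window and threshold against real baselines is what keeps the alert volume workable.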

With these practices in place, an organization can ensure the enterprise remains inhospitable to hackers looking for weak links they can exploit to leapfrog across company systems. 


George V. Hulme

George V. Hulme is an information security and business technology writer. He is a former senior editor at InformationWeek magazine, where he covered the IT security and homeland security beats. His work has appeared in CSO Online, Computerworld and Network Computing.
