
Lateral Movement

Jenna Phipps
Last Updated May 24, 2021 8:02 am

Lateral movement, or lateral traffic, is a network attacker’s progression through the network once they have breached it. Lateral movement is also known as east-west traffic, indicating horizontal progression through an already-breached network, and contrasts with north-south traffic, or first entering the network. Lateral movement is challenging for organizations to track because once an attacker has entered a network, their traffic appears normal. It’s hard to distinguish between an attacker and authorized users because they’ve already gained access.

Reasons for lateral movement

Attackers can gain initial access to a network using:

  • Employee devices, particularly in the Internet of Things. IoT devices typically have fewer built-in security controls than smartphones and computers. If an attacker compromises an IoT device that connects to the company network, they may then be able to thread their way into the network.
  • Company email. Social engineering heavily relies on fraudulent emails, which might ask an employee for their credentials or include malware. Once the attacker has that information, they can proceed into the network as a trusted user.
  • Malicious software installed on a company computer: if an attacker convinces an employee to click a link, malware could install on that computer and then give the attacker a pathway into the network.

Traditional network security doesn’t handle lateral movement well because it has few good methods of protecting the inside of the private network. Everyone who is allowed through the firewall at the perimeter can then meander through the network at their leisure. This also makes it harder for organizations to find a threat once it’s inside, especially if the attacker has stolen an employee’s credentials. Sorting through all of that data manually, and doing so efficiently, is impossible for most IT teams.

Combatting lateral movement with XDR

In traditional network security solutions, separate software and systems are not centralized: they’re siloed. It’s more difficult for a business to manage its network security when multiple applications are analyzing data. A centralized threat detection and response solution that can analyze all the data and notice patterns is a better way to monitor a network.

Extended detection and response (XDR) is one of the best choices for large organizations because it removes the silos between security solutions. XDR monitors all the data from applications and servers. An XDR solution includes automation, which saves IT and engineering teams time.

Some XDR solutions implement machine learning, which studies patterns in data and eventually learns to notice anomalies and prioritize alerts to technology teams, similar to user and entity behavior analytics (UEBA). If trained sufficiently, such models can interpret words and their context to better understand a situation. If a certain computer, account, or server behaves unusually, a good detection and response solution will notice that and take proactive measures to find the cause. XDR does not just detect threats but also tracks them and addresses them quickly.
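The kind of behavioral check described above, as an added illustration that is not part of this page or any XDR product: it learns which hosts each account normally logs on to, then flags an account that reaches several unfamiliar hosts within a short window, a common east-west pattern. The log format, host names and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful remote-logon events: time, account, source host, destination host.
SAMPLE_EVENTS = [
    "2021-05-20T09:01:00 alice ws-alice fileserver01",
    "2021-05-20T09:05:00 alice ws-alice mail01",
    "2021-05-21T08:58:00 bob ws-bob fileserver01",
    "2021-05-21T09:10:00 alice ws-alice fileserver01",
    "2021-05-24T02:10:00 alice ws-alice fileserver01",
    "2021-05-24T02:12:00 alice ws-alice printsrv01",
    "2021-05-24T02:15:00 bob ws-bob fileserver01",
    "2021-05-24T02:16:00 bob ws-bob ws-hr03",
    "2021-05-24T02:18:00 bob ws-hr03 ws-fin02",
    "2021-05-24T02:21:00 bob ws-fin02 dbserver01",
    "2021-05-24T02:25:00 bob ws-fin02 backup01",
]

def parse_events(lines):
    """Parse whitespace-separated log lines into (timestamp, user, src, dst) tuples."""
    events = []
    for line in lines:
        ts, user, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), user, src, dst))
    return events

def baseline_hosts(events, before):
    """Destination hosts each account normally reaches, learned from events before `before`."""
    base = defaultdict(set)
    for ts, user, _src, dst in events:
        if ts < before:
            base[user].add(dst)
    return base

def detect_lateral_movement(events, learn_until, window=timedelta(minutes=30), max_new_hosts=2):
    """Flag accounts that, inside any `window`-long span after learn_until, log on to more than
    max_new_hosts destinations absent from their baseline. Returns {user: sorted new hosts}."""
    base = baseline_hosts(events, learn_until)
    recent = sorted(e for e in events if e[0] >= learn_until)
    alerts = {}
    for i, (ts, user, _src, _dst) in enumerate(recent):
        new_hosts = set()
        for ts2, user2, _src2, dst2 in recent[i:]:
            if ts2 - ts > window:
                break
            if user2 == user and dst2 not in base.get(user, set()):
                new_hosts.add(dst2)
        if len(new_hosts) > max_new_hosts:
            alerts[user] = sorted(set(alerts.get(user, [])) | new_hosts)
    return alerts

def run_sample():
    """Learn from events before 2021-05-24, then examine that day's activity."""
    return detect_lateral_movement(parse_events(SAMPLE_EVENTS), datetime(2021, 5, 24))
```

Here alice's single unfamiliar host stays below the threshold, while bob's chain through four new hosts in ten minutes is reported; in practice the baseline would come from weeks of authentication logs rather than a handful of lines.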

Zero trust and microsegmentation are other technologies designed to limit access in the event of a breach or stolen credentials.