The breach rarely lands where it matters — the attacker hops from a low-value foothold to the crown jewels.
The first machine an attacker compromises is almost never the prize. A phished laptop or an exposed web host is just a door. From there they harvest cached credentials, reuse trust, and pivot host to host across a flat internal network until they reach something that pays: a domain controller, a production database.
Lateral movement is that chain of internal hops. Each one is quiet — it looks like ordinary internal traffic, because it is ordinary internal traffic, just with stolen credentials. The defenses are structural: segment the network, give each host a unique admin password, scope service accounts tightly, require a second factor on internal services, and watch for hosts authenticating to machines they've never talked to.
The failure mode is a flat network: once an attacker owns one host, every other host is one hop away, and the same local-admin password unlocks all of them. There's no wall between the web tier and the database, so a foothold on the edge is a foothold on everything.
The fix is to deny east-west traffic by default and only allow the few flows that the business actually needs. Below is a zero-trust segmentation policy: the database accepts connections from the application segment alone, and even then only over MFA-backed, uniquely-identified service connections — never a flat "any internal host can reach any internal host."
# Zero-trust east-west policy — deny by default, allow only named flows.
default action = DENY # no host talks to another unless allowed
allow:
from: segment("app") # app tier only
to: segment("db") :5432 # reach the database on its one port
require:
- mtls(service_identity) # unique per-service cert, not a shared cred
- mfa(human_operators) # admins step up before any DB shell
deny (and alert):
from: segment("workstations") # laptops never reach prod directly
to: segment("db")
to: segment("domain") # and never reach the domain controller
| Signal | What lateral movement looks like |
|---|---|
| Host-to-host auth | Machines authenticating to peers they have never talked to |
| Local admin reuse | The same local-admin account logging in across many hosts |
| Odd-hour logons | New admin sessions at 3am, off the normal change window |
| Credential anomalies | Pass-the-hash and Kerberos ticket reuse that bypass a password prompt |
| Protocol fan-out | A sudden burst of SMB / RDP connections from one source to many targets |
A finance analyst opens a malicious attachment, giving the attacker a foothold on one workstation. That workstation has the same local-admin password as every other laptop in the building. The attacker dumps the credential hash and replays it with pass-the-hash — no password needed — and in a few hours has spread to roughly 200 hosts. From a file server they harvest a cached domain-admin token, hop to dc-01, and now own the directory. Reaching the domain controller is game over: every account, every machine, one keyholder.
Contrast the segmented estate. Workstations sit in their own segment that can't route to prod or the domain tier at all, and each host has a unique LAPS-managed admin password, so the dumped hash unlocks exactly one machine. The same phished laptop is still compromised — but it's a contained incident, not an enterprise one.
You've contained the initial foothold host, but the attacker had already pivoted twice before you caught it. What most limits further spread right now?
Coach note: once the attacker is inside and has already hopped, the leverage isn't at the door or on the first host — it's the wall that keeps the hosts they still hold away from the crown jewels.