Lateral movement

The breach rarely lands where it matters — the attacker hops from a low-value foothold to the crown jewels.

The idea

The first machine an attacker compromises is almost never the prize. A phished laptop or an exposed web host is just a door. From there they harvest cached credentials, reuse trust, and pivot host to host across a flat internal network until they reach something that pays: a domain controller, a production database.

Lateral movement is that chain of internal hops. Each one is quiet — it looks like ordinary internal traffic, because it is ordinary internal traffic, just with stolen credentials. The defenses are structural: segment the network, give each host a unique admin password, scope service accounts tightly, require a second factor on internal services, and watch for hosts authenticating to machines they've never talked to.

Press play to watch an attacker pivot from one foothold across the network.

How it works

The failure mode is a flat network: once an attacker owns one host, every other host is one hop away, and the same local-admin password unlocks all of them. There's no wall between the web tier and the database, so a foothold on the edge is a foothold on everything.

The fix is to deny east-west traffic by default and only allow the few flows that the business actually needs. Below is a zero-trust segmentation policy: the database accepts connections from the application segment alone, and even then only over MFA-backed, uniquely-identified service connections — never a flat "any internal host can reach any internal host."

# Zero-trust east-west policy — deny by default, allow only named flows.
default action = DENY            # no host talks to another unless allowed

allow:
  from: segment("app")          # app tier only
  to:   segment("db") :5432     # reach the database on its one port
  require:
    - mtls(service_identity)     # unique per-service cert, not a shared cred
    - mfa(human_operators)       # admins step up before any DB shell

deny (and alert):
  from: segment("workstations")  # laptops never reach prod directly
  to:   segment("db")
  to:   segment("domain")        # and never reach the domain controller

Signals

SignalWhat lateral movement looks like
Host-to-host authMachines authenticating to peers they have never talked to
Local admin reuseThe same local-admin account logging in across many hosts
Odd-hour logonsNew admin sessions at 3am, off the normal change window
Credential anomaliesPass-the-hash and Kerberos ticket reuse that bypass a password prompt
Protocol fan-outA sudden burst of SMB / RDP connections from one source to many targets

Watch out for

Worked example

A finance analyst opens a malicious attachment, giving the attacker a foothold on one workstation. That workstation has the same local-admin password as every other laptop in the building. The attacker dumps the credential hash and replays it with pass-the-hash — no password needed — and in a few hours has spread to roughly 200 hosts. From a file server they harvest a cached domain-admin token, hop to dc-01, and now own the directory. Reaching the domain controller is game over: every account, every machine, one keyholder.

Contrast the segmented estate. Workstations sit in their own segment that can't route to prod or the domain tier at all, and each host has a unique LAPS-managed admin password, so the dumped hash unlocks exactly one machine. The same phished laptop is still compromised — but it's a contained incident, not an enterprise one.

Check yourself

You've contained the initial foothold host, but the attacker had already pivoted twice before you caught it. What most limits further spread right now?

Coach note: once the attacker is inside and has already hopped, the leverage isn't at the door or on the first host — it's the wall that keeps the hosts they still hold away from the crown jewels.