How to detect and prevent lateral movement in your network

Article by Tim Tran, Keeper Security

To detect lateral movement, organisations need to identify abnormal network activity, map the lateral movement paths an attacker could take, analyse user behaviour and verify unknown devices. Left undetected, lateral movement often ends in a data breach and the loss of highly sensitive data. Organisations can prevent lateral movement within their network by enforcing least privilege access, implementing zero trust, segmenting networks and investing in a PAM solution.

What Is Lateral Movement and How Does It Work?

Lateral movement is a technique cybercriminals use to move deeper within a network after gaining initial access. Cybercriminals use lateral movement to compromise multiple devices and accounts, maintain ongoing access throughout the network and gain the increased privileges needed to reach sensitive data. They are helped considerably by poor Privileged Access Management (PAM), in which privileges are not tracked or are assigned too broadly.


Cybercriminals first gain access by stealing login credentials or exploiting security vulnerabilities. Once inside an organisation’s network undetected, they try to escalate their privileges: compromising other devices within the network, stealing the login credentials of privileged users (for example from credentials cached on machines they already control) and using those privileged accounts to authenticate to systems they were never authorised to reach. They move laterally across the network until they hold administrative-level privileges that let them control the entire network and access its most valuable assets.


How To Detect Lateral Movement

Cybercriminals try to remain hidden when accessing and moving laterally across a network. However, organisations can detect lateral movement by using real-time monitoring of user and network behaviour. Here are the ways organisations can implement real-time monitoring to detect lateral movement within their network.


Identify abnormal network activity

One of the main ways cybercriminals try to remain undetected is by disabling security settings and antivirus software. To identify lateral movement, organisations should look for abnormal network activity such as changes to security settings, connections to ports that are not normally used between those systems, the use of unexpected protocols (remote-administration protocols such as SMB, RDP or WinRM between workstations, for example) and unusual traffic volumes or patterns. Any of these should be investigated: on its own it does not prove a compromise, but in combination it is a strong sign that a cybercriminal has compromised a privileged account with administrative privileges.


Map lateral movement paths

Organisations should map the paths an attacker could take through their environment so they can tell quickly whether lateral movement is happening and whether privileged accounts have been compromised. They need to look at their data infrastructure and list the accounts most likely to be targeted: accounts with privileged access, weak authentication and mismanaged privileges, together with the systems those accounts log on to. Organisations should also look for other weaknesses that could enable lateral movement.
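The mapping described above is a graph problem: every local-admin right, every logged-on session whose credentials sit in memory, and every group membership is an edge an attacker can traverse. The following Python is an added example, not code from the original article or from Keeper. It builds a small constructed Windows-domain environment (all accounts, hosts and groups are invented; "group:Domain Admins" is the assumed target), finds the shortest path from an ordinary user to Domain Admins, lists which hosts expose a Domain Admin's session to credential theft, and computes the "choke point" edges whose removal would cut every path, which is what a least-privilege or segmentation change has to achieve. This is the same idea behind attack-path mapping tools, reduced to a breadth-first search.

```python
"""Mapping lateral-movement paths as a graph search.

Added example; it is not code from the original article or from Keeper.
It models the three relationships an attacker chains together in a Windows
domain: a principal that is local admin on a host (admin_to), a host that
holds a logged-on user's credentials in memory (has_session) and group
membership (member_of). Every account, host and group below is constructed
for illustration; "group:Domain Admins" is the assumed crown-jewel target.
"""
from collections import defaultdict, deque

# Constructed environment as (source, relationship, destination) edges.
EDGES = [
    ("user:alice", "admin_to", "host:WS-ALICE"),
    ("user:alice", "member_of", "group:WS-Admins"),
    ("group:WS-Admins", "admin_to", "host:WS-BOB"),
    ("host:WS-ALICE", "has_session", "user:bob"),       # helpdesk remoted in
    ("host:WS-BOB", "has_session", "user:bob"),
    ("user:bob", "member_of", "group:Helpdesk"),
    ("group:Helpdesk", "admin_to", "host:WS-ALICE"),
    ("group:Helpdesk", "admin_to", "host:WS-BOB"),
    ("group:Helpdesk", "admin_to", "host:WS-CAROL"),
    ("host:WS-CAROL", "has_session", "user:carol"),     # a DA on a workstation
    ("user:carol", "member_of", "group:Domain Admins"),
    ("group:Domain Admins", "admin_to", "host:DC01"),
]

TARGET = "group:Domain Admins"


def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    adj = defaultdict(list)
    for src, rel, dst in edges:
        adj[src].append((rel, dst))
    return adj


def shortest_path(edges, start, target=TARGET):
    """Breadth-first search; returns the node list of the shortest path
    from `start` to `target`, or None when no path exists."""
    adj = build_graph(edges)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for _, nxt in adj[node]:
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def choke_points(edges, start, target=TARGET):
    """Edges whose single removal leaves `start` with no route to `target`.
    Each one is a candidate control: revoke the admin right, drop the group
    membership, or stop privileged users logging on to that host."""
    if shortest_path(edges, start, target) is None:
        return []
    return [e for e in edges
            if shortest_path([x for x in edges if x != e], start, target) is None]


def exposed_sessions(edges, group=TARGET):
    """(user, host) pairs where a member of `group` has a live session;
    anyone who is admin on that host can steal those credentials."""
    members = {src for src, rel, dst in edges if rel == "member_of" and dst == group}
    return [(user, host) for host, rel, user in edges
            if rel == "has_session" and user in members]


if __name__ == "__main__":
    print("shortest path:", " -> ".join(shortest_path(EDGES, "user:alice")))
    print("privileged sessions:", exposed_sessions(EDGES))
    for edge in choke_points(EDGES, "user:alice"):
        print("cut:", edge)
```

On this constructed data the path from alice runs through the helpdesk account's session on her workstation, the helpdesk group's admin rights on WS-CAROL and carol's Domain Admin session there. The choke points are the group membership and admin right of the helpdesk, and carol's session and membership; removing alice's own admin right is not enough on its own because a second route exists through WS-Admins. In a real environment the edges come from group enumeration, local administrator group membership and session data rather than a hard-coded list.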


Analyse user behaviour

Organisations should analyse user behaviour to detect lateral movement. They need to look out for any abnormal user behaviour such as:


  • Repeated login attempts against privileged accounts
  • Abnormal login times, locations and devices
  • Unauthorised access to highly sensitive data
  • Unauthorised file-sharing
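Both the abnormal network activity described earlier and the user-behaviour signals in the list above come down to rules run over authentication events. The following Python is an added example, not code from the original article or from Keeper. It assumes a simplified, constructed log format (one CSV line per logon: timestamp, user, source host, destination host, logon type, outcome) using the Windows 4624 convention for logon types (3 = network, 10 = remote interactive/RDP), and the account lists, thresholds and business hours are illustrative assumptions. It flags an account fanning out to many hosts within minutes, a burst of failed logons against a privileged account, a service account used for an interactive RDP logon, and a privileged human logging on outside business hours.

```python
"""Behavioural detection of lateral movement over authentication logs.

Added example; it is not code from the original article or from Keeper.
It assumes a simplified, constructed log format (one CSV line per logon:
timestamp, user, source host, destination host, logon type, outcome) and
uses the Windows 4624 convention for logon types (3 = network, 10 = RDP).
Account lists, thresholds and business hours are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real data. Note the 02:xx timestamps.
SAMPLE_LOG = """\
2024-03-04T09:02:11Z,alice,WS-ALICE,FILESRV01,3,success
2024-03-04T09:05:40Z,alice,WS-ALICE,FILESRV01,3,success
2024-03-04T02:14:03Z,svc-backup,WS-ALICE,WS-BOB,3,success
2024-03-04T02:14:20Z,svc-backup,WS-ALICE,WS-CAROL,3,success
2024-03-04T02:14:41Z,svc-backup,WS-ALICE,WS-DAVE,3,success
2024-03-04T02:15:02Z,svc-backup,WS-ALICE,FILESRV01,3,success
2024-03-04T02:15:19Z,svc-backup,WS-ALICE,DC01,10,success
2024-03-04T02:16:00Z,admin,WS-ALICE,DC01,3,failure
2024-03-04T02:16:03Z,admin,WS-ALICE,DC01,3,failure
2024-03-04T02:16:07Z,admin,WS-ALICE,DC01,3,failure
2024-03-04T02:16:10Z,admin,WS-ALICE,DC01,3,failure
2024-03-04T02:16:14Z,admin,WS-ALICE,DC01,3,failure
2024-03-04T02:16:18Z,admin,WS-ALICE,DC01,3,failure
2024-03-04T02:16:30Z,admin,WS-ALICE,DC01,3,success
"""

PRIVILEGED_HUMANS = {"admin"}          # assumed privileged interactive accounts
SERVICE_ACCOUNTS = {"svc-backup"}      # assumed accounts that should never use RDP
FANOUT_WINDOW, FANOUT_THRESHOLD = timedelta(minutes=5), 4    # distinct hosts
FAILURE_WINDOW, FAILURE_THRESHOLD = timedelta(minutes=2), 5  # failed logons
BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 UTC treated as normal


def parse_events(text):
    """Parse the CSV lines into dicts, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, src, dst, logon_type, outcome = line.split(",")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "src": src, "dst": dst,
                       "logon_type": int(logon_type), "outcome": outcome})
    return sorted(events, key=lambda e: e["time"])


def _window_hits(events, window, threshold, distinct=None):
    """True if some `window`-long span holds >= `threshold` events
    (or >= `threshold` distinct values of distinct(e) when given)."""
    for i, start in enumerate(events):
        seen = set()
        for j in range(i, len(events)):
            if events[j]["time"] - start["time"] > window:
                break
            seen.add(distinct(events[j]) if distinct else j)
            if len(seen) >= threshold:
                return True
    return False


def detect(events):
    """Apply four rules per account; return (rule, user, detail) alerts."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    alerts = []
    for user, evs in per_user.items():
        ok = [e for e in evs if e["outcome"] == "success"]
        bad = [e for e in evs if e["outcome"] == "failure"]
        # 1. One account reaching many hosts in minutes: SMB/WMI/RDP fan-out.
        if _window_hits(ok, FANOUT_WINDOW, FANOUT_THRESHOLD, lambda e: e["dst"]):
            alerts.append(("fanout", user, f"{len({e['dst'] for e in ok})} hosts"))
        # 2. Burst of failed logons against a privileged or service account.
        if user in PRIVILEGED_HUMANS | SERVICE_ACCOUNTS and \
                _window_hits(bad, FAILURE_WINDOW, FAILURE_THRESHOLD):
            alerts.append(("failed_burst", user, f"{len(bad)} failures"))
        # 3. Service account used for an interactive (RDP) logon.
        rdp = [e for e in ok if e["logon_type"] == 10]
        if user in SERVICE_ACCOUNTS and rdp:
            alerts.append(("service_interactive", user, f"RDP to {rdp[0]['dst']}"))
        # 4. Privileged human logging on outside business hours.
        off = [e for e in ok if e["time"].hour not in BUSINESS_HOURS]
        if user in PRIVILEGED_HUMANS and off:
            alerts.append(("off_hours", user, f"{off[0]['time']:%H:%M} UTC"))
    return alerts


def run(text=SAMPLE_LOG):
    """Parse and detect in one call; returns the alert list."""
    return detect(parse_events(text))


if __name__ == "__main__":
    for rule, user, detail in run():
        print(f"{rule:20} {user:12} {detail}")
```

On the sample, alice's daytime file-server logons raise nothing, while svc-backup trips the fan-out and RDP rules and admin trips the failed-burst and off-hours rules, which together read as a service account being used to spread across workstations followed by a successful brute force of an administrator logon to the domain controller. Thresholds need tuning to a real baseline: scanners, backup jobs and monitoring agents legitimately fan out and should be excluded by source host or account.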


Verify unknown devices

Some organisations allow or require employees to use their own devices (BYOD) to do their jobs. This can result in many unknown devices connecting to the organisation’s network, systems and resources. Organisations should not implicitly trust every device that connects to their network. They need to verify every unknown device that connects to ensure that none of them is being used by a cybercriminal: confirm who owns the device, check that it meets the organisation’s security baseline and monitor its activity to confirm it behaves like an employee’s device rather than an attacker’s foothold.


6 Ways To Prevent Lateral Movement


Even when an organisation detects lateral movement within its network, evicting the intruder can be difficult, depending on how many devices and accounts the cybercriminal has already taken over. Organisations therefore need to prevent cybercriminals from gaining access to their network and moving laterally through it in the first place. Here are six ways organisations can prevent lateral movement.


Enforce least privilege access

The principle of least privilege is a cybersecurity concept that gives users just enough access to the information and systems they need to do their jobs, and no more. By implementing least privilege access, organisations limit access to sensitive data and protect it from misuse. Least privilege access reduces the potential pathways for a security breach and so hinders lateral movement. If a user’s account is compromised, the cybercriminal is limited to that user’s privileges, which leaves far fewer places in the organisation’s network to move to.


Implement zero trust

Zero trust is a security framework that requires all users and devices to continuously verify their identity and restricts their access to network systems and data. It eliminates implicit trust and treats every user and device as potentially compromised. Zero trust is based on three principles:


Assume breach: Zero trust assumes every user trying to get into an organisation’s network – human or machine – could be compromised and lead to a security breach.

Explicitly verify: Under zero trust, all humans and machines must prove who they say they are before they can access an organisation’s network and systems.


Ensure least privilege: When a user is granted access to an organisation’s network, they are only given enough access to do their jobs, no more and no less.


By following a zero-trust framework, organisations can reduce their attack surface and prevent cybercriminals from gaining initial access to their network. Zero trust also makes it harder for cybercriminals to move laterally without being detected.


Require MFA

Multi-Factor Authentication (MFA) is an authentication control that requires more than one authentication factor to access an organisation’s network. An authentication factor can be something a user knows, something they have or something they are. When MFA is enabled, users typically provide their login credentials along with an additional form of identification such as a one-time code or a hardware security key.


Organisations should require MFA for privileged account access to add a further layer of security and ensure that only authorised users can reach these sensitive accounts. Requiring MFA hinders lateral movement because a stolen password alone is no longer enough to use a privileged account. Some MFA methods can still be defeated by phishing or by bombarding a user with push prompts until one is approved, so phishing-resistant methods such as hardware security keys are the better choice for privileged accounts.


Segment networks

Network segmentation divides a network into isolated zones so that access to sensitive systems can be controlled. Each segment is tailored to the needs of a group of users or systems, and segments can communicate with each other only where a business function requires it. Segmenting limits how far a compromised account or device can reach and stops cybercriminals from moving freely across the network. Organisations can go further with micro-segmentation, which isolates individual hosts or workloads within a segment; blocking workstation-to-workstation traffic on remote-administration ports, for example, removes one of the most common lateral movement routes.


Keep software up-to-date

Cybercriminals will try to gain initial access to an organisation by exploiting security vulnerabilities in its systems and applications, and they look for the same kinds of flaws on internal systems once they are inside. Often those vulnerabilities are found in outdated software. Organisations should keep their software up to date to patch security flaws and pick up security features that better protect their devices. This reduces the opportunities for both initial access and lateral movement.


Invest in a PAM solution

A PAM solution is a tool that manages and secures accounts with permission to access highly sensitive data and systems. With a PAM solution, organisations gain visibility into which privileged accounts exist, who uses them and what they access, and can control how much access each user has to sensitive data. A PAM solution can also give organisations insight into an employee’s password practices. Organisations can ensure employees are using strong passwords to protect their accounts and only share passwords with authorised users.


Lateral movement is difficult to contain if an organisation has poor privileged access management. Left unattended, cybercriminals can gain privileged access to highly sensitive data and steal an organisation’s most valuable assets. To prevent lateral movement, organisations should invest in a PAM solution as the foundation for least privilege access and zero trust security.


With a PAM solution, organisations can manage their privileged accounts, monitor who is accessing sensitive data and implement security measures to protect sensitive data.

