
Lateral Movement Explained

Lateral movement is a cyberattack technique used by threat actors to navigate a network or environment in search of more valuable information after gaining initial access.

Wiz Experts Team

What is lateral movement in cybersecurity?

Lateral movement in cybersecurity refers to the techniques that cyber attackers use to move through a network in search of key data and assets after gaining initial access. It involves navigating from the initial point of entry to other systems within the same environment to expand the breach's scope and control additional resources.

This tactic is commonly used in advanced persistent threats (APTs) where the attacker aims to remain undetected while escalating their privileges and accessing critical information or systems.

Lateral movement can involve a variety of methods, including:

  1. Exploiting vulnerabilities: Taking advantage of security weaknesses on other systems within the network to gain unauthorized access.

  2. Using legitimate credentials: Stealing or otherwise obtaining credentials of authorized users to access systems without raising alarms.

  3. Pass-the-hash/token attacks: Using captured hash values of user passwords to authenticate to other services without needing the plain text password.

  4. Installing backdoors: Creating secret entry points into systems and networks for continued access.

Simple diagram of how lateral movement works

Common stages of lateral movement

Lateral movement isn't a one-and-done process. It typically involves three stages: reconnaissance, credential dumping or privilege escalation, and gaining access.

Reconnaissance

This is the first step in a lateral movement attack, and it's where attackers get a feel for the network. During the reconnaissance stage, threat actors look around, identifying potential targets and vulnerabilities within the network hierarchy. Cybercriminals might employ a variety of tools and techniques during this phase. Network and vulnerability scanners, such as Nmap or Nessus, are commonly used to map out the network's topology, identify active hosts, and discover open ports and services on various operating systems. These tools can provide a wealth of information about the network, including what software is being used and where potential weak points might exist.

In addition to network scanning, attackers might also engage in social-engineering tactics, such as phishing, to gather valuable information. Cyberattackers may also use web crawlers or spiders to gather information from public websites and social media platforms.

The goal of the reconnaissance phase is to gather as much information as possible to plan the next steps of the attack.

Credential dumping/privilege escalation

Once they've got the lay of the land, attackers move on to the next stage: acquiring higher-level privileges. This is often done by stealing credentials or exploiting system vulnerabilities. For example, cybercriminals might use a phishing attack, sending a seemingly innocent email that tricks users into entering their credentials on a fake login page. Or they might exploit a known software vulnerability, like a buffer overflow, to gain elevated privileges.

Gaining access

Now that they've got the access they need, attackers can get to the targeted systems or data. They might use their new privileges to get to sensitive data, for instance, by accessing a database using stolen credentials and running SQL queries to extract data. Or they might install malware, like a backdoor, that allows them to maintain a presence within the network and keep control of certain systems. At this stage, security teams need to be especially vigilant to detect any unusual activity such as unexpected remote connections during off-hours, unexplained data transfers, or repeated attempts to access resources that are not normally accessed by the compromised credentials.
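As an added illustration (not part of the original article), the three signals just listed turned into simple detection rules run over constructed access events: off-hours remote logins, an unusually large transfer, and a principal fanning out to resources it never touched during its baseline period. The event fields, business hours and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events, not real logs: a baseline week for "alice",
# then activity that matches the three signals described in the text.
BASELINE = [
    {"ts": "2024-03-04T10:12:00", "user": "alice", "action": "ssh_login", "resource": "web-01", "bytes": 0},
    {"ts": "2024-03-05T11:30:00", "user": "alice", "action": "s3_get", "resource": "reports-bucket", "bytes": 20_000},
    {"ts": "2024-03-06T09:05:00", "user": "alice", "action": "ssh_login", "resource": "web-02", "bytes": 0},
]
NEW_EVENTS = [
    {"ts": "2024-03-11T02:47:00", "user": "alice", "action": "ssh_login", "resource": "web-01", "bytes": 0},
    {"ts": "2024-03-11T02:50:00", "user": "alice", "action": "ssh_login", "resource": "db-01", "bytes": 0},
    {"ts": "2024-03-11T02:51:00", "user": "alice", "action": "ssh_login", "resource": "db-02", "bytes": 0},
    {"ts": "2024-03-11T02:52:00", "user": "alice", "action": "ssh_login", "resource": "db-03", "bytes": 0},
    {"ts": "2024-03-11T03:10:00", "user": "alice", "action": "s3_get", "resource": "reports-bucket", "bytes": 3_000_000_000},
    {"ts": "2024-03-11T14:00:00", "user": "alice", "action": "ssh_login", "resource": "web-02", "bytes": 0},
]

WORK_HOURS = range(8, 19)            # assumed business hours, 08:00-18:59 UTC
NEW_RESOURCE_THRESHOLD = 3           # distinct never-before-seen resources per user
TRANSFER_THRESHOLD = 1_000_000_000   # bytes; far above anything in the baseline

def build_baseline(events):
    """Map each user to the set of resources they normally touch."""
    seen = defaultdict(set)
    for e in events:
        seen[e["user"]].add(e["resource"])
    return seen

def detect(baseline_events, events):
    """Return (signal, user, resource(s), timestamp) findings for the new events."""
    baseline = build_baseline(baseline_events)
    findings = []
    new_resources = defaultdict(set)
    for e in events:
        hour = datetime.fromisoformat(e["ts"]).hour
        if e["action"] == "ssh_login" and hour not in WORK_HOURS:
            findings.append(("off_hours_remote_login", e["user"], e["resource"], e["ts"]))
        if e["bytes"] > TRANSFER_THRESHOLD:
            findings.append(("large_transfer", e["user"], e["resource"], e["ts"]))
        if e["resource"] not in baseline[e["user"]]:
            new_resources[e["user"]].add(e["resource"])
    # Several first-time resources from one identity in the window is the
    # "repeated attempts to access resources not normally accessed" signal.
    for user, res in new_resources.items():
        if len(res) >= NEW_RESOURCE_THRESHOLD:
            findings.append(("unusual_resource_fanout", user, tuple(sorted(res)), None))
    return findings
```

In production the baseline would come from weeks of real telemetry and the thresholds from observed distributions; the structure of the rules is what the example shows.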

By understanding the stages of lateral movement, we can better prepare defenses and respond more effectively when an attack occurs.

Lateral movement on-prem vs. cloud

When we talk about lateral movement, it's crucial to understand that it can occur both in on-premises environments and in the cloud. However, the method of attack in these two environments can be quite different due to several factors:

Factor: Description

Identity access management (IAM): In on-premises environments, IAM is often managed through centralized systems like Active Directory. This makes lateral movement a bit more straightforward for attackers once they've compromised a system. They can use the same set of credentials to move around. IAM can be more complex in the cloud due to the variety of services and resources that need to be managed. Unfortunately, complexity can create more opportunities for lateral movement as attackers can exploit misconfigurations or weak policies to gain access to different resources.

Deployments and configurations: On-premises environments often have a static configuration, which means that once attackers understand the network layout, they can plan their lateral movement strategy. On the other hand, cloud environments are dynamic and can change rapidly. The cloud’s dynamism can make lateral movement more challenging to detect as attackers can take advantage of the constantly changing environment to move around unnoticed.

Complex architecture: Cloud environments often have more complex architectures than on-premises environments. With services spread across different regions, availability zones, and VPCs, tracking lateral movement can be a challenge. In contrast, on-premises environments usually have a more straightforward architecture, making it easier to monitor for signs of lateral movement.

Lateral movement techniques in the cloud

Lateral movement in the cloud can take many forms, depending on the resources and services being used. Here are some common techniques:

Exploiting remote services

Attackers often exploit remote services like Secure Shell (SSH) or Remote Desktop Protocol (RDP) to move laterally in the cloud. For example, if an attacker gains access to an EC2 instance in AWS, they could use SSH to connect to other instances in the same network. Once inside the VPC, they can also search for additional remote services that can be exploited.

Abusing valid accounts

Attackers can also move laterally in the cloud by abusing valid accounts. If an attacker compromises a user's credentials, they could use those credentials to access cloud services that the user has permissions for. 

Illustration of a publicly exposed VM with cleartext cloud keys associated with a user that has access to serverless functions, storage accounts, and KMS keys

Using worms

Worms are a kind of malware named for their ability to self-replicate and spread over a network. In the cloud, for example, a worm could move from one instance to another by exploiting vulnerabilities or weak security settings.

VPC peering

VPC peering forms a network bridge between two virtual private clouds (VPCs). The advantage of VPC peering is that users can route traffic via private IP addresses, but attackers can exploit the same connection to move laterally from one VPC to another.

Illustration of how VPC peering may allow an attacker to move laterally and gain cross-VPC access

Exploiting IaaS/PaaS databases

IaaS and PaaS databases are often used to store private and confidential information. When a threat actor gains access to these databases, they can extract sensitive data or even modify the data to cause disruption.

Exploiting vulnerabilities and misconfigurations

When looking for valuable assets, cybercriminals tend to target the most accessible or vulnerable resources within compromised virtual private clouds (VPCs). The perfect targets are usually vulnerable workloads, such as internal VMs that are accessible over the network, have critical RCE vulnerabilities, and lack stringent security-group rules.

These are only some of the common methods that threat actors may use for lateral movement in the cloud. There are more techniques, including carrying out lateral movement attacks from the cloud to Kubernetes. Understanding these techniques can help businesses develop effective strategies to pre-empt lateral movement.

Approximately 58% of cloud environments have at least one publicly exposed workload with a cleartext long-term cloud key stored in it, whereas about 35% of cloud environments feature at least one publicly exposed workload with a cleartext private SSH key.

Wiz Research Team

Tips to mitigate lateral movement attacks

Preventing lateral movement attacks involves a combination of good security practices and the right tools. Here are some tips:

Implement strict firewalls

Firewalls serve as a barrier to prevent unauthorized individuals from gaining access to your network. Make sure to configure strict firewall rules to allow only necessary traffic.

Illustration of how strict security-group rules can block a vulnerable VM from lateral movement
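As an added example (not code from the article or from Wiz), here is a small audit of security-group ingress rules in the shape that `aws ec2 describe-security-groups` returns, with a weak group beside a strict one. It flags SSH/RDP or all-port rules open to the whole internet, and all-port rules open to a very wide internal range, which is what lets a compromised VM reach its neighbours. The group IDs, CIDRs and the /16 width threshold are constructed assumptions.

```python
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")

# Constructed examples, not real groups. WEAK_SG: SSH from anywhere plus
# every port from the whole 10/8; STRICT_SG: SSH only from an assumed
# bastion subnet, HTTPS from anywhere.
WEAK_SG = {
    "GroupId": "sg-0000weak",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ],
}
STRICT_SG = {
    "GroupId": "sg-0000strict",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.10.0.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

def rule_ports(rule):
    """Port range a rule opens; IpProtocol -1 means every port (no FromPort/ToPort)."""
    if rule["IpProtocol"] == "-1":
        return 0, 65535
    return rule["FromPort"], rule["ToPort"]

def rule_sources(rule):
    nets = [ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])]
    nets += [ipaddress.ip_network(r["CidrIpv6"]) for r in rule.get("Ipv6Ranges", [])]
    return nets

def audit_ingress(sg, min_prefix=16):
    """Return (group, reason, source, from_port, to_port) for risky ingress rules."""
    findings = []
    for rule in sg["IpPermissions"]:
        lo, hi = rule_ports(rule)
        admin = [name for port, name in ADMIN_PORTS.items() if lo <= port <= hi]
        all_ports = (lo, hi) == (0, 65535)
        for src in rule_sources(rule):
            if src in (ANY_V4, ANY_V6) and (admin or all_ports):
                findings.append((sg["GroupId"], "public", str(src), lo, hi))
            elif all_ports and src.prefixlen < min_prefix:
                findings.append((sg["GroupId"], "wide-internal", str(src), lo, hi))
    return findings
```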

Remove cleartext cloud and private keys

Cleartext keys are an organization’s weakest point and a goldmine for adversaries. Because the exposed keys are visible to anyone—internal or external—who gains access to the source code, these keys can be used to gain access to even more parts of the system. To reduce risk, remove any cleartext cloud and private keys from all systems and use secure methods for key storage and transmission.
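An added example, not from the article: a minimal scanner for the two kinds of cleartext secret the text singles out, long-term AWS access key IDs and private-key files, run over a constructed in-memory set of files. The AWS key ID shape (AKIA followed by 16 uppercase alphanumerics) and the PEM header are documented formats; the file contents are made up, and the key ID is AWS's own documented example value. Matches are masked so the report itself never leaks the secret.

```python
import re

# Patterns for the secret kinds named in the text.
PATTERNS = {
    "aws_long_term_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
}

# Constructed in-memory "filesystem" (path -> content); not real files.
SAMPLE_FILES = {
    "app/settings.py": 'DEBUG = False\nAWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n',
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXk...\n-----END OPENSSH PRIVATE KEY-----\n",
    "README.md": "Run `make deploy` to ship.\n",
}

def mask(value):
    """Keep only the first and last four characters so findings are safe to log."""
    if len(value) <= 8:
        return "****"
    return value[:4] + "*" * (len(value) - 8) + value[-4:]

def scan_text(path, text):
    """Return one finding per match: path, 1-based line, secret kind, masked value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"path": path, "line": lineno, "kind": kind, "match": mask(m.group(0))})
    return findings

def scan_files(files):
    """Scan a mapping of path -> text, in path order, and concatenate findings."""
    return [f for path, text in sorted(files.items()) for f in scan_text(path, text)]
```

A real deployment would walk the filesystem, image layers and environment variables, and would treat every hit as a key to rotate, not just a line to delete.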

Adopt a private link

Private links can provide a secure connection between different parts of a network, reducing the risk of lateral movement.

Pro tip

All major CSPs offer a private link: AWS PrivateLink, GCP Private Service Connect, Azure Private Link.

Isolate each environment

Use network segmentation to isolate different parts of a network. This helps to constrict an attacker’s lateral movement abilities.

Illustration of how an isolated environment can prevent VPC-to-VPC lateral movement

Remediate critical vulnerabilities

It's important to routinely scan systems for vulnerabilities and patch them immediately to avoid security breaches. Unpatched vulnerabilities can provide an easy path for lateral movement.

Pro tip

The above are just a few mitigation techniques that prevent some common lateral movement scenarios. Other lateral movement scenarios, like jumping from Kubernetes clusters to the cloud, require more advanced mitigation techniques.


How to prevent and detect lateral movement in your cloud environments

Because lateral movement attacks rely on stealth, they are by nature hard to spot. Nevertheless, the right strategies and the correct tools simplify the detection and prevention of lateral movement attacks.

Enter Wiz. Wiz is a cloud security solution that provides direct visibility into your cloud environment, prioritizes risks, and offers remediation guidance. It's designed to help development teams address risks in their own infrastructure and applications, allowing them to ship faster and more securely. Check out our demo to learn how Wiz can help you secure your cloud environments by identifying and putting a stop to lateral movement.
