Wiz Acquires Gem Security to Reinvent Threat Detection in the Cloud
Uncover hidden risks

Watch how the Wiz platform can expose unseen risks in your cloud environment without drowning your team in alerts.

Lateral Movement Explained

Lateral movement is a cyberattack technique used by threat actors to navigate a network or environment in search of more valuable information after gaining initial access.

Wiz Experts Team
5 min read

What is lateral movement in cybersecurity?

Lateral movement is an attack technique used by threat actors to navigate a network in search of increasingly valuable information after gaining initial access. They may seem like just another user, but in reality cyberattackers are exploiting the interconnectedness of modern networks, probing for valuable assets.

These assets can range from sensitive customer data to proprietary intellectual property. The ultimate objective of lateral movement is to silently locate and exfiltrate this valuable information, making it a highly effective and commonly used method of attack. Lateral movement also serves as a persistence technique, meaning attackers can access the breached network over extended periods— making it challenging for security teams to detect and mitigate.

Simple diagram of how lateral movement works

Common stages of lateral movement

Lateral movement isn't a one-and-done process. It typically involves three stages: reconnaissance, credential dumping or privilege escalation, and gaining access.

Reconnaissance 

This is the first step in a lateral movement attack, and it’s where attackers get a feel for the network. During the reconnaissance stage, threat actors look around, identifying potential targets and vulnerabilities. Cybercriminals might employ a variety of tools and techniques during this phase. Network scanners, such as Nmap or Nessus, are commonly used to map out the network's topology, identify active hosts, and discover open ports and services. These tools can provide a wealth of information about the network, including what software is being used and where potential weak points might exist.

In addition to network scanning, attackers might also engage in social-engineering tactics, such as phishing, to gather valuable information. Cyberattackers may also use web crawlers or spiders to gather information from public websites and social media platforms.

The goal of the reconnaissance phase is to gather as much information as possible to plan the next steps of the attack.

Credential dumping/privilege escalation

Once they've got the lay of the land, attackers move on to the next stage: acquiring higher-level privileges. This is often done by stealing credentials or exploiting system vulnerabilities. For example, cybercriminals might use a phishing attack, sending a seemingly innocent email that tricks users into entering their credentials on a fake login page. Or they might exploit a known software vulnerability, like a buffer overflow, to gain elevated privileges.

Gaining access 

Now that they've got the access they need, attackers can get to the targeted systems or data. They might use their new privileges to get to sensitive data, for instance, by accessing a database using stolen credentials and running SQL queries to extract data. Or they might install malware, like a backdoor, that allows them to maintain a presence within the network and keep control of certain systems.

By understanding the stages of lateral movement, we can better prepare defenses and respond more effectively when an attack occurs.

Lateral movement on-prem vs. cloud 

When we talk about lateral movement, it's crucial to understand that it can occur both in on-premises environments and in the cloud. However, the method of attack in these two environments can be quite different due to several factors:

FactorDescription
Identity access management (IAM)In on-premises environments, IAM is often managed through centralized systems like Active Directory. This makes lateral movement a bit more straightforward for attackers once they've compromised a system. They can use the same set of credentials to move around. IAM can be more complex in the cloud due to the variety of services and resources that need to be managed. Unfortunately, complexity can create more opportunities for lateral movement as attackers can exploit misconfigurations or weak policies to gain access to different resources.
Deployments and configurationsOn-premises environments often have a static configuration, which means that once attackers understand the network layout, they can plan their lateral movement strategy. On the other hand, cloud environments are dynamic and can change rapidly. The cloud’s dynamism can make lateral movement more challenging to detect as attackers can take advantage of the constantly changing environment to move around unnoticed.
Complex architectureCloud environments often have more complex architectures than on-premises environments. With services spread across different regions, availability zones, and VPCs, tracking lateral movement can be a challenge. In contrast, on-premises environments usually have a more straightforward architecture, making it easier to monitor for signs of lateral movement.

Lateral movement techniques in the cloud

Lateral movement in the cloud can take many forms, depending on the resources and services being used. Here are some common techniques:

Exploiting remote services  

Attackers often exploit remote services like Secure Shell (SSH) or Remote Desktop Protocol (RDP) to move laterally in the cloud. For example, if an attacker gains access to an EC2 instance in AWS, they could use SSH to connect to other instances in the same network. Once inside the VPC, they can also search for additional remote services that can be exploited.

Abusing valid accounts

Attackers can also move laterally in the cloud by abusing valid accounts. If an attacker compromises a user's credentials, they could use those credentials to access cloud services that the user has permissions for. 

Illustration of a publicly exposed VM with cleartext cloud keys associated with a user that has access to serverless functions, storage accounts, and KMS keys

Using worms

A kind of malware, worms are named for their ability to self-replicate and spread over a network. For example, in the cloud, a worm could move from one instance to another by exploiting vulnerabilities or weak security settings. 

VPC peering

VPC peering forms a network bridge between two virtual private clouds (VPCs). The advantage of VPC peering is that users can route traffic via private IP addresses, but attackers exploit this connection to move laterally from one VPC to another.

Illustration of how VPC peering may allow an attacker to move laterally and gain cross-VPC access

Exploiting IaaS/PaaS databases

IaaS and PaaS databases are often used to store private and confidential information. When a threat actor gains access to these databases, they can extract sensitive data or even modify the data to cause disruption.

Exploiting vulnerabilities and misconfigurations

When looking for valuable assets, cybercriminals tend to target the most accessible or vulnerable resources within compromised virtual private clouds (VPCs). The perfect targets are usually vulnerable workloads, such as internal VMs that are accessible over the network, have critical RCE vulnerabilities, and lack stringent security-group rules.

These are only some of the common methods that threat actors may use for lateral movement in the cloud. There are more techniques, including carrying out lateral movement attacks from the cloud to Kubernetes. Understanding these techniques can help businesses develop effective strategies to pre-empt lateral movement.

Approximately 58% of cloud environments have at least one publicly exposed workload with a cleartext long-term cloud key stored in it, whereas about 35% of cloud environments feature at least one publicly exposed workload with a cleartext private SSH key.

Wiz Research Team

Tips to mitigate lateral movement attacks

Preventing lateral movement attacks involves a combination of good security practices and the right tools. Here are some tips:

Implement strict firewalls

Firewalls serve as a barrier to prevent unauthorized individuals from gaining access to your network. Make sure to configure strict firewall rules to allow only necessary traffic.

Illustration of how strict security-group rules can block a vulnerable VM from lateral movement

Remove cleartext cloud and private keys

Cleartext keys are an organization’s weakest point and a goldmine for adversaries. Because the exposed keys are visible to anyone—internal or external—who gains access to the source code, these keys can be used to gain access to even more parts of the system. To reduce risk, remove any cleartext cloud and private keys from all systems and use secure methods for key storage and transmission.

Adopt a private link 

Private links can provide a secure connection between different parts of a network, reducing the risk of lateral movement.

Pro tip

All major CSPs offer a private link: AWS PrivateLink, GCP Private Service Connect, Azure Private Link.

Isolate each environment

Use network segmentation to isolate different parts of a network. This helps to constrict an attacker’s lateral movement abilities.

Illustration of how an isolated environment can prevent VPC-to-VPC lateral movement

Remediate critical vulnerabilities

It's important to routinely scan systems for vulnerabilities and patch them immediately to avoid security breaches. Unpatched vulnerabilities can provide an easy path for lateral movement.

Pro tip

The above are just a few mitigation techniques that prevent some common lateral movement scenarios. Other lateral movement scenarios, like jumping from K8 clusters to the cloud require more advanced mitigation techniques.

Learn more

How to prevent and detect lateral movement in your cloud environments

Because lateral movement attacks rely on stealth, they are by nature hard to spot. Nevertheless, the right strategies and the correct tools simplify the detection and prevention of lateral movement attacks .

Enter Wiz. Wiz is a cloud security solution that provides direct visibility into your cloud environment, prioritizes risks, and offers remediation guidance. It's designed to help development teams address risks in their own infrastructure and applications, allowing them to ship faster and more securely. Check out our demo to learn how Wiz can help you secure your cloud environments by identifying and putting a stop to lateral movement.

Trip up threat actors before they can move laterally

See for yourself why CISOs at the fastest growing companies choose Wiz to harden their cloud environment's internal defenses to stop lateral movement.

Get a demo

Lateral Movement FAQs

Continue reading

Kubernetes secrets

Wiz Experts Team

A Kubernetes secret is an object in the Kubernetes ecosystem that contains sensitive information (think keys, passwords, and tokens)

What is containerization?

Wiz Experts Team

Containerization encapsulates an application and its dependencies into a container image, facilitating consistent execution across any host operating system supporting a container engine.

Containers vs. VMs: What’s the difference?

Wiz Experts Team

In a nutshell, containers and virtual machines (VMs) are two inherently different approaches to packaging and deploying applications/services in isolated environments.

Kubernetes as a service

Kubernetes as a service (KaaS) is a model in which hyperscalers like AWS, GCP, and Azure allow you to quickly and easily start a Kubernetes cluster and begin deploying workloads on it instantly.

Brute Force Attacks

Wiz Experts Team

A brute force attack is a cybersecurity threat where a hacker attempts to access a system by systematically testing different passwords until a correct set of credentials is identified.