Today’s attackers rarely conduct lateral movement manually. For attackers, lateral movement is an exercise in taking what they are given: They are not moving throughout the network according to some sort of preplanned map, but following open pathways wherever they may lead. Rather than taking significant leaps into the heart of the network, attackers will make small hops, following open pathways to infiltrate any area of the network available to them. But today’s networks are sprawling, and poking and prodding their defenses manually would be cumbersome and time-consuming. As a result, today’s attackers almost always use automated processes to conduct this type of reconnaissance.

If the automated process recognizes a key piece of infrastructure during one of these small hops, it will report back to the attacker to let them know something potentially valuable has been identified. But that doesn’t mean it will stop — on the contrary, it will continue hopping around the network, looking for additional vulnerabilities and assets. Ultimately, the goal is to hit every device in the enterprise — after all, the more devices an attacker captures, the greater the odds of finding something valuable. And since most attacks today involve ransomware, data theft, or both, access to large volumes of data to steal or encrypt is critical. Thanks to this “land and expand” tactic, attackers may not even touch a keyboard themselves until a significant portion of the network is already compromised — which means understanding how to detect and prevent lateral movement early is essential.

Why Attackers Move Laterally — and How to Spot Them

Attackers don’t move laterally just for the heck of it — they’re doing it with a goal in mind. In the beginning, that goal may be to simply compromise as many devices or areas of the network as possible, but as attack activity progresses, defenders can begin to look for evidence of intent. Are the automated processes conducting reconnaissance also installing unexpected drivers on certain devices? That sort of activity is highly likely to be connected to an attack and should raise an alert within SIEM solutions. If a dozen different machines all had an unscheduled driver update over the past two weeks, something suspicious is happening — and the security team should investigate. This is just one example, but it’s indicative of the sort of activity that often accompanies lateral movement through a network.

Evidence of encryption should also raise a red flag for security teams. Some security solutions won’t alert on encryption if only a small number of files are affected, and as a result, attackers have caught onto the fact that if they encrypt only a small amount of information at a time, they can often escape detection. But the truth is that defenders need to be aware of any abnormal encryption that is happening within their environments. The best-case scenario in this situation is that a user is manually encrypting files with unauthorized software, which could be benign — but even that is unlikely. What’s more likely is that the employee is engaging in fraudulent activity, or that their identity has been compromised and is being used by an attacker. Monitoring for encryption is one of the most effective ways to identify an adversary moving laterally through the system and engaging in small attack activities as they go. Again, this is just one example, but defenders need to always be aware of even the smallest signs of suspicious behavior when they’re occurring repeatedly — especially when they don’t have a benign explanation.

Identifying and Remediating Lateral Movement

If an attacker is talented, they will likely be able to evade network-level defenses — after all, the point of the “small hops” approach to lateral movement is that it can fly under the radar by not making a lot of noise. That means organizations need to implement a more layered approach to network defense. Endpoint controls are a good starting point — these controls can help identify when an entity on the network is engaging in an unusual sequence of behaviors. If the same anomalous activity is observed on multiple devices — especially if it is within a relatively short window of time — that’s a good indicator that attackers are moving laterally from endpoint to endpoint. Resources like advanced endpoint detection and response (EDR) and extended detection and response (XDR) solutions can help organizations more effectively monitor all of their endpoints for those small signs of incursion.

It’s also critical to have strong inbound and outbound web gateway defenses. When the automated processes engaging in lateral movement find something noteworthy, they send that data back out to the attacker. The ability to track that outbound data is important, and SIEM solutions again play an important role here as they can detect and track those data bursts. If something within the network is sending the same type of data burst from several different endpoints — and it’s not coming from a known and approved application — that should raise a red flag. It’s important to set up correlation rules programmed to send an alert if a similar pattern of behavior is detected on too many machines. Certain small hops might not set off alarm bells on their own, but if they’re happening too frequently the security team needs to be alerted.

Organizations need to understand whether their systems are capable of detecting this type of activity — and that means testing them is essential. Breach and attack simulation (BAS) solutions and automated red teaming can imitate the tools and tactics that attackers favor to see whether security solutions are functioning properly — and if they are not, they may be able to recommend ways to improve them. For example, if red teamers are encrypting files but the system isn’t alerting it, the detection threshold may need to be lowered. Similarly, if multiple devices are compromised but the system hasn’t noticed, new detection solutions may be needed. These are important insights for organizations that want to put a stop to lateral movement before it can cause significant damage, but only regular testing can reveal where those potential pressure points reside.

Identifying Small Hops With Reliable Automated Detection

It’s hard to overstate the simple fact that automation is essential. Even attackers are no longer manually conducting their incursions, instead opting to use tools that allow them to make countless small hops designed specifically to avoid detection. Security teams have neither the time nor the resources to manually comb through hundreds of pages of network logs to look for this activity themselves — they need solutions in place that can provide them with real-time alerts when an attacker begins engaging with multiple devices, encrypting information, exfiltrating data, or any of a thousand other micro-activities. Given the volume of activity on today’s networks, abnormal behavior can sometimes be lost in the background noise, but a well-calibrated — and well-tested — SIEM that can draw conclusions based on massive amounts of input can make sure defenders have the information they need stop adversaries before they can escalate their attacks.