Network Lateral Movement Giacomo Lanzi

What is a Network Lateral Movement and how to defend yourself

During a cyber attack, hackers have only one goal in mind. This goal could be accessing a developer’s machine and stealing a project’s source code, analyzing emails from a particular executive, or extracting customer data from a server. All they have to do is log into the machine or system that contains the data they want, right? Not exactly. Actually, it’s a little more complicated than that. To achieve their goal, hackers are likely to break into a low-level web server, email account, or employee device, to name a few. From that node, they will move sideways (hence the name network lateral movement) to achieve their goal.

In fact, when attackers compromise a resource on a network, that device is almost never their final destination. In addition, the initial compromise rarely causes serious damage and may go unnoticed. Only if the security teams are able to detect a lateral movement before the attackers reach their intended goal, it is possible to prevent the data breach.

In this article, we will look at some of the more common types of network lateral movement and identify ways in which we can detect the attack and defend ourselves.

Understanding the network lateral movement

Lateral movement occurs when an attacker takes possession of a resource within a network and then extends its reach from that device to others within the same network. Let’s see it with an outline to help us understand better.

The perimeter of the infrastructure to be penetrated is represented with a horizontal line. The upper half represents what is outside the net, while what is below the line represents what is inside. In order for an attacker to enter the network, it must move vertically, ie from the outside to the inside (also called North-South traffic). But once a foothold has been established, it is possible to move sideways or horizontally, ie within the same network (called East-West traffic) to reach the final goal of the attack.

Lateral Movement - Schema

Possible path of a lateral movement. The arrow indicates the network nodes that are involved in the attack.

Approaches to the Lateral Movement

Overall, there are two common methods by which a hacker applies the lateral movement.

First approach: The attacker performs an internal scan to find out what other machines are on the network. In particular, it scans open ports that are listening and machines that suffer from vulnerabilities. At that point, the attacker can abuse these weaknesses to move sideways to another resource.

The second approach to the lateral movement exploits stolen credentials, and is the more common of the two. In this type of attack, the hacker could use an email phishing technique to infect a machine that interfaces with a particular server. Then he can use his login to recover passwords via a keylogger or other similar tools. At this point, he can use whatever credentials he was able to obtain to impersonate the user who was the victim of the phishing and log in to another machine. Once you have established access to that computer, you can repeat the tactic looking for additional credentials and / or privileges to exploit. In this way, the attacker can make their way and create remote connections to the target device.

In both cases it is difficult to identify the attack, because it does not occur through software or application malfunctions.

How to defend yourself

A lateral movement often manifests itself through anomalous network activity. For example, it is suspicious that a machine, which normally communicates with a few others, starts scanning the entire network. The same is true if that machine tries to connect to open ports, to interact with services and credentials with which it normally has no contact, or to use a username that has never been used before.

The list of alarm bells goes on and on. The key thing to understand is that a lateral movement involves machines doing something out of their routine, without proper authorization from IT.

This is what gives organizations the ability to detect this type of attack. Implementing log file monitoring is a first step in defense. Ideally, the data should be constantly analyzed for anomalies and possible breaches.

Defense issues

These defenses are not infallible. Security teams that simply rely on log files limit the scope of their defensive position, for example, due to log files collected only from particular applications. You might decide to monitor a certain service for credential theft, but attackers might not use that particular service to perform a lateral movement. This means that any malicious actions that do not use the monitored services will not be detected promptly.

In addition to this, hackers know the types of protocols that security personnel tend to monitor, making their task even more complex. Attackers can use this knowledge to model their attack campaigns in order to have a better chance of going unnoticed. It is one of the reasons why the MITER ATT & CK database was created to collect known techniques and raise the defenses.

The advantage of a SOCaaS

It is not enough for organizations to seek lateral movement using log files or an EDR tool. It is necessary to turn attention to the network as a whole. In this way it is possible to see all network traffic, establish a baseline of normal network activity for each user and device, and then monitor any unusual actions that could be indicative of attacks. It is known as anomaly detection, and is more comprehensive and often easier than examining each log file for out-of-the-ordinary events.

The problem with anomaly detection is that many of these irregularities are benign, and a lot of time is spent analyzing them. What is needed to separate harmful lateral movement from benign network anomalies is an understanding of the aspect of harmful behavior.

This is where a complete system that uses both behavioral analysis tools and professional security technicians comes into play.

The SOCaaS offered by SOD includes a Security Data Lake (SDL) for data collection and various tools for data analysis. One of these is the UEBA, particularly suitable for the detection of social threats, as it analyzes user behavior through AI using their actions as a source of data.

With these and other tools that make up the SOC, you can actively reduce the risk of attacks on your corporate data. If you are interested in learning more about SOD SOCaaS, I invite you to visit the dedicated page or contact us directly.

[btnsx id=”2931″]

Useful links:

SOCaaS

Is SOCaaS useful for your business

Computer Network Security: PT vs. VA

Cyber Security: Pentest and verification of vulnerabilities

 

 

Share


RSS

RSS feed

More Articles…

Categories …

Tags

Acronis Cloud Backup BaaS Backup cloud cloud computing Cloud Conference cloud provider reggio emilia cloud server cloud services CTI cyber security cyber security cyber threat Cyber Threat Hunter Data Exfiltration GDPR Machine Learning Monitoraggio infrastruttura ICT Next Generation SIEM nextgen siem online hosting owncloud owncloud pentest Phishing Plesk Ransomware Ransomware security server virtuale sicurezza siem Smart Working SOAR SOCaaS Threat intelligence UEBA VDS Virtual Machine vps vulnerability assessment web hosting webinar Zabbix Zabbix as a Service

RSS Unknown Feed

RSS Full Disclosure

  • [REVIVE-SA-2026-001] Revive Adserver Vulnerabilities January 15, 2026
    Posted by Matteo Beccati on Jan 14======================================================================== Revive Adserver Security Advisory REVIVE-SA-2026-001 ------------------------------------------------------------------------ https://www.revive-adserver.com/security/revive-sa-2026-001 ------------------------------------------------------------------------ Date: 2026-01-14 Risk Level: High Applications affected: Revive...
  • Defense in depth -- the Microsoft way (part 95): the (shared) "Start Menu" is dispensable January 11, 2026
    Posted by Stefan Kanthak via Fulldisclosure on Jan 10Hi @ll, the following is a condensed form of and . Windows Vista moved the shared start menu from "%ALLUSERSPROFILE%\Start Menu\" to "%ProgramData%\Microsoft\Windows\Start Menu\", with some shortcuts (*.lnk) "reflected" from the (immutable) component store below %SystemRoot%\WinSxS\ JFTR:...
  • Re: Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group) January 11, 2026
    Posted by Art Manion via Fulldisclosure on Jan 10Hi, CVE IDs *can* be assigned for SaaS or similarly "cloud only" software. For a period of time, there was a restriction that only the provider could make or request such an assignment. But the current CVE rules remove this restriction: 4.2.3 CNAs MUST NOT consider the […]
  • RIOT OS 2026.01-devel-317 Stack-Based Buffer Overflow in RIOT ethos Serial Frame Parser January 11, 2026
    Posted by Ron E on Jan 10A stack-based buffer overflow vulnerability exists in the RIOT OS ethos utility due to missing bounds checking when processing incoming serial frame data. The vulnerability occurs in the _handle_char() function, where incoming frame bytes are appended to a fixed-size stack buffer (serial->frame) without verifying that the current write index […]
  • RIOT OS 2026.01-devel-317 Stack-Based Buffer Overflow in tapslip6 Utility via Unbounded Device Path Construction January 11, 2026
    Posted by Ron E on Jan 10A stack-based buffer overflow vulnerability exists in the tapslip6 utility distributed with RIOT OS (and derived from the legacy uIP/Contiki networking tools). The vulnerability is caused by unsafe string concatenation in the devopen() function, which constructs a device path using unbounded user-controlled input. Specifically, tapslip6 uses strcpy() and strcat() […]
  • TinyOS 2.1.2 Stack-Based Buffer Overflow in mcp2200gpio January 11, 2026
    Posted by Ron E on Jan 10A stack-based buffer overflow vulnerability exists in the mcp2200gpio utility due to unsafe use of strcpy() and strcat() when constructing device paths during automatic device discovery. A local attacker can trigger the vulnerability by creating a specially crafted filename under /dev/usb/, resulting in stack memory corruption and a process […]
  • TinyOS 2.1.2 printfUART Global Buffer Overflow via Unbounded Format Expansion January 11, 2026
    Posted by Ron E on Jan 10A global buffer overflow vulnerability exists in the TinyOS printfUART implementation used within the ZigBee / IEEE 802.15.4 networking stack. The issue arises from an unsafe custom sprintf() routine that performs unbounded string concatenation using strcat() into a fixed-size global buffer. The global buffer debugbuf, defined with a size […]
  • KL-001-2026-01: yintibao Fun Print Mobile Unauthorized Access via Context Hijacking January 8, 2026
    Posted by KoreLogic Disclosures via Fulldisclosure on Jan 08KL-001-2026-01: yintibao Fun Print Mobile Unauthorized Access via Context Hijacking Title: yintibao Fun Print Mobile Unauthorized Access via Context Hijacking Advisory ID: KL-001-2026-001 Publication Date: 2026-01-08 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2026-001.txt 1. Vulnerability Details      Affected Vendor: yintibao      Affected Product: Fun Print Mobile      Affected […]
  • Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group) January 6, 2026
    Posted by Yuffie Kisaragi via Fulldisclosure on Jan 05UPDATE: Following the publication of these vulnerabilities and the subsequent CVE assignments, the CVE identifiers have now been revoked. The vendor (EQS Group) contacted the CVE Program (via a CNA) and disputed the records, stating that the affected product is an exclusively hosted SaaS platform with no customer-managed […]
  • Panda3d v1.10.16 Uncontrolled Format String in Panda3D egg-mkfont Allows Stack Memory Disclosure January 6, 2026
    Posted by Ron E on Jan 05Panda3D’s egg-mkfont utility contains an uncontrolled format string vulnerability that allows disclosure of stack-resident memory. The -gp (glyph pattern) command-line option allows users to specify a formatting pattern intended for generating glyph texture filenames. This pattern is passed directly as the format string to sprintf() without validation or sanitization. […]

Customers

Newsletter

{subscription_form_1}
Products and Solutions
Partners
Cloud Models
News
Google Reviews
Secure Online Desktop s.r.l. place picture
Secure Online Desktop s.r.l.
4.9
Based on 37 reviews
powered by Google
review us on
Riccardo Crocilli profile picture
Riccardo Crocilli
14:02 22 Mar 19
Ho collaborato con Secure Online Desktop per importanti progetti IT. Si sono dimostrati negli anni partner seri, competenti e professionali , l' Azienda dimostra una grande esperienza maturata in tanti anni di consulenza e lavoro su contesti IT innovativi.
Davvero consigliata !!!!!
In particolare vorrei sottolineare la figura che piu’ racchiude e sintetizza le qualità della Secure Online Desktop , il suo AD Ing. Piergiorgio Venuti, professionista impagabile , sia dal punto di vista tecnico/organizzativo che soprattutto (e non dimeno) come persona , capace di gestire , risolvere e approcciare qualsivoglia attività/problematica, davvero un grande !!!!
Filippo Scavone profile picture
Filippo Scavone
13:39 22 Mar 19
Dopo anni di collaborazione confermo la professionalità, competenza ed affidabilità
clickday at2016 profile picture
clickday at2016
13:36 22 Mar 19
Con lo studio di consulenza di cui sono socio, ATS – CONSULENTI ASSOCIATI S.r.l., collaboriamo già da alcuni anni, in materia di Sicurezza informatica in ambito GDPR, con la Secure Online Desktop. Si sono dimostrati partner seri, competenti e professionali sia su clienti PMI sia su Grandi imprese.
Paolo Ferrari profile picture
Paolo Ferrari
13:34 22 Mar 19
Professionali e competenti
Paolo Raimondi profile picture
Paolo Raimondi
11:08 21 Apr 18
La Polimatica Progetti Srl, azienda di cui sono titolare, collabora con soddisfazione da alcuni anni con Secure Online Desktop. L'Azienda è costituita da professionisti seri e competenti. Insieme a loro abbiamo costruito un sistema organizzato di soluzioni ICT, servizi e attività di consulenza per la compliance alla normativa in materia di protezione dei dati personali (GDPR)
Claudia Cavatorta profile picture
Claudia Cavatorta
21:45 20 Apr 18
Ormai da anni lavoriamo con Secure Online Desktop e ci siamo trovati sempre molto bene. L'Azienda ha dimostrato disponibilità costante nel risolvere problemi ed esigenze che nel nostro tipo di lavoro si presentano molto frequentemente. Sempre puntuali nell'implementare le modifiche richieste e propositivi riguardo a soluzioni che possano apportare migliorie ad un sistema già ottimale. Per quanto riguarda il prodotto: la piattaforma che abbiamo a disposizione funziona molto bene, la connessione è veloce e siamo sicuri di conservare i nostri dati in assoluta sicurezza.
Omid Fazeli profile picture
Omid Fazeli
06:59 20 Apr 18
They have a lot of solutions for any kind of business. Lower prices than many others. The support service is always active and efficient.
Miki A. profile picture
Miki A.
13:47 16 Apr 18
Prodotti eccellenti, a partire dai classici hosting, sino a VPS e cloud strutturati.
Tempi veloci e staff preparato!
More reviews
Facebook
Secure Online Desktop s.r.l.
Secure Online Desktop s.r.l.
5.0
Based on 12 reviews
powered by Facebook
review us on
Paolo Raimondi
Paolo Raimondi
11:06 21 Apr 18
La Polimatica Progetti Srl, azienda di... cui sono titolare, collabora con soddisfazione da alcuni anni con Secure Online Desktop. L'Azienda è costituita da professionisti seri e competenti. Insieme a loro abbiamo costruito un sistema organizzato di soluzioni ICT, servizi e attività di consulenza per la compliance alla normativa in materia di protezione dei dati personali (GDPR).read more
Ilaria Miglietta
Ilaria Miglietta
04:16 21 Apr 18
Servizi affidabili e di semplice... utilizzo. I loro tecnici molto attenti alle esigenze del cliente, continuate cosìread more
Francesca Marastoni
Francesca Marastoni
11:41 20 Apr 18
Excellent service company with... wonderful stuff. Highly recommended.

Ottima azienda, servizi molto utili, staff qualificato e competente. Raccomandata!read more
Alessio Liga
Alessio Liga
08:25 20 Apr 18
Servizi di alto livello, competenti e... disponibili a accettare nuove sfide per sviluppare business
Ottimo supportoread more
Matteo Revelli
Matteo Revelli
22:39 19 Apr 18
Ottima azienda, offre servizi di alta... qualità con personale competente e disponibile.read more
Lorenzo Munari
Lorenzo Munari
16:25 19 Apr 18
Azienda molto seria e... affidabile.

E' un piacere poter collaborare con realtà di questo tiporead more
Francisco Amadi
Francisco Amadi
10:41 19 Apr 18
Ho avuto il piacere di collaborare con... loro e spero vivamente che succeda di nuovo. Competenti, professionali, precisi e cordiali!read more
Davide Michelotto
Davide Michelotto
07:42 19 Apr 18
Ottimo servizio, seri professionisti al... timone della società e celerità nei tempi di risposta, oltre ogni aspettativa.read more
Gabriele Petralia
Gabriele Petralia
12:28 18 Apr 18
Luca Prati
Luca Prati
10:12 18 Apr 18
Azienda eccellente, consulenza... customizzata e puntuale.
Un ottimo fornitore.
Io personalmente ho parlato con l' Ing. Venuti, valore aggiunto indubbiamente.read more
Valerio Lezza
Valerio Lezza
21:35 17 Apr 18
Daniela Cospito Di Leo
Daniela Cospito Di Leo
21:20 17 Apr 18
More Reviews
js_loader
payments gateway
About