ORSYS le mag 2025 logo

The training and skills medium

Home > Cybersecurity glossary > Lateral movement πŸ”΄ Technique

Lateral movement πŸ”΄ Technique

Lateral movement is a technique used by cyber attackers to move within a network after an initial intrusion, in order to gain access to systems, data or information. privileges sensitive.

The lateral movement aims to extend the attacker's reach by exploiting vulnerabilities stolen identifiers or legitimate tools.

 

Objective

  • Reaching critical targets (servers, databases, admin accounts)
  • Raising privileges to control strategic resources
  • Preparing destructive actions (data exfiltration, deployment of ransomware)

 

πŸ”§ Tools

 

Method Explanation
Pass-the-Hash Theft and reuse of password hashes to access other machines.
Exploitation of vulnerabilities Use of unpatched vulnerabilities (e.g. EternalBlue) to propagate the attack.
RDP (Remote Desktop Protocol) Remote access to machines using compromised credentials.
PowerShell/WMI Exploitation of legitimate system tools to execute malicious commands.
Trojan horse Deployment of malware to maintain persistent access and pivot between systems.

πŸ‘‰ Examples

 

  1. Ransomware After infecting a user workstation, the attacker uses stolen credentials to propagate to the backup servers.
  2. APT (Advanced Persistent Threat) a state-owned group uses exploits to access a company's administrative network via internal file sharing.
  3. Phishing internal sending bogus e-mails from a compromised account to infect other employees.

 

πŸ”Ž Detection and prevention

  1. Internal traffic monitoring :
    • Tools : EDR (Endpoint Detection and Response), SIEMlog analysis.
    • Signals: Unusual RDP connections, admin account activity outside normal hours.
  2. Limiting privileges :
    • Least Privilege Principle.
    • Network segmentation (isolate critical areas).
  3. Enhanced authentication :
    • MFA (Multi-Factor Authentication) for sensitive access.
    • Regular password rotation.
  4. Patch management Fix critical vulnerabilities quickly (e.g. ProxyLogon, PrintNightmare).

 

Key figures

In France (source: ANSSI, 2023)

  • 68 % of serious incidents involve lateral movement to reach critical systems.
  • 40 % of attacks use internal tools (e.g. PowerShell) to avoid detection.

In the world

  • 87% of data breaches include lateral movement (Verizon DBIR 2023).
  • Average cost an attack with lateral movement: 4.7 million (IBM).
  • Average time to detect lateral movement : 150 days (Mandiant).

 

Why is it critical?

  • Silencer Attackers often imitate legitimate behaviour
  • Exponential impact an initial minor breach can lead to a total network compromise
  • Strategic challenge The financial, health and energy sectors are priority targets

⚠️ Challenge : Cloud/hybrid environments make detection more complex (e.g. movement between on-premises and AWS/Azure)

Back to Glossary

field of training

ο€­

Cybersecurity

associated training



Systems and network security, level 1



Hacking and security, level 1



Information systems security, summary

BEST

Towards the ORSYS Cyber Academy: a free space dedicated to cybersecurity