Key Takeaways
Lateral movement refers to the techniques attackers use after gaining initial access to move deeper into a network, often remaining hidden for weeks.
Stolen credentials are the primary fuel: the Verizon 2025 Data Breach Investigations Report found compromised credentials to be the leading entry vector, present in 22% of confirmed breaches.¹
Traditional perimeter defenses cannot stop lateral movement because it unfolds entirely inside the network, through legitimate-looking traffic.
Preventing lateral movement requires enforcing communication policy at the workload level, not just at the network edge.
Zero Trust security, network segmentation, and east-west traffic controls are the most effective architectural controls for containing a breach before it spreads.
Lateral movement is what turns a contained security incident into an organization-wide breach. Once inside, threat actors use lateral movement to expand access, locate sensitive data, and position for maximum damage. Understanding how it works is the first step to stopping it.
What Is Lateral Movement?
Lateral movement refers to the set of techniques threat actors use to progressively spread through a network after establishing a foothold. The goal is not to stay where they landed. Attackers want to reach valuable assets: crown-jewel databases, identity infrastructure, financial systems, intellectual property, and the credentials that unlock everything else.
Lateral movement in cybersecurity is distinct from the initial breach. The attacker's first challenge is getting inside. Lateral movement is everything that happens next. The blast radius of any given incident is determined almost entirely by how far lateral movement gets before containment kicks in.
Lateral Movement vs. Vertical Movement: Understanding the Difference
These two concepts describe different attacker behaviors that typically work together. Lateral movement refers to moving horizontally across systems at the same privilege level, expanding the network footprint. Vertical movement refers to escalating privileges within a single system, moving from a standard user account to an administrative one.
In practice, attackers combine both. They breach the environment at a low privilege level, escalate privileges through vertical movement, and then use those elevated credentials to conduct lateral movement across other systems. Escalating privileges and expanding access are deeply intertwined stages of a single attack chain.
The Stages of a Lateral Movement Attack
Gaining Initial Access
Every lateral movement attack starts with the attacker gaining a foothold. Attackers achieve initial access through phishing, exploitation of vulnerabilities, purchased compromised credentials, or supply chain attacks targeting trusted software. Once they have one access point, the lateral movement phase begins immediately.
Internal Reconnaissance
After the attacker is inside, they conduct internal reconnaissance. They scan the internal network to map topology, identify sensitive systems, locate high-value targets, and enumerate user accounts and privileges. Without visibility into east-west traffic, this activity often looks identical to normal network activity.
Credential Theft and Escalating Privileges
Credential dumping is one of the earliest lateral movement techniques attackers deploy. They extract user credentials from memory, configuration files, or identity stores and reuse them to authenticate to other systems without triggering alerts. Escalating privileges is the parallel goal. Attackers move from standard accounts to privileged access that can reach critical systems and sensitive data across the environment.
Stolen credentials are alarmingly effective as a vehicle for lateral movement. The Verizon 2025 DBIR reports that 88% of web application attacks involved stolen credentials, and compromised credentials were a leading entry vector in 22% of all confirmed breaches.¹
Moving Across Systems and Maintaining Persistence
With credentials and a network map, attackers move across systems using remote access tools, management protocols, and trusted services. Skilled threat actors maintain persistence by installing backdoors or creating new accounts, and they avoid detection by mimicking normal user behavior and timing their activity to match business hours.
Data Exfiltration
Once attackers reach their target, lateral movement culminates in the execution of the final objective. For ransomware groups, that means encrypting systems. For nation-state actors, it means exfiltrating sensitive data or intellectual property. For financially motivated groups, it means accessing payment infrastructure or staging mass credential theft.
Common Lateral Movement Techniques Attackers Use
Credential Dumping
Attackers extract user credentials from operating system memory, registry hives, or configuration files and reuse them to authenticate to remote systems. In cloud environments, attackers target instance metadata services, IAM role tokens, and Kubernetes service account tokens.
Pass-the-Hash and Pass-the-Ticket
These techniques allow attackers to authenticate to other systems using credential hashes or Kerberos tickets without needing the plaintext password. They remain common across Windows environments despite being well-documented for decades.
Remote Desktop Protocol and Remote Services
Remote Desktop Protocol was the top lateral movement tool observed in 2024 incidents, appearing in 26% of cases.² Attackers with stolen credentials connect to remote systems over legitimate management channels, making the traffic difficult to distinguish from normal user behavior without east-west traffic monitoring.
Exploitation of Trusted Relationships and Overpermissioned Roles
In cloud environments, lateral movement frequently exploits overpermissioned service accounts, IAM roles with broad access, and misconfigured VPC peering. An attacker who compromises one workload with access to a privileged role can reach other cloud environments, cross VPC boundaries, and access managed services without additional exploitation.
Lateral Movement Examples from Real Attacks
The Change Healthcare Attack (2024)
The BlackCat ransomware group used stolen credentials to breach Change Healthcare's environment, then moved laterally across the network using those compromised credentials. The attack disrupted healthcare operations across the United States and resulted in a reported $22 million ransom payment.³ Without controls on east-west traffic and on users accessing systems across network segments, lateral movement went unchecked.
The LiteLLM Cascade (2026)
In March 2026, threat group TeamPCP pushed malicious versions of LiteLLM, a Python middleware library used in roughly 36% of cloud environments, to PyPI via a compromised CI/CD dependency. Once downloaded, the payload harvested AWS, GCP, and Azure credentials immediately. Attackers did not need to exploit a vulnerability. They rode valid credentials through legitimate channels. This is the lateral movement pattern that detection tools cannot catch.
Why Perimeter Security Cannot Stop Lateral Movement
Traditional perimeter defenses were designed to stop threats at the network boundary. Lateral movement happens entirely inside that boundary, using valid credentials and normal network traffic patterns. By the time an attacker is moving between internal systems, they have already passed the firewall.
Most security tools take one of two approaches. They alert when something crosses the perimeter, or they scan the environment and flag risky configurations. Neither approach governs what happens after an attacker is already inside using compromised accounts and normal-looking traffic.
This structural gap is what makes stopping lateral movement so difficult with legacy architectures. Traditional security models assume that what is inside the perimeter is trusted. Lateral movement exploits that assumption directly.
How to Detect Lateral Movement
Lateral Movement Detection Signals
Security teams should monitor for authentication attempts from systems that do not normally communicate, accounts accessing multiple systems in rapid succession, and unusual remote access to critical systems. Behavioral analytics that establish baselines of normal user behavior can surface anomalies that indicate lateral movement in progress.
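The two signals named above, an account authenticating to many systems in rapid succession and a source-to-destination pair that has never been seen before, can be checked directly against authentication telemetry. The following is an added example, not code from the original article or from Aviatrix: the log lines and the baseline of "normal" host pairs are constructed for illustration, and the field layout (timestamp, account, source host, destination host, outcome) is an assumed CSV shape rather than any product's native format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real telemetry).
# Fields: timestamp, account, source host, destination host, outcome
SAMPLE_EVENTS = """\
2026-03-10T09:01:12Z,alice,ws-alice,fileserver-01,success
2026-03-10T09:03:40Z,alice,ws-alice,mail-01,success
2026-03-10T09:05:02Z,bob,ws-bob,fileserver-01,success
2026-03-10T02:14:05Z,svc-backup,ws-alice,db-01,success
2026-03-10T02:14:19Z,svc-backup,ws-alice,db-02,success
2026-03-10T02:14:33Z,svc-backup,ws-alice,dc-01,success
2026-03-10T02:14:47Z,svc-backup,ws-alice,fileserver-01,success
2026-03-10T02:15:01Z,svc-backup,ws-alice,hr-app-01,success
"""

# Constructed baseline: source->destination pairs seen during a quiet period.
# In practice this would be learned from weeks of east-west flow data.
BASELINE_PAIRS = {
    ("ws-alice", "fileserver-01"),
    ("ws-alice", "mail-01"),
    ("ws-bob", "fileserver-01"),
    ("backup-01", "db-01"),
    ("backup-01", "db-02"),
}


def parse_events(text):
    """Parse the constructed CSV lines into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, account, src, dst, outcome = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account, "src": src, "dst": dst, "outcome": outcome,
        })
    return events


def fan_out_alerts(events, window=timedelta(minutes=5), threshold=4):
    """Flag accounts that successfully authenticate to at least `threshold`
    distinct destinations inside a sliding time window: the 'accounts
    accessing multiple systems in rapid succession' signal."""
    by_account = defaultdict(list)
    for e in events:
        if e["outcome"] == "success":
            by_account[e["account"]].append(e)
    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            dsts = {e["dst"] for e in in_window}
            if len(dsts) >= threshold:
                alerts.append((account, sorted(dsts)))
                break  # one alert per account is enough for triage
    return alerts


def new_pair_alerts(events, baseline):
    """Flag source->destination pairs never observed in the baseline: the
    'systems that do not normally communicate' signal. Each new pair is
    reported once, tagged with the first account that used it."""
    seen = set()
    alerts = []
    for e in events:
        pair = (e["src"], e["dst"])
        if pair not in baseline and pair not in seen:
            seen.add(pair)
            alerts.append((e["account"], e["src"], e["dst"]))
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for account, dsts in fan_out_alerts(evs):
        print(f"fan-out: {account} reached {len(dsts)} hosts in 5 min: {dsts}")
    for account, src, dst in new_pair_alerts(evs, BASELINE_PAIRS):
        print(f"new pair: {account} {src} -> {dst}")
```

Both checks fire on the constructed service account: it reaches five distinct hosts inside a minute, from a workstation that has never talked to those hosts before, at 02:14 local time. Neither check needs the login to fail; every event above is a successful authentication with a valid credential, which is exactly the case the next sections describe as hard to catch.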
Endpoint Detection and East-West Traffic Visibility
Endpoint detection tools can identify credential dumping activity and suspicious use of remote access tools on individual systems. Monitoring east-west traffic inside cloud environments adds the layer endpoint detection alone cannot provide: visibility into how workloads communicate with each other, not just what is happening on each machine.
The Limits of Detection Alone
Detection cannot stop lateral movement by itself. The core problem is the Credential Vector: the majority of intrusions ride valid credentials through legitimate channels, producing no anomalous signal.⁴ When an attacker uses a stolen but valid credential, behavioral analytics may see nothing unusual. Endpoint detection sees a legitimate login. Detection is necessary but not sufficient to stop lateral movement in its tracks.
Preventing Lateral Movement: The Controls That Work
Zero Trust Security Architecture
Zero Trust security is the architectural foundation for stopping lateral movement. The core principle: no user, workload, or system is trusted by default based on network location. Every connection is verified explicitly. Every workload receives only the access it requires.
Zero Trust security moves the enforcement boundary from the perimeter to every individual communication path. This is how organizations prevent a single compromised account from spreading lateral movement across the entire environment.
Network Segmentation and Strict Access Controls
Network segmentation limits lateral movement by dividing the environment into segments with strict access controls between them. When an attacker compromises one segment, they cannot freely reach other segments without crossing an enforced policy boundary. Strict access controls reduce the blast radius further: accounts should hold only the permissions needed for their function, and privileged access management should ensure elevated access is tightly controlled and continuously monitored.
Multi-Factor Authentication
Multi-factor authentication (MFA) raises the bar for lateral movement by ensuring stolen credentials alone are not sufficient to authenticate to other systems. MFA cannot stop lateral movement once an active session is established, but it reduces the usefulness of credential theft as the primary vehicle for expanding access.
Monitoring East-West Traffic and Disabling Unnecessary Services
Most security architectures focus on north-south traffic between the internal network and the internet. East-west traffic is where lateral movement actually happens. Security teams need visibility into workload-to-workload communication inside cloud environments, between VPCs, and across Kubernetes clusters. Disabling unnecessary services and limiting remote access reduces the number of paths available for lateral movement in the first place.
Preventing Lateral Movement in Cloud Environments
Cloud environments create unique challenges for containing lateral movement. Workloads are ephemeral, permissions are often broadly scoped, and IAM roles carry access across cloud environments and services. Traditional network segmentation designed for on-premises infrastructure does not translate cleanly to multi-cloud architectures.
Preventing lateral movement in cloud environments requires enforcement at the workload level, not just at the perimeter. Aviatrix's Cloud Native Security Fabric™ addresses this by embedding enforcement directly into the cloud fabric, governing every workload-to-workload communication path across AWS, Azure, GCP, and OCI from a single policy plane.
Containment is defined as the architectural enforcement of explicit communication policy at every workload, governing what it can reach and what can reach it, at the granularity of workload identity and protocol, on every path available to it, independent of whether a compromise has been detected. That definition closes the gap that credential-based lateral movement exploits: enforcement holds regardless of whether a detection alert has fired.
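The segmentation and least-privilege controls described earlier and the containment definition just given reduce to one mechanism: a default-deny allow-list keyed on workload identity, protocol and port, evaluated on every connection, with no dependence on whether a detection has fired. The block below is an added example that models that mechanism in plain Python; it is not Aviatrix code and does not represent the Cloud Native Security Fabric's policy format. The workload names, rules and attempted flows are all constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # identity of the initiating workload (a label, not an IP)
    dst: str    # identity of the destination workload or named external target
    proto: str  # "tcp" or "udp"
    port: int


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    port: int


# Constructed allow-list: the only communication each workload is permitted.
# Anything not listed here is denied; there is no "internal = trusted" default.
POLICY = [
    Rule("web", "api", "tcp", 8443),
    Rule("api", "db", "tcp", 5432),
    Rule("api", "payments-gw", "tcp", 443),
    Rule("backup", "db", "tcp", 5432),
]


def is_allowed(flow, policy=POLICY):
    """Default deny: a flow passes only if an explicit rule matches the
    initiator identity, destination identity, protocol and port. Whether the
    initiator is suspected of compromise is deliberately not an input, which
    is what makes enforcement independent of detection."""
    return any(
        r.src == flow.src and r.dst == flow.dst
        and r.proto == flow.proto and r.port == flow.port
        for r in policy
    )


def evaluate(flows, policy=POLICY):
    """Return an (flow, verdict) list for a batch of attempted connections."""
    return [(f, "ALLOW" if is_allowed(f, policy) else "DENY") for f in flows]


def direct_reach(src, policy=POLICY):
    """Destinations a single workload can initiate a connection to."""
    return sorted({r.dst for r in policy if r.src == src})


def blast_radius(src, policy=POLICY):
    """Transitive reach: every workload an attacker could arrive at by
    pivoting hop by hop from `src` through allowed paths. This is the
    segmentation question 'if this workload falls, what else is exposed?'"""
    reached, frontier = set(), [src]
    while frontier:
        cur = frontier.pop()
        for r in policy:
            if r.src == cur and r.dst != src and r.dst not in reached:
                reached.add(r.dst)
                frontier.append(r.dst)
    return sorted(reached)


# Constructed flows, including what a compromised "web" workload might attempt.
SAMPLE_FLOWS = [
    Flow("web", "api", "tcp", 8443),      # normal application traffic
    Flow("web", "db", "tcp", 5432),       # web has no business reaching db
    Flow("web", "internet", "tcp", 443),  # outbound credential exfiltration
    Flow("api", "db", "tcp", 5432),       # normal
    Flow("api", "db", "tcp", 22),         # right peer, wrong protocol/port
]


if __name__ == "__main__":
    for flow, verdict in evaluate(SAMPLE_FLOWS):
        print(f"{verdict:5} {flow.src} -> {flow.dst} {flow.proto}/{flow.port}")
    for w in ("web", "api", "backup", "db"):
        print(f"blast radius of {w}: {blast_radius(w)}")
```

Two properties of this model carry over to real workload-level enforcement. First, the outbound exfiltration attempt and the web-to-db pivot are denied by the absence of a rule, not by any alert; the policy does the same thing on day one and during an active intrusion. Second, `blast_radius` makes the cost of an over-broad rule visible before a breach: adding a single `Rule("web", "db", ...)` would put the database one hop from the most exposed tier, which is the kind of overpermissioned path the cloud section above warns about.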
When the LiteLLM Cascade hit in March 2026, Aviatrix customers were protected because outbound credential exfiltration was blocked at the workload level the moment it was attempted, before any alert could have triggered. That is containing lateral movement through architecture, not alerts. Learn more about how lateral movement unfolds in cloud environments and how runtime enforcement changes the equation.
For security teams evaluating their current posture, the Workload Attack Path Assessment offers a free, agentless diagnostic that maps how lateral movement would propagate through your actual cloud environment using flow and DNS telemetry.
Conclusion
Lateral movement is how attackers go from one compromised account to a full network takeover. It is the mechanism that separates a contained incident from a catastrophic breach. Perimeter-focused security and alert-based detection cannot stop it, because lateral movement happens inside the perimeter using valid credentials and legitimate traffic patterns.
Preventing lateral movement requires enforcement at the workload level, Zero Trust security architecture, strict access controls, multi-factor authentication, and east-west traffic visibility across cloud environments. For organizations running workloads across multiple cloud providers, workload-level enforcement through a platform like Aviatrix's Cloud Native Security Fabric provides the containment architecture that limits blast radius and stops lateral movement before it reaches sensitive data and critical systems.
The question is no longer whether your environment will face lateral movement attempts. It is what the blast radius will be when it happens.
References
1. https://www.verizon.com/business/resources/reports/dbir/
2. https://www.reliaquest.com/resources/research-reports/annual-cyber-threat-report/
3. https://cloud.google.com/blog/topics/threat-intelligence/zero-day-moveit-data-theft
4. https://aviatrix.ai/threat-research-center/
5. https://www.ibm.com/reports/data-breach
6. https://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats
Frequently Asked Questions
Lateral movement in cybersecurity refers to the techniques attackers use to spread through a network after establishing a foothold. It is how threat actors expand their access, escalate privileges, and reach sensitive data or critical systems before executing their final objective.
Attackers typically begin lateral movement by stealing credentials from a compromised system, then authenticating to other systems using those stolen credentials. Common techniques include credential dumping, pass-the-hash attacks, exploiting remote access protocols, and abusing overpermissioned service accounts in cloud environments.
Moving horizontally means accessing systems at the same privilege level. Moving vertically means escalating privileges within a single system. Attackers typically combine both, escalating privileges on an initial system and then using those elevated credentials to conduct lateral movement across multiple systems.
Preventing lateral movement requires zero trust security architecture, network segmentation, strict access controls, multi-factor authentication, and east-west traffic monitoring. In cloud environments, workload-level enforcement that governs every communication path regardless of whether a threat has been detected is the most effective control.