LastPass Labs

Lateral Movement: The Hidden Pathway to Data Breaches

Stephanie Schneider, December 03, 2024

When it comes to cybersecurity, the concept of the perimeter is critical—it encompasses everything that needs to be protected. Given how easy it is for threat actors to pivot from an entry point via a low-level employee to get into systems and gain access to high-value targets, entities must ensure their entire organization is covered. It’s not enough to secure just a few individuals or devices; the entire network and all its users must be safeguarded.

Think of it like a panic room designed to protect your family during a break-in. Imagine your organization is the house, with the panic room representing your critical systems and data. Every door, window, and wall in the house symbolizes your network and employees—each one a potential entry point for intruders. To truly protect what matters, the entire house must be secure: doors locked, windows reinforced, and alarm systems active. Ideally, you’d like to prevent anyone from ever getting into your house to begin with (that’s why it’s called a Panic Room). Similarly, in cybersecurity, it’s not enough to protect just the "panic room" of high-value systems. Every user, device, and access point across the organization must be safeguarded because attackers will always look for the easiest way in. And once inside, even the best panic room may not be enough to keep you safe.

This is why relying on a password manager like LastPass for only a subset of users creates gaps that malicious actors can exploit. Cyber threats don’t discriminate between protected and unprotected endpoints—they target the weakest link in the chain. Therefore, the perimeter must extend as far out as possible, covering every individual, device, and access point. Comprehensive protection ensures that vulnerabilities aren’t left exposed, reducing the risk of breaches that can compromise the entire system.

Lateral movement is a common tactic used by cyber threat actors, used in around 25% of all cyberattacks. The term “lateral movement” doesn't mean hackers always move sideways through a network though—their actions can be more of a lattice moving up and down, rather than just across. Lateral movement can be exacerbated by overprivileged accounts. Overprivileged accounts have more permissions or access rights than they need to perform their intended tasks, which can increase security risks and vulnerabilities. Considering the increasing attack surface with Software-as-a-Service (SaaS) applications and shadow IT, overprivileged accounts can allow access to internal systems and sensitive data and pose several cyber threats.

The speed of cyberattacks is also increasing, in part due to increased automation. It now takes threat actors on average 62 minutes to move laterally from initial access to other devices or systems on the same network according to the 2024 CrowdStrike Global Threat Report. These compounding threats raise the stakes for entities to set their security perimeter as far out as they can to make it harder for threat actors to gain access to their systems.

What is Lateral Movement?

Lateral movement is the traversal of a larger network from an initial access point via privilege escalation, vulnerability exploits, and other methods. Hackers use this technique to expand their reach within a company's network and stay hidden. Threat actors pivot from their initial entry point, such as a compromised account on a corporate laptop, to the rest of a network, gaining access to sensitive systems or data and achieving their ultimate objectives, whether it's data theft, network disruption, or deeper compromise.

Threat actors first compromise a legitimate corporate account using stolen credentials; social engineering; malware delivered via phishing emails, exploit kits, or drive-by download attacks; or other techniques. Once the account has been compromised, attackers can conduct reconnaissance to determine where they are in the network via the compromised account and its existing privileges and connections. To move through a network, the attacker usually needs additional credentials: legitimate user credentials, stolen administrative credentials, or privileges escalated by other means, which let them propagate through the network. Credential dumping—stealing login information from software or the operating system—can be accomplished using tools like keyloggers or Windows Credential Editor. Other common techniques for obtaining credentials include social engineering, brute-force attacks, pass-the-ticket, pass-the-hash, or simply buying already-stolen passwords from a dark web marketplace.
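As an added example (not from the original post or from LastPass), here is the kind of detection logic a defender could run over forwarded logon events to catch a single account fanning out to several hosts inside the 62-minute breakout window cited above. The event format, host names, account names and the three-host threshold are constructed for illustration.

```python
import datetime as dt
from collections import defaultdict

# Constructed sample: authentication events as a SIEM might receive them.
# Fields: timestamp (UTC), account, source host, destination host, logon type.
SAMPLE_EVENTS = [
    "2024-12-03T09:00:00Z,jdoe,LAPTOP-17,LAPTOP-17,interactive",
    "2024-12-03T09:05:00Z,jdoe,LAPTOP-17,FILESRV-01,network",
    "2024-12-03T09:12:00Z,jdoe,LAPTOP-17,HR-DB-02,network",
    "2024-12-03T09:20:00Z,jdoe,FILESRV-01,DC-01,network",
    "2024-12-03T09:31:00Z,jdoe,HR-DB-02,BACKUP-01,network",
    "2024-12-03T09:00:00Z,asmith,LAPTOP-22,LAPTOP-22,interactive",
    "2024-12-03T10:30:00Z,asmith,LAPTOP-22,FILESRV-01,network",
    "2024-12-03T15:45:00Z,asmith,LAPTOP-22,PRINT-01,network",
]

BREAKOUT_WINDOW = dt.timedelta(minutes=62)  # average breakout time cited above
HOST_THRESHOLD = 3  # assumed: distinct destination hosts inside one window


def parse_event(line):
    ts, account, src, dst, logon_type = line.split(",")
    return {
        "ts": dt.datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "account": account, "src": src, "dst": dst, "type": logon_type,
    }


def find_breakout_candidates(lines, window=BREAKOUT_WINDOW, threshold=HOST_THRESHOLD):
    """Return {account: (window_start, sorted hosts reached)} for accounts that
    reach `threshold` or more distinct hosts within `window` of a remote logon.

    Only remote ('network') logons to a host other than the source count, so a
    user's own interactive logon on their laptop is never treated as movement."""
    by_account = defaultdict(list)
    for ev in map(parse_event, lines):
        if ev["type"] == "network" and ev["src"] != ev["dst"]:
            by_account[ev["account"]].append(ev)
    alerts = {}
    for account, events in by_account.items():
        events.sort(key=lambda e: e["ts"])
        # Slide the window from each remote logon and count hosts reached in it.
        for i, first in enumerate(events):
            reached = {e["dst"] for e in events[i:] if e["ts"] - first["ts"] <= window}
            if len(reached) >= threshold:
                alerts[account] = (first["ts"], sorted(reached))
                break  # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    for account, (start, hosts) in find_breakout_candidates(SAMPLE_EVENTS).items():
        print(f"{account}: reached {hosts} within {BREAKOUT_WINDOW} of {start}")
```

On the sample, jdoe trips the rule (four hosts in 26 minutes) while asmith's two logons hours apart do not.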

Major Case Studies

A breach doesn’t have to start from an account with elevated privileges—it can come from anywhere. For instance, the DarkSide ransomware gang breached US pipeline operator Colonial Pipeline in 2021 by using compromised VPN credentials for an employee login that was believed to be inactive; the employee had reportedly reused the same password on another site that had been compromised. After gaining access, the threat actors used their access privileges to move laterally across the network's infrastructure and stole approximately 100 gigabytes of data in two hours. The ransomware incident impacted the company's IT network and forced the company to shut down pipeline operations, as well as various IT components. Colonial Pipeline paid the ransomware operators 75 Bitcoins (approximately $4.4 million USD) to restore its data and operations. The MITRE Corporation, a non-profit overseeing federally funded research, was breached by Chinese nation-state hackers in January this year through two zero-day vulnerabilities in products from IT vendor Ivanti. The hackers used the Ivanti vulnerabilities to move laterally by taking over a compromised administrator account and used a “combination of sophisticated backdoors and webshells to maintain persistence and harvest credentials.”

SMBs Face Risks Too

If this can happen at a large company, it can happen at a company of any size. One-third of small and medium-sized businesses (SMBs) were hit by a cyberattack in the past year, Microsoft Security recently said in a report conducted by research firm Bredin. The greatest cybersecurity challenge facing organizations of all sizes is data protection. Although small businesses typically hold smaller amounts of data, this information is of high value to cybercriminals. SMBs can be an attractive target for ransomware and other cyberattacks because of the perception that their security isn’t as robust as that of larger organizations with bigger security budgets. For instance, according to reporting in September, cybercriminal group "CosmicBeetle" exploited various older vulnerabilities in technologies typically used by small businesses in Turkey, as well as Spain, India, and South Africa, to install its custom SCRansom malware. Vulnerabilities included issues in Veeam Backup & Replication (CVE-2023-27532), which can allow unauthenticated attackers to access the backup infrastructure, and two privilege escalation vulnerabilities in Microsoft Active Directory (CVE-2021-42278 and CVE-2021-42287), which together allow a user to "effectively become a domain admin." Researchers suspected the hackers opportunistically attacked these small businesses because these older, known vulnerabilities are more likely to have been patched in larger companies with better patch management in place.

According to Sophos' 2024 Threat Report, over 90% of customer-reported attacks involved some form of data or credential theft. These attacks ranged from ransomware and data extortion to unauthorized remote access and direct data theft. Stolen credentials, including browser cookies, are commonly used in business email compromise schemes, to access third-party services like cloud-based finance systems, or to infiltrate internal resources for fraud or financial gain. Additionally, these credentials are often sold by "access brokers" on underground forums, with some listings specifically advertising access to the networks of small and medium businesses.

Lateral movement in a smaller network is, by definition, easier to do. Small and mid-size businesses may not have adequate network segmentation, and accounts are also frequently overprivileged, which makes it easier to move laterally within the network. SMBs’ connections to other companies can be valuable to threat actors and may be seen as an entry point to critical infrastructure or larger entities. Cybercriminals increasingly focus on supply chain attacks, where they target smaller, less-secure vendors to gain access to larger enterprises.

Indiscriminate Targeting

Widespread campaigns that are opportunistic, scanning for vulnerable companies to get their foot in the door, can pose a threat to a wide range of targets. Financially motivated cyber threat group Storm-1811 abused the Windows Quick Assist feature in social engineering attacks to deploy Black Basta ransomware payloads on victims' networks starting in mid-April this year. First the hackers email bombed the target after subscribing their addresses to various email subscription services; then they called and impersonated Microsoft technical support or the company's IT or help desk staff, offering to help remediate the spam issue. During this voice phishing attack, the attackers tricked the victims into granting them access to their Windows devices by launching the Quick Assist built-in remote control and screen-sharing tool. After installing malicious tools and concluding the phone call, Storm-1811 performed domain enumeration, moved laterally through the victim's network, and deployed Black Basta ransomware. In another attack earlier this year, cybercriminal group CRYSTALRAY broadened its targeting scope ten-fold to steal credentials and deploy crypto miners with new tactics and exploits, using the SSH-Snake open-source worm to spread laterally on breached networks.

The frequency and effectiveness of lateral movement by threat actors underscores the importance of stopping a threat actor before they can ever get in the door. Social engineering awareness training, prompt vulnerability patching, and password management can help protect you by locking your doors and windows without relying on your panic room!