IronSights

Detection & response

Lateral movement

The technique used by attackers to progressively move through a network after initial compromise, gaining access to additional systems, data, and credentials en route to their ultimate target.

Also known asnetwork lateral movementeast-west movement

In plain English

Once an attacker is inside one device, they don't stop there. Lateral movement describes how they hop from machine to machine — using stolen credentials, exploiting vulnerabilities, or abusing trusted network relationships — until they reach the systems or data they're after. Network segmentation and the principle of least privilege limit how far an attacker can travel.

Full definition

Getting into one machine is rarely the goal. The data an attacker wants is usually on a different server, in a different account, or behind a different set of permissions. Lateral movement is how they close that gap.

After an initial compromise, attackers move through a network using whatever they can find: , pass-the-hash attacks that reuse authentication tokens without needing the actual password, exploitation of trust relationships between systems. In a flat network with no segmentation, a single compromised laptop can become the starting point for access to a domain controller, a file server, or a cloud admin account within hours.

Two controls limit how far an attacker can travel once they are inside. splits the environment into zones so that a compromised endpoint in the sales team cannot directly reach payroll systems or backup infrastructure. Least privilege access means that even if an attacker takes over a user account, that account can only reach what the legitimate user needed. In the framework, both restricting administrative privileges and patching applications directly address the techniques used for lateral movement. A penetration test that stops at initial access misses the question that matters most: once we are in, how far can we get?

Keep learning

More terms in the IronSights Glossary.