What is Lateral Movement?
The technique by which attackers move from an initially compromised system to other systems within a network, escalating privileges and expanding access to reach high-value targets.
Lateral movement is one of the most dangerous phases of an attack and the primary reason flat network architectures are inherently risky. After gaining initial access (phishing, exploiting a vulnerability, stolen credentials), an attacker pivots from the compromised host to adjacent systems. Common techniques include pass-the-hash, pass-the-ticket, RDP hijacking, exploitation of trust relationships between systems, and abuse of administrative tools such as PsExec or WMI. Most of these ride on valid credentials and legitimate administrative protocols (SMB, RPC, WinRM, RDP), so they rarely trip signature-based controls; what gives them away is behaviour, such as one account authenticating to many hosts in a short window, or a remote-execution service appearing on a server that never had one.
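The behavioural tells above can be turned into detection logic. The following is an added example, not code from the original page: it runs three rules over a constructed set of simplified Windows Security events (4624 logon, 7045 service installed, 4688 process created). The event field names, the window and threshold values, and the host and account names are assumptions chosen for illustration, not values taken from any real environment.

```python
"""Lateral-movement indicators over simplified Windows Security events.

Added example. Events are constructed; field names are simplified versions
of the 4624 / 7045 / 4688 event fields, and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real log data). Times are UTC.
EVENTS = [
    # Normal interactive logon on a workstation.
    {"id": 4624, "time": "2024-05-01T09:00:00", "host": "WS01", "user": "alice",
     "logon_type": 2, "auth": "Kerberos", "src_ip": "-"},
    # Same account, NTLM network logons to five servers in five minutes.
    {"id": 4624, "time": "2024-05-01T09:10:00", "host": "FS01", "user": "alice",
     "logon_type": 3, "auth": "NTLM", "src_ip": "10.0.1.15"},
    {"id": 4624, "time": "2024-05-01T09:11:00", "host": "FS02", "user": "alice",
     "logon_type": 3, "auth": "NTLM", "src_ip": "10.0.1.15"},
    {"id": 4624, "time": "2024-05-01T09:12:00", "host": "DB01", "user": "alice",
     "logon_type": 3, "auth": "NTLM", "src_ip": "10.0.1.15"},
    {"id": 4624, "time": "2024-05-01T09:13:00", "host": "APP01", "user": "alice",
     "logon_type": 3, "auth": "NTLM", "src_ip": "10.0.1.15"},
    {"id": 4624, "time": "2024-05-01T09:14:00", "host": "DC01", "user": "alice",
     "logon_type": 3, "auth": "NTLM", "src_ip": "10.0.1.15"},
    # PsExec's default service appearing on DB01.
    {"id": 7045, "time": "2024-05-01T09:12:30", "host": "DB01",
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    # WMI provider host spawning a shell on APP01 (remote WMI execution).
    {"id": 4688, "time": "2024-05-01T09:13:20", "host": "APP01",
     "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\cmd.exe"},
    # Benign noise: a backup account and a user each touching one host.
    {"id": 4624, "time": "2024-05-01T09:20:00", "host": "FS01", "user": "svc_backup",
     "logon_type": 3, "auth": "Kerberos", "src_ip": "10.0.2.5"},
    {"id": 4624, "time": "2024-05-01T09:21:00", "host": "FS01", "user": "bob",
     "logon_type": 3, "auth": "NTLM", "src_ip": "10.0.1.20"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}


def _t(s):
    return datetime.fromisoformat(s)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ntlm_fanout(events, window=timedelta(minutes=10), threshold=4):
    """Flag an (account, source IP) pair that makes NTLM network logons
    (4624, logon type 3) to at least `threshold` distinct hosts within
    `window`. Pass-the-hash and tool-driven pivoting produce this fan-out;
    a single user normally does not. Window and threshold are tuning
    assumptions and must be fitted to the environment."""
    by_key = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == 3 and e["auth"] == "NTLM":
            by_key[(e["user"], e["src_ip"])].append((_t(e["time"]), e["host"]))
    hits = []
    for (user, src_ip), logons in by_key.items():
        logons.sort()
        best, start = set(), 0
        for end in range(len(logons)):
            # Slide the left edge until the window spans at most `window`.
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {h for _, h in logons[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= threshold:
            hits.append({"user": user, "src_ip": src_ip, "hosts": sorted(best)})
    return hits


def psexec_service_installs(events):
    """7045 events naming PsExec's default service. A renamed service
    evades this, so it is high precision, low recall."""
    return [(e["host"], e["service_name"]) for e in events
            if e["id"] == 7045 and ("PSEXESVC" in e["service_name"].upper()
                                     or "PSEXESVC" in e["image_path"].upper())]


def wmi_spawned_shells(events):
    """4688 events where the WMI provider host is the parent of a shell or
    script host: the local footprint of remote execution over WMI."""
    return [(e["host"], _basename(e["image"])) for e in events
            if e["id"] == 4688 and _basename(e["parent"]) == "wmiprvse.exe"
            and _basename(e["image"]) in SHELLS]


def detect(events):
    return {"ntlm_fanout": ntlm_fanout(events),
            "psexec": psexec_service_installs(events),
            "wmi_exec": wmi_spawned_shells(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(detect(EVENTS), indent=2))
```

The three rules deliberately have different precision: the fan-out rule catches unknown tooling but needs a per-environment baseline (service accounts that legitimately touch many hosts must be allow-listed), while the PsExec and WMI rules are cheap and precise but only catch default tool behaviour. Correlating them on the same source account within minutes, as the constructed events do, is what turns individually weak signals into a confident lateral-movement alert.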
Traditional remote-access VPNs exacerbate lateral movement risk because they typically grant broad network access: once the tunnel is up, a compromised endpoint can reach any host on the routed subnets that a firewall rule does not explicitly block. ZTNA mitigates this by brokering connections to specific applications rather than to network segments, so the endpoint never receives a routable path into the rest of the environment. A compromised endpoint can still use the sessions its user and device are authorized for, but it cannot scan, enumerate or pivot to resources outside that allow-list, because no network-level adjacency exists.
Microsegmentation provides the complementary control for east-west traffic within data centers and cloud environments. By enforcing allow-list policies between workloads, with everything not explicitly allowed denied, it limits the blast radius of a breach even after initial access. Blast radius has to be assessed transitively: if web servers may talk to application servers and application servers may talk to the database, a compromised web server is two hops from the database, and a single broad rule (a jump host or monitoring agent allowed to reach everything) re-flattens every segment it touches. ZTNA (north-south access control) and microsegmentation (east-west access control) together address both directions of lateral movement; neither blocks movement that uses an allowed path with valid credentials, which is why endpoint and cross-domain detection remain necessary alongside them.
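The transitive blast-radius point is easiest to see by evaluating a policy. The following is an added example, not code from the original page or from any vendor's product: it models a small workload inventory with tier labels, an allow-list of (source tier, destination tier, port) rules with default deny, and computes which workloads an attacker can reach from one compromised host, assuming each reached workload can in turn be compromised. The inventory, tier names and rules are constructed assumptions.

```python
"""Blast-radius evaluation for an allow-list segmentation policy.

Added example. Workloads, tiers and rules are constructed; the evaluator
treats any allowed source->destination port as a usable pivot and assumes
every reached workload can be compromised (worst case for a review).
"""
from collections import deque

# Constructed inventory: workload name -> tier label.
WORKLOADS = {
    "web-1": "web", "web-2": "web",
    "app-1": "app", "app-2": "app",
    "db-1": "db",
    "bastion-1": "bastion",
    "ci-1": "ci",
}

# Allow rules: (source_tier, dest_tier, port); "*" is a wildcard.
# Anything not matched by a rule is denied.
FLAT_NETWORK = [("*", "*", "*")]

SEGMENTED = [
    ("web", "app", 8080),      # web tier may call the app tier
    ("app", "db", 5432),       # app tier may reach the database
    ("bastion", "*", 22),      # jump host may SSH anywhere (the broad rule)
]


def open_ports(rules, src, dst, inv=WORKLOADS):
    """Ports on which `src` may initiate connections to `dst`.
    A workload needs no rule to talk to itself, so src == dst yields an
    empty set and never counts as a hop."""
    if src == dst:
        return set()
    return {port for r_src, r_dst, port in rules
            if r_src in ("*", inv[src]) and r_dst in ("*", inv[dst])}


def blast_radius(rules, compromised, inv=WORKLOADS):
    """All workloads reachable, over any number of hops, from `compromised`."""
    reached = {compromised}
    queue = deque([compromised])
    while queue:
        cur = queue.popleft()
        for w in inv:
            if w not in reached and open_ports(rules, cur, w, inv):
                reached.add(w)
                queue.append(w)
    return sorted(reached)


def exposure(rules, compromised, inv=WORKLOADS):
    """Fraction of the estate inside the blast radius of one compromise."""
    return len(blast_radius(rules, compromised, inv)) / len(inv)


def attack_path(rules, compromised, target, inv=WORKLOADS):
    """Shortest hop chain from `compromised` to `target`, or None if the
    policy leaves no path. Breadth-first, so the first path found is shortest."""
    parent = {compromised: None}
    queue = deque([compromised])
    while queue:
        cur = queue.popleft()
        if cur == target:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for w in inv:
            if w not in parent and open_ports(rules, cur, w, inv):
                parent[w] = cur
                queue.append(w)
    return None


if __name__ == "__main__":
    for name, rules in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED)):
        for start in ("web-1", "db-1", "bastion-1"):
            print(f"{name:9} from {start:9}: {exposure(rules, start):.0%} "
                  f"{blast_radius(rules, start)}")
    print("web-1 -> db-1:", attack_path(SEGMENTED, "web-1", "db-1"))
    print("web-1 -> ci-1:", attack_path(SEGMENTED, "web-1", "ci-1"))
```

Under the flat policy every starting point reaches the whole inventory. Under the segmented policy a compromised web server still reaches the database in two hops through the app tier, which is the transitive effect a per-rule review misses, while a compromised database reaches nothing; and the bastion's single wildcard rule gives it the same blast radius as the flat network, which is why jump hosts and agents with "reach everything" rules need the strongest identity and device-posture controls.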
Related terms
Zero Trust: A security model that eliminates implicit trust based on network location, requiring continuous verification of identity, device posture, and context for every access request.
Zero Trust Network Access (ZTNA): An access model that grants users connectivity to specific applications, not networks, based on identity and device posture, verified continuously per session.
Microsegmentation: A security technique that divides a network into granular segments, enforcing least-privilege access policies between individual workloads rather than relying on broad network perimeters.
Endpoint Detection and Response (EDR): An endpoint security platform that continuously monitors endpoint activity, detects suspicious behavior, and provides investigation and response capabilities for threats that bypass preventive controls.
Extended Detection and Response (XDR): A security platform that correlates telemetry across endpoint, network, cloud, email, and identity sources to detect multi-stage attacks and provide unified investigation and response.