Cyberattack Lateral Movement Explained


[Lightly edited transcript of the video above]

Hi there, Mark Nunnikhoven from Trend Micro Research, I want to talk to you about the concept of lateral movement.

And the reason why I want to tackle this today is because I’ve had some conversations in the last few days that have really kind of hit that idea bulb that people don’t truly understand how cybercriminals get away with their crimes in the organization. Specifically how they launch their attacks.

Now don’t get me wrong, this isn’t to blame on defenders. This isn’t to blame of the general public. I’m going to go with Hollywood’s to blame a little bit here, because we’re watching movies in Hollywood inevitably…you know the hackers in their dark hat and with no lighting, underground, Lord knows where they find these places to hack from and they are attacking directly through.

You see a bunch of text go across the screen and they penetrate through the first firewall, through the second firewall in into the data. That’s not how it works at all.

That’s ridiculous. It’s absurd.


It makes for interesting cinema, just like the red code/green code in CSI Cyber, but it’s not a reflection of reality and that’s a real challenge. Because a lot of people don’t have the experience of working with cybersecurity, working in cybersecurity, so their only perception is what they see either through media—you know TV, movies, books—or if they happen to run into somebody at in the industry. So there is an overwhelming amount of sort of information or misinformation.

Not even misinformation, just storytelling that tries to make it far more dramatic than it is. The reality is that cybercriminals are out for profit.

We know this time and time again—yes a bunch of nation-state stuff does happen but the vast majority of you are unaffected by it same with there’s

a massive amount of script-kiddie just sort of scanning random people with random tools that are just seeing what they can get away with that and

if you have solid, automated defenses that doesn’t really impact you.

What does impact you is the vast majority of organized cybercriminals who are out to make a profit. Trend Micro had a greatseries and continues to have a great series on the Underground, the Digital Underground that shows just how deep these profit motivations go.

This is very much a dark industry. And with that in mind we come back to the concept of lateral movement.


If an attacker breaches into your systems, whether they come in like a fourth of all attacks do via email whether they come in directly through a server compromise, which is about half of all breaches according to the Verizon data breach investigation report or one of the other methods that is commonly used…then they start to move around within your network.

That’s lateral movement.

We talk about north/south traffic with the network, which is basically inside the network to outside of the network, so out to the the internet and back. East/west is within the network itself. Most defenses, traditional defenses worry about that north/south traffic.

Not enough worry about the east/west and it’s breaking down finally. We are getting rid of this hard perimeter. “It’s mine, I defend everything inside” …and realizing that this is actually how cybercriminals work. Once they’re inside they move around. So we need to defend in-depth and have really great monitoring and protection tools within our networks because of this challenge of lateral movement.


Let me give you a little easier to digest analogy. Most of us in a home have a grocery list and maybe once a week—maybe twice–we head to the grocery store and we try to get everything we want off the list and then we come back. That just makes sense.

That’s how we do it. Right? You would never think of going, “Okay. Number one of the list is ketchup. I’m going to drive to the store to get ketchup. I’m going to buy it and I’m going to come back home.

I’m going to look at item number two. I need a loaf of bread. I’m going to drive back to the store. I’m going to buy a loaf of bread and I’m going to come back and we can go to item 3, and I’m going to go and I’m going to come back. I’m going to…” That’s just ridiculous, right? That’s absolutely absurd and cybercrimals agree.

Once they’ve driven to the store. They’re going to buy everything that they need and everything that they see as an opportunity, right? They are really susceptible to those end caps and impulse buys… and then they’re going to leave.

This is how they attack our organizations.

We know that, because of the average time to detect a breach is around 197 days right now and that stat has fluctuated maybe plus or minus 15 days for the last decade.

We also know that it takes almost three…it takes two and a half to three months actually contain a breach once you discover it and the reason for all of this is lateral movement.

Once you’re in as a cybercriminal, once you’ve made headway, once you gained a beachhead or a foothold within that network you’re going to do everything you can to expand it because it’s going to make you the most amount of money.


What do you think? Let us know in the comments below, hit us up on social @TrendMicro or you can reach me directly @marknca.

How are you handling lateral movement? How are you trying to reduce it? How are you looking for visibility across all of your systems?

Let’s continue this conversation because when we talk we all get better and more secure online.