Lateral Movement: How Attackers Expand Access After Initial Compromise
Lateral movement turns a single compromise into an enterprise-wide breach. Learn how attackers spread, why it evades detection, and how CISOs can contain it.


What Is Lateral Movement?
Enterprise networks have never been more interconnected – and attackers have never been more effective at exploiting those connections.
Lateral movement refers to the techniques a cyberattacker uses, after gaining initial access, to move deeper into a network in search of sensitive data and other high-value assets. Once inside, the attacker pivots across the compromised environment, escalates privileges, and impersonates legitimate users with compromised credentials.
This tactic, which is present in nearly 70% of successful breaches according to IDC, allows adversaries to expand their initial foothold, maintain persistence, and gradually reach more systems and more valuable data. Unlike a “smash and go” opportunistic attack that stays confined to a single endpoint, lateral movement gives attackers the ability to operate methodically – often over weeks or months – while remaining hidden in plain sight. On average, attackers begin spreading within 48 minutes of initial access and remain undetected for more than 95 days.
In today’s breaches, the initial compromise is rarely the end goal. Attackers almost never land directly on the “crown jewels.” Instead, they rely on lateral movement to map the environment, harvest credentials, and escalate privileges until they reach the systems and data that matter most.
Recent high-profile incidents, including this year’s Anne Arundel Dermatology breach, which exposed data from 1.9 million patients, the $22 million Change Healthcare ransomware attack, and last year’s AT&T breach enabled through a third-party vendor and exposing Social Security numbers, show how quickly attackers can use lateral movement to expand an initial foothold into a broad, enterprise-wide compromise.
This is the essence of lateral movement: adversaries embedding themselves deeper into enterprise environments by exploiting the same trusted tools and workflows enterprises depend on every day.
The Stages of Lateral Movement
Lateral movement is not a single action but a sequence of steps that allow attackers to expand their access, escalate privileges, and persist inside an environment. While specific techniques vary, there are three main stages of lateral movement: reconnaissance, credential and privilege escalation, and expansion to other machines on the network.
Reconnaissance
In the reconnaissance stage, the attacker surveys the environment to understand where they are, what resources exist, and which systems represent the most valuable targets. This includes identifying users, devices, and network structures, often by observing normal workflows and patterns of communication. The goal is to collect intelligence while blending in with normal IT activity.
Credential and Privilege Escalation
With situational awareness in place, attackers build on their initial foothold by gathering additional credentials and elevating privileges. While the first compromise typically grants limited access, this step enables them to impersonate higher-value users and extend their authority across the network. By operating with the permissions of trusted insiders, adversaries position themselves to reach more critical systems and applications.
Expansion and Persistence
With elevated privileges in place, the attacker moves into additional devices, applications, and data stores. Each successful pivot reinforces their position and increases the scope of compromise. Persistence is often maintained by creating new pathways for access, ensuring that even if part of the intrusion is detected, the adversary can remain embedded elsewhere in the environment. Over time, this expansion allows attackers to identify and reach the core systems and data that carry the greatest business impact. From there, they may deploy malware, exfiltrate sensitive data or disrupt critical systems.
Why Lateral Movement Is Hard to Detect
The challenge with lateral movement is that it rarely looks malicious. A password reset, a file transfer, or a login from a known account can all appear routine – even when they are part of an active attack.
Once attackers gain administrative privileges, they are very difficult to spot. Their activity looks like normal network traffic, and because adversaries now blend human decision-making with AI-driven tools, they can adapt tactics in real time as they learn more about the environment. By using built-in system functions rather than external malware, their movements are almost indistinguishable from the work of legitimate IT staff.
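The point above is that each individual event an attacker generates looks like routine administration, and that the signal only appears when events are correlated. The following Python script is an added example, not code from the original article or from Dune Security, that runs two simple lateral-movement heuristics over a constructed sample of Windows Security log records (Event ID 4624, logon type 3, i.e. network logons): it flags an account whose logons reach an unusually large number of distinct hosts within a short window, and it flags logons from one user workstation directly to another. All hostnames, account names and timestamps are constructed, the column layout is an assumed simplification of the real event fields, and the window and threshold values are illustrative assumptions that would be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real telemetry). Columns: timestamp, event id,
# logon type, account, source host, destination host. Event 4624 with logon
# type 3 is a successful network logon. Every record is a valid-credential
# logon, so none looks malicious by itself; "itadmin" touches five hosts but
# spread over a working day, "helpdesk_admin" touches five hosts in ten
# seconds from a user workstation.
SAMPLE_EVENTS = """\
2024-05-01T08:00:00Z 4624 3 itadmin        ADMIN-JUMP01 FILESRV01
2024-05-01T10:00:00Z 4624 3 itadmin        ADMIN-JUMP01 PRINTSRV01
2024-05-01T12:00:00Z 4624 3 itadmin        ADMIN-JUMP01 SQL01
2024-05-01T14:00:00Z 4624 3 itadmin        ADMIN-JUMP01 WEB01
2024-05-01T16:00:00Z 4624 3 itadmin        ADMIN-JUMP01 DC01
2024-05-01T09:00:12Z 4624 3 alice          WS-ALICE     FILESRV01
2024-05-01T09:14:40Z 4624 3 alice          WS-ALICE     PRINTSRV01
2024-05-01T09:03:05Z 4624 3 bob            WS-BOB       FILESRV01
2024-05-01T11:02:17Z 4624 3 helpdesk_admin WS-BOB       FILESRV01
2024-05-01T11:02:19Z 4624 3 helpdesk_admin WS-BOB       WS-ALICE
2024-05-01T11:02:21Z 4624 3 helpdesk_admin WS-BOB       WS-CAROL
2024-05-01T11:02:24Z 4624 3 helpdesk_admin WS-BOB       SQL01
2024-05-01T11:02:27Z 4624 3 helpdesk_admin WS-BOB       DC01
2024-05-01T13:45:09Z 4624 3 bob            WS-BOB       FILESRV01
"""


def parse_events(text):
    """Parse the whitespace-separated sample format into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src, dst = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "src": src,
            "dst": dst,
        })
    return events


def network_logons(events):
    """Keep only successful network logons (4624 / type 3)."""
    return [e for e in events if e["event_id"] == 4624 and e["logon_type"] == 3]


def fan_out_alerts(events, window=timedelta(minutes=10), threshold=4):
    """Flag accounts that reach >= threshold distinct hosts within `window`.

    Uses a sliding window over each account's time-sorted logons and reports
    the largest set of distinct destinations seen in any single window, so a
    slow administrator touching many hosts over a day is not flagged.
    """
    by_account = defaultdict(list)
    for e in network_logons(events):
        by_account[e["account"]].append(e)

    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        best, start = set(), 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            hosts = {e["dst"] for e in evs[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= threshold:
            alerts.append({"account": account, "distinct_hosts": sorted(best)})
    return alerts


def workstation_to_workstation(events, prefix="WS-"):
    """Flag network logons from one user workstation straight to another.

    Assumes workstation hostnames share a naming prefix. End-user devices
    normally talk to servers, not to each other, so this pattern is a common
    pivot indicator worth reviewing.
    """
    return [e for e in network_logons(events)
            if e["src"].startswith(prefix) and e["dst"].startswith(prefix)]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for a in fan_out_alerts(evs):
        print(f"fan-out: {a['account']} -> {', '.join(a['distinct_hosts'])}")
    for e in workstation_to_workstation(evs):
        print(f"workstation-to-workstation: {e['account']} {e['src']} -> {e['dst']}")
```

Running the script on the constructed sample flags only `helpdesk_admin`, even though each of its five logons is identical in form to the legitimate ones around it; the two heuristics are starting points, and in practice they are paired with an allowlist of known scanning or backup sources and thresholds derived from the environment's own baseline.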
Defending Against Lateral Movement
Users play a critical role in defending against lateral movement. Simple habits can make the difference between containing an intrusion early and allowing it to spread:
- Report strange logins, unexpected access requests, or unusual system behavior immediately.
- Only access the systems required for your role.
- Never share credentials, and always use multi-factor authentication.
- Stay alert: don’t disable security tools or ignore warnings.
Attackers hide in plain sight as they move laterally – users are key to stopping their spread. A single alert user can contain what would otherwise become an enterprise-wide breach.
At the organizational level, CISOs must move beyond perimeter defenses and static training. Visibility and simulations must extend into the full spectrum of channels attackers exploit – collaboration, mobile, and encrypted messaging. Measuring user risk in real time and applying personalized remediations gives security teams the visibility and control needed to cut off attacker pivots before they escalate into systemic compromise.
At Dune Security, we help enterprises identify where user risk lives, simulate how it spreads, and contain it before it escalates into systemic compromise.
In an environment where attackers can quietly persist for weeks or months, the organizations that stay resilient will be those that act proactively at the user layer – where lateral movement begins.
Never Miss Human Risk Insights
Subscribe to the Dune Risk Brief - weekly trends, threat models, and strategies for enterprise CISOs.
FAQs
Lateral movement is the process attackers use to navigate through a compromised network after they have gained initial access. Rather than staying on a single endpoint, they escalate privileges, impersonate legitimate users, and move between systems in order to reach sensitive data or critical infrastructure.
Advanced threat actors can begin lateral movement in as little as one hour after gaining access to a network. Once inside, they can remain undetected for an average of 95 days, giving them significant time to explore and compromise additional systems.
Common lateral movement techniques include credential dumping, pass-the-hash and pass-the-ticket attacks, and exploitation of Remote Desktop Protocol. Attackers also abuse legitimate tools like PowerShell, WMI, and PsExec. In many cases, they leverage Active Directory trust relationships or stolen session tokens to move between systems without triggering alerts.
Lateral movement is difficult to detect because attackers often rely on legitimate credentials and built-in administrative tools. Their activity closely resembles that of normal users or IT staff, which allows them to blend in with everyday operations.
Lateral movement allows attackers to turn a minor compromise into a full-scale breach. Because it often goes unnoticed, it gives adversaries access to the most sensitive systems and data within an organization. This increases the likelihood of data theft, operational disruption, and regulatory exposure.
