Already Inside. Already Invisible.
The perimeter held.
The firewall blocked the port scan. The email gateway quarantined the phishing attempt. The WAF rejected the injection payload. Every perimeter control did exactly what it was designed to do.
Then the attacker tried a different door — a contractor’s VPN credentials purchased for $85 on a dark web marketplace. Valid username. Valid password. MFA prompt sent to a phone number that hadn’t been active in seven months.
After three tries, the attacker moved on and found a service account. One that was created during a system migration eighteen months ago, never deprovisioned, with a password that hadn’t been rotated since the previous IT manager left. No MFA. Broad network access. Logged in without a single alert firing.
That was day one.
By day thirty-four, the attacker had touched forty-one systems, accessed three file servers containing sensitive financial data, obtained domain administrator credentials, and established persistence in four separate locations — all while every perimeter dashboard reported green.
The perimeter never failed. The interior was wide open.
This is the defining reality of modern enterprise breaches: organizations have invested enormously in stopping attackers from getting in. They have invested almost nothing in stopping attackers from moving freely once they’re inside.
The Interior Is Where Breaches Actually Happen
The initial compromise is rarely the damaging event. It’s the starting point.
What makes a breach catastrophic — the full data exfiltration, the ransomware across 400 systems, the complete domain compromise — is what happens after initial access. The lateral movement from the entry point to the crown jewels. The privilege escalation from a low-value account to domain admin. The persistence mechanisms that survive credential resets and system reimaging.
This is the interior of your network. And in most enterprise environments, it is governed by an implicit assumption that has not been true for years: that anything inside the perimeter can be trusted.
The numbers confirm where the real damage occurs:
- $4.88 million is the average breach cost — but breaches that achieve lateral movement to sensitive data cost 38% more than those contained at initial access — IBM 2024
- 94% of attackers who achieve initial access successfully move laterally to at least one additional system — CrowdStrike Global Threat Report 2024
- The average attacker spends 88% of their total dwell time operating inside the network after initial access, before detection — Mandiant M-Trends
- Organizations with network segmentation reduce breach costs by an average of $675,000 compared to flat network architectures — IBM
The perimeter is the first line of defense. The interior is where every breach is actually won or lost.
How Lateral Movement Works — Step by Step
Understanding how attackers move inside your network isn’t academic. It’s the prerequisite for building interior defenses that actually interrupt their progress. Here’s the playbook, step by step — the same sequence that appears in post-incident reports from breaches across every industry.
Step 1: Establish a Foothold and Understand the Terrain
Initial access lands the attacker somewhere — a compromised endpoint, a misconfigured cloud service, an overprivileged service account. The first priority is reconnaissance: understanding the environment they’re in before moving through it.
Using legitimate built-in tools — net commands, PowerShell, nltest, BloodHound — attackers map the Active Directory environment, identify privileged accounts, locate high-value file shares, and chart the network topology. This reconnaissance is largely invisible to detection systems because it uses the same tools that administrators use daily for the same purposes.
In a well-documented technique, BloodHound — a legitimate AD auditing tool that is also a favorite of attackers — can map the shortest path from any compromised account to domain administrator in seconds. It doesn’t exploit a vulnerability. It reads Active Directory data that’s already accessible to any authenticated user.
The attacker’s internal reconnaissance is done using your own tools, reading your own data, looking completely authorized the entire time.
Step 2: Harvest Credentials to Extend Access
Movement requires access. Access requires credentials. Credential harvesting — extracting passwords, hashes, tokens, and tickets from memory and disk — is the fuel that powers lateral movement.
The most widely used techniques:
LSASS Memory Dumping — The Windows Local Security Authority Subsystem Service holds credential material in memory. Tools that read LSASS memory — historically Mimikatz, now more commonly living-off-the-land binaries such as comsvcs.dll, or Task Manager’s own process-dump feature — extract plaintext passwords, NTLM hashes, and Kerberos tickets for any user who has authenticated on that system. If a domain administrator logged into the compromised workstation at any point, their credentials are likely retrievable.
Kerberoasting — Any authenticated domain user can request Kerberos service tickets for service principal names. Those tickets are encrypted with the service account’s password hash. Offline brute-force cracking against the ticket — no lockout policy applies, because no authentication attempt is made — recovers the service account password. Service accounts with weak passwords crack in hours. Service accounts with never-expiring passwords and broad network access are the primary target.
Pass-the-Hash / Pass-the-Ticket — Attackers don’t always need to crack credentials. NTLM hashes and Kerberos tickets can often be used directly to authenticate to remote systems — no plaintext password required. A hash extracted from one system authenticates to any system where that account has access.
Each credential harvested expands the attacker’s reach. One compromised workstation becomes ten systems. Ten systems become domain admin.
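The Kerberoasting pattern described above leaves a distinctive trace on the domain controller: one account requesting service tickets for many different service accounts in a short burst, usually with the legacy RC4-HMAC encryption type (0x17) because it cracks faster than AES (0x12). The following detection logic is an added example, not code from the original article; it runs over constructed Windows Security Event ID 4769 records (the field names follow that event’s schema, the sample values are invented), and the window and threshold are assumptions to be tuned per environment.

```python
"""Kerberoasting detection over Windows Security Event ID 4769 records.

Heuristic: one account requesting service tickets for many distinct service
accounts in a short window, using RC4-HMAC (0x17) rather than AES (0x12),
matches a Kerberoasting sweep. Window and threshold are assumed values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"               # TicketEncryptionType value for RC4-HMAC in event 4769
WINDOW = timedelta(minutes=10)  # assumed detection window
DISTINCT_SPN_THRESHOLD = 5      # assumed alert threshold

# Constructed sample events (not real log data). Fields map to the 4769 schema:
# TargetUserName -> user, ServiceName (the service account the ticket was issued for)
# -> service, TicketEncryptionType -> enc, IpAddress -> ip.
SAMPLE_EVENTS = [
    # jsmith sweeps six distinct service accounts with RC4 in under two minutes
    {"time": "2024-05-01T02:00:01", "user": "jsmith", "service": "svc_sql01", "enc": "0x17", "ip": "10.0.5.23"},
    {"time": "2024-05-01T02:00:02", "user": "jsmith", "service": "svc_web", "enc": "0x17", "ip": "10.0.5.23"},
    {"time": "2024-05-01T02:00:03", "user": "jsmith", "service": "svc_sql02", "enc": "0x17", "ip": "10.0.5.23"},
    {"time": "2024-05-01T02:00:40", "user": "jsmith", "service": "svc_exchange", "enc": "0x17", "ip": "10.0.5.23"},
    {"time": "2024-05-01T02:01:10", "user": "jsmith", "service": "svc_reports", "enc": "0x17", "ip": "10.0.5.23"},
    {"time": "2024-05-01T02:01:30", "user": "jsmith", "service": "svc_portal", "enc": "0x17", "ip": "10.0.5.23"},
    # computer account and krbtgt tickets are excluded from the count
    {"time": "2024-05-01T02:00:05", "user": "jsmith", "service": "WS0423$", "enc": "0x17", "ip": "10.0.5.23"},
    {"time": "2024-05-01T02:00:06", "user": "jsmith", "service": "krbtgt", "enc": "0x17", "ip": "10.0.5.23"},
    # ops_admin uses AES tickets during normal work: not roastable, no alert
    {"time": "2024-05-01T09:15:00", "user": "ops_admin", "service": "svc_web", "enc": "0x12", "ip": "10.0.9.8"},
    {"time": "2024-05-01T09:16:00", "user": "ops_admin", "service": "svc_files", "enc": "0x12", "ip": "10.0.9.8"},
    # jdoe touches six RC4 services spread across a working day: never five in one window
    {"time": "2024-05-01T08:00:00", "user": "jdoe", "service": "svc_sql01", "enc": "0x17", "ip": "10.0.7.41"},
    {"time": "2024-05-01T09:00:00", "user": "jdoe", "service": "svc_web", "enc": "0x17", "ip": "10.0.7.41"},
    {"time": "2024-05-01T10:00:00", "user": "jdoe", "service": "svc_sql02", "enc": "0x17", "ip": "10.0.7.41"},
    {"time": "2024-05-01T11:00:00", "user": "jdoe", "service": "svc_exchange", "enc": "0x17", "ip": "10.0.7.41"},
    {"time": "2024-05-01T13:00:00", "user": "jdoe", "service": "svc_reports", "enc": "0x17", "ip": "10.0.7.41"},
    {"time": "2024-05-01T15:00:00", "user": "jdoe", "service": "svc_portal", "enc": "0x17", "ip": "10.0.7.41"},
]


def parse_time(stamp):
    return datetime.fromisoformat(stamp)


def is_roastable(event):
    """Computer accounts (trailing $) and krbtgt do not yield crackable service passwords."""
    svc = event["service"]
    return not svc.endswith("$") and svc.lower() != "krbtgt"


def max_distinct_services(events, window):
    """Largest number of distinct service accounts one user hit inside any sliding window."""
    events = sorted(events, key=lambda e: parse_time(e["time"]))
    times = [parse_time(e["time"]) for e in events]
    best, start = 0, 0
    for end in range(len(events)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, len({e["service"] for e in events[start:end + 1]}))
    return best


def detect_kerberoasting(events, window=WINDOW, threshold=DISTINCT_SPN_THRESHOLD):
    """Return one alert per account whose RC4 service-ticket requests exceed the threshold."""
    by_user = defaultdict(list)
    for e in events:
        if e["enc"] == RC4_HMAC and is_roastable(e):
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        peak = max_distinct_services(evs, window)
        if peak >= threshold:
            alerts.append({"user": user, "distinct_services": peak, "source_ip": evs[0]["ip"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_EVENTS):
        print(alert)
```

The RC4 filter is what keeps this rule quiet in an AES-enabled domain: most legitimate clients negotiate AES, so RC4 requests for user-owned service accounts are rare enough to be worth a look on their own. Enforcing AES-only on service accounts removes the cheap cracking path entirely and makes the rule higher fidelity.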
Step 3: Move Laterally Using Legitimate Protocols
With credentials in hand, movement begins. And it uses the same protocols your legitimate operations rely on every day.
SMB (Server Message Block) — Used for file sharing and remote administration. Tools like PsExec and WMIExec use SMB to execute commands on remote systems. An attacker with valid credentials and network access to a target system can move to it via SMB — and generate log entries indistinguishable from legitimate IT administration.
WMI (Windows Management Instrumentation) — Used by administrators for remote system management. Attackers use it for the same purpose: executing commands, collecting system information, and establishing persistence on remote systems. WMI is native to every Windows system. It generates minimal logging by default. It is consistently abused precisely because of both facts.
RDP (Remote Desktop Protocol) — Legitimate remote access protocol. With valid credentials, attackers use RDP to interactively access systems — browsing file systems, accessing applications, and operating with full user-level visibility. RDP sessions can be difficult to distinguish from legitimate remote work in environments where RDP is commonly used.
Cloud API Calls — In cloud environments, lateral movement looks entirely different but operates on the same principle. A compromised IAM role makes API calls to discover other resources, access S3 buckets, invoke Lambda functions, or assume higher-privilege roles. Every call is authenticated. Every call is logged. None of them look wrong individually.
The common thread across all of these: legitimate credentials, legitimate protocols, legitimate-looking behavior. Your perimeter controls don’t see it. Your detection rules weren’t written for it. Your network lets it through because it looks like normal traffic.
Step 4: Escalate Privileges to Reach the Crown Jewels
Lateral movement without privilege escalation limits the attacker to what their initial compromised account can access. The objective is always to escalate — to gain the level of access required to reach the highest-value targets.
In Active Directory environments, domain administrator is the terminal objective. DA access provides unrestricted access to every system in the domain, the ability to create backdoor accounts, and the ability to export the entire directory database — giving the attacker credentials for every account in the organization.
Common escalation paths:
- Over-permissioned service accounts — Service accounts with domain admin privileges (a common misconfiguration) provide immediate escalation to any attacker who compromises them
- GPO abuse — Accounts with permission to modify Group Policy Objects can push malicious configurations to every system in a GPO scope — silently, using a legitimate administrative mechanism
- ACL exploitation — Misconfigured Access Control Lists on AD objects can allow low-privilege accounts to reset passwords for high-privilege accounts, add members to privileged groups, or take ownership of sensitive objects
- Token impersonation — In Windows environments, certain privilege levels allow an attacker to impersonate the security tokens of other logged-in users — including domain administrators currently active on the same system
In cloud environments, the escalation path is through IAM: a compromised low-privilege role that can assume a higher-privilege role, a Lambda function with permissions far exceeding its operational requirements, a developer credential with production access that was never scoped down.
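The cloud escalation paths just described are visible in the policy documents themselves before any attacker uses them. The checker below is an added example, not code from the original article or from any vendor: it walks an IAM policy document and flags the well-known escalation primitives (policy-attachment and access-key actions) together with sts:AssumeRole and iam:PassRole when they are granted on Resource "*". The two sample policies are constructed, the account id is a placeholder, and the checker ignores Condition blocks, NotAction, permission boundaries and SCPs, so it is a first-pass lint rather than a full policy evaluation.

```python
"""Flag IAM policy statements that provide a privilege-escalation path.

Added example: a first-pass linter over an IAM policy document. It does not
model Condition, NotAction, permission boundaries or SCPs.
"""
import fnmatch

# Well-known IAM actions that let a principal expand its own or another principal's permissions
ESCALATION_ACTIONS = {
    "iam:createaccesskey": "can mint access keys for other users",
    "iam:attachuserpolicy": "can attach managed policies to users",
    "iam:attachrolepolicy": "can attach managed policies to roles",
    "iam:putuserpolicy": "can add inline policies to users",
    "iam:putrolepolicy": "can add inline policies to roles",
    "iam:createpolicyversion": "can rewrite an existing managed policy",
    "iam:setdefaultpolicyversion": "can activate a more permissive policy version",
    "iam:updateassumerolepolicy": "can let itself assume any role it edits",
}
# Legitimate when scoped to specific role ARNs, an escalation path when Resource is "*"
BROAD_RESOURCE_ACTIONS = {
    "sts:assumerole": "can assume every role in the account",
    "iam:passrole": "can hand any role to a service it controls",
}

# Constructed policies (not real account data; 123456789012 is a placeholder account id)
OVERBROAD_LAMBDA_ROLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "sts:AssumeRole"], "Resource": "*"},
    ],
}
SCOPED_LAMBDA_ROLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/report-builder:*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::123456789012:role/reporting-reader"},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::finance-reports/*"},
    ],
}


def _as_list(value):
    # IAM allows a single string or a list for Statement, Action and Resource
    return value if isinstance(value, list) else [value]


def find_escalation_risks(policy):
    """Return (action, reason) pairs for every Allow statement that grants an escalation primitive."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        broad_resource = "*" in _as_list(stmt.get("Resource", []))
        for pattern in patterns:
            if pattern == "*":
                findings.append(("*", "full administrative access"))
                continue
            # Action entries may carry wildcards (iam:*, iam:Put*), so match each known action against them
            for action, reason in ESCALATION_ACTIONS.items():
                if fnmatch.fnmatchcase(action, pattern):
                    findings.append((action, reason))
            if broad_resource:
                for action, reason in BROAD_RESOURCE_ACTIONS.items():
                    if fnmatch.fnmatchcase(action, pattern):
                        findings.append((action, reason))
    return findings


if __name__ == "__main__":
    for name, policy in [("overbroad", OVERBROAD_LAMBDA_ROLE), ("scoped", SCOPED_LAMBDA_ROLE)]:
        print(name, find_escalation_risks(policy))
```

The scoped policy grants the same function the same working capability but names the one role it may assume and the one bucket it may read, which is exactly the difference between a Lambda that is a useful tool for the attacker and one that is a dead end.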
Step 5: Establish Persistence to Survive Detection
The sophisticated attacker doesn’t bet everything on remaining undetected forever. They establish multiple persistence mechanisms so that when one access path is discovered and closed, others remain open.
Common persistence techniques:
- New local or domain accounts created with inconspicuous names that blend into existing account lists
- Scheduled tasks and services configured to re-establish access on a regular cadence
- Registry run keys that execute attacker-controlled code on system startup
- Web shells installed on internet-facing web servers — providing a persistent backdoor that survives credential resets
- Golden and Silver Tickets — forged Kerberos tickets that provide persistent authentication capability even after the compromised account password is changed, because they are built from the domain’s krbtgt hash (Golden) or the target service account’s hash (Silver) rather than from the compromised user’s own credentials
A Golden Ticket forged with the domain’s krbtgt hash is valid until the krbtgt password is rotated — a process most organizations have never performed, meaning the ticket may be permanently valid.
Once an attacker has established multiple persistence mechanisms, evicting them completely requires a coordinated, simultaneous response across every affected system — or they simply return through the persistence mechanism that survived the incomplete remediation.
Why Your Controls Aren’t Seeing It
Everything described above is happening in environments with enterprise-grade security tooling deployed and operational. The controls aren’t absent. They’re just not positioned to stop interior movement.
Flat network architecture allows any system to reach any other system on the same segment. In a flat network, a compromised user workstation has the same network access as an administrative server — not because anyone decided that’s appropriate, but because nobody decided otherwise. The default is permissive. Network segmentation requires deliberate design.
Implicit internal trust is the inherited assumption that systems inside the perimeter are safe to communicate with each other freely. Firewall rules are written to control north-south traffic — in from the internet, out to the internet. East-west traffic — between internal systems — often travels unrestricted. The attacker moves through it like there’s no friction, because there isn’t.
Monitoring gaps on internal traffic mean that lateral movement via SMB, WMI, and RDP between internal systems generates log entries that often go unreviewed. VPC Flow Logs aren’t always enabled. Internal network traffic isn’t always sent to the SIEM. Detection rules optimized for external threats don’t fire on internal movement that uses valid credentials.
Credential hygiene failures — service accounts with non-expiring passwords, domain admin accounts used for daily operations, shared local administrator credentials across hundreds of endpoints — give attackers credential material that moves them freely through the environment without any exploitation required.
Building an Interior That Fights Back
The perimeter matters. But the interior is where breaches are decided. Here’s what organizations that successfully contain lateral movement do differently.
Segment the Network Like the Perimeter Doesn’t Exist
Network segmentation is the single highest-impact structural change for limiting lateral movement. It forces attackers to cross controlled boundaries between segments — creating choke points where detection and blocking can occur — rather than moving freely through a flat architecture.
Effective segmentation means:
- Production systems isolated from development and test environments
- User workstations unable to reach servers directly — traffic routed through controlled inspection points
- High-value targets (domain controllers, financial systems, data repositories) in dedicated segments with strict ingress rules
- Lateral movement between segments requiring explicit authentication and generating distinct, monitorable traffic
Micro-segmentation — available through platforms like VMware NSX, Illumio, and Zscaler Private Access — extends this principle to individual workloads, making east-west movement between even adjacent systems subject to explicit policy enforcement.
In a properly segmented environment, a compromised workstation cannot reach a domain controller, cannot access a file server, and cannot communicate with systems in adjacent business units — without crossing a monitored, policy-enforced boundary. The attacker’s movement slows dramatically. Their footprint becomes visible.
Treat Credentials as the Primary Attack Surface
If lateral movement runs on credentials, credential hygiene is lateral movement defense.
Privileged Access Workstations (PAWs) — dedicated, hardened systems used exclusively for privileged administrative tasks — prevent domain admin credentials from touching internet-connected workstations where they can be harvested.
Local Administrator Password Solution (LAPS) randomizes local administrator passwords on every Windows endpoint — eliminating the shared local admin credential that allows pass-the-hash attacks to move laterally across hundreds of systems simultaneously.
Tiered administration models separate domain administration from workstation administration from server administration — ensuring that a compromised workstation credential doesn’t provide a path to domain admin, and a compromised server credential doesn’t provide a path to the domain controller.
Service account governance — inventorying every service account, documenting its purpose and owner, right-sizing its permissions, enabling auditing, and rotating its credentials on a defined schedule — eliminates the forgotten, overprivileged service accounts that are among the most commonly exploited lateral movement vehicles.
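The service account inventory described here, and the krbtgt rotation check from the persistence section above, reduce to a handful of directory attributes. The audit below is an added example, not code from the original article: it runs over a constructed directory export whose attribute names follow Active Directory’s schema (sAMAccountName, servicePrincipalName, userAccountControl, pwdLastSet, memberOf), flags never-expiring passwords, stale passwords on Kerberoastable accounts, privileged-group membership on SPN accounts, missing ownership, and a krbtgt password that has not been rotated. The 90-day and 180-day limits and the reference date are assumptions.

```python
"""Service account governance audit over a directory export.

Added example. Attribute names follow AD's schema; the sample records, the
reference date and the age limits are constructed/assumed values.
"""
from datetime import datetime, timedelta

DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl flag bit
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
MAX_SERVICE_PASSWORD_AGE = timedelta(days=90)   # assumed rotation policy
MAX_KRBTGT_AGE = timedelta(days=180)            # assumed: rotate at least twice a year
AS_OF = datetime(2024, 6, 1)                    # constructed reference date for the audit

# Constructed directory export (not real data)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_migration", "servicePrincipalName": ["HTTP/migrate01.corp.example"],
     "userAccountControl": 0x10200, "pwdLastSet": "2022-11-15T08:00:00",
     "memberOf": ["Domain Admins"], "description": ""},
    {"sAMAccountName": "svc_backup", "servicePrincipalName": ["backup/bk01.corp.example"],
     "userAccountControl": 0x200, "pwdLastSet": "2024-04-20T03:00:00",
     "memberOf": ["Backup Operators"], "description": "Nightly backup job; owner: infra-team"},
    {"sAMAccountName": "krbtgt", "servicePrincipalName": ["kadmin/changepw"],
     "userAccountControl": 0x202, "pwdLastSet": "2019-03-02T12:00:00",
     "memberOf": [], "description": "Key Distribution Center Service Account"},
]


def audit_account(acct, as_of):
    """Return a list of governance findings for one account (empty when it is clean)."""
    findings = []
    name = acct["sAMAccountName"]
    age = as_of - datetime.fromisoformat(acct["pwdLastSet"])
    if name.lower() == "krbtgt":
        # A Golden Ticket stays valid until this password is rotated (twice, since the KDC
        # also honours the previous key), so its age is a persistence exposure metric
        if age > MAX_KRBTGT_AGE:
            findings.append(f"krbtgt password last rotated {age.days} days ago; forged TGTs remain valid")
        return findings
    has_spn = bool(acct.get("servicePrincipalName"))
    if acct["userAccountControl"] & DONT_EXPIRE_PASSWORD:
        findings.append("password set to never expire")
    if has_spn and age > MAX_SERVICE_PASSWORD_AGE:
        findings.append(f"Kerberoastable (has SPN) with password unchanged for {age.days} days")
    privileged = PRIVILEGED_GROUPS & set(acct.get("memberOf", []))
    if has_spn and privileged:
        findings.append(f"Kerberoastable account holds {', '.join(sorted(privileged))}")
    if not acct.get("description", "").strip():
        findings.append("no documented purpose or owner")
    return findings


def audit_directory(accounts, as_of):
    """Map account name -> findings for every account that has at least one finding."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, as_of)
        if findings:
            report[acct["sAMAccountName"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_directory(SAMPLE_ACCOUNTS, AS_OF).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run against a real export, the accounts that collect three or four findings at once (an SPN, a never-expiring password, domain admin membership, no owner) are the migration leftovers the opening story describes, and they are the first candidates for right-sizing or removal.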
Monitor East-West Traffic With Behavioral Baselines
Interior movement is invisible only when interior traffic isn’t monitored. Building monitoring coverage for east-west traffic — with behavioral baselines that distinguish normal administrative activity from attacker movement — turns the interior from a safe zone into a detection environment.
Network Detection and Response (NDR) platforms — Darktrace, ExtraHop, Vectra AI — analyze east-west traffic patterns and establish behavioral baselines for normal internal communication. When a workstation that has never communicated with the domain controller begins making LDAP queries at 2am, or when a service account begins making SMB connections to file servers outside its operational scope, the deviation from baseline generates an alert.
This is the detection capability that catches lateral movement — not at the perimeter, where it doesn’t happen, but inside the network, where it does.
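The two deviations this section uses as illustrations (a workstation that has never spoken to a domain controller starting LDAP at 2am, an account opening SMB connections outside its usual scope) are both "new source-destination-port pair" events against a learned baseline, and the same baseline catches the SMB/WMI/RDP fan-out from Step 3. The following is an added example, not code from the original article or from any NDR vendor: it learns the baseline from constructed flow records (who normally talks to whom on which interior port), then reports pairs that are new in the monitored period and sources that reach several new hosts. The port watchlist and the fan-out threshold are assumptions.

```python
"""East-west behavioral baseline over interior flow records.

Added example. Flow records are constructed (src host, dst host, dport);
the port watchlist and fan-out threshold are assumed values.
"""
from collections import defaultdict

# Interior protocols the article discusses, keyed by destination port (assumed watchlist)
INTERIOR_PORTS = {445: "SMB", 135: "RPC/WMI", 3389: "RDP", 389: "LDAP", 5985: "WinRM"}
FANOUT_THRESHOLD = 3  # assumed: new hosts reached by one source before it counts as a sweep

# Constructed flows from a learning period: the normal communication pattern
BASELINE_FLOWS = [
    {"time": "2024-04-02T09:01:00", "src": "ws-101", "dst": "dc01", "dport": 389},
    {"time": "2024-04-02T09:03:00", "src": "ws-101", "dst": "fs01", "dport": 445},
    {"time": "2024-04-03T10:15:00", "src": "adm-01", "dst": "fs01", "dport": 445},
    {"time": "2024-04-03T10:20:00", "src": "adm-01", "dst": "dc01", "dport": 389},
    {"time": "2024-04-04T14:00:00", "src": "adm-01", "dst": "srv-app01", "dport": 5985},
]

# Constructed flows from the monitored period
OBSERVED_FLOWS = [
    {"time": "2024-05-01T09:00:00", "src": "ws-101", "dst": "dc01", "dport": 389},       # in baseline
    {"time": "2024-05-01T02:10:00", "src": "ws-101", "dst": "ws-102", "dport": 445},     # new: workstation-to-workstation SMB
    {"time": "2024-05-01T02:11:00", "src": "ws-101", "dst": "ws-103", "dport": 445},     # new
    {"time": "2024-05-01T02:11:30", "src": "ws-101", "dst": "ws-103", "dport": 445},     # repeat, reported once
    {"time": "2024-05-01T02:12:00", "src": "ws-101", "dst": "srv-app01", "dport": 445},  # new
    {"time": "2024-05-01T02:05:00", "src": "ws-204", "dst": "dc01", "dport": 389},       # new: never did LDAP to the DC before
    {"time": "2024-05-01T11:00:00", "src": "adm-01", "dst": "fs01", "dport": 445},       # in baseline
    {"time": "2024-05-01T11:30:00", "src": "ws-101", "dst": "web-proxy", "dport": 443},  # not a watched port
]


def build_baseline(flows):
    """The set of (src, dst, dport) triples seen during the learning period."""
    return {(f["src"], f["dst"], f["dport"]) for f in flows}


def detect_deviations(baseline, flows, fanout_threshold=FANOUT_THRESHOLD):
    """Report interior-protocol pairs absent from the baseline, plus sources reaching many new hosts."""
    alerts, seen, new_hosts = [], set(), defaultdict(set)
    for f in sorted(flows, key=lambda f: f["time"]):
        key = (f["src"], f["dst"], f["dport"])
        if f["dport"] not in INTERIOR_PORTS or key in baseline or key in seen:
            continue
        seen.add(key)
        alerts.append({"type": "new_east_west_pair", "src": f["src"], "dst": f["dst"],
                       "proto": INTERIOR_PORTS[f["dport"]], "first_seen": f["time"]})
        new_hosts[f["src"]].add(f["dst"])
    # A single source opening new interior-protocol sessions to several hosts is the
    # fan-out shape of credential-driven lateral movement rather than a one-off change
    for src, hosts in new_hosts.items():
        if len(hosts) >= fanout_threshold:
            alerts.append({"type": "fanout", "src": src, "new_hosts": sorted(hosts)})
    return alerts


if __name__ == "__main__":
    for alert in detect_deviations(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS):
        print(alert)
```

The baseline is only as good as the learning window, so in practice it is rebuilt on a rolling basis and new pairs that analysts confirm as legitimate (a new file server, a new admin host) are promoted into it; what should never be promoted silently is workstation-to-workstation SMB, which has almost no legitimate use in most environments and is the clearest single signal of interior movement.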
Implement Privileged Access Management
Not every account needs to reach every system. Privileged Access Management (PAM) platforms — CyberArk, BeyondTrust, Delinea — enforce just-in-time access: privileged credentials are issued for a specific session, for a specific system, for a specific duration. They’re rotated after every use. They cannot be extracted from memory for reuse on other systems.
In a PAM-controlled environment, Kerberoasting yields service account credentials that expire within hours. Pass-the-hash yields a credential that is already invalid by the time it’s used. The credential harvesting techniques that fuel lateral movement are defanged — not by preventing the harvest, but by ensuring the harvested credential is worthless by the time the attacker tries to use it.
Your 60-Day Interior Security Quick Start
You don’t need to rebuild your network architecture overnight. Start with the changes that impose the most friction on attacker movement in the shortest time.
Week 1–2: Credential hygiene sprint
Deploy LAPS across all Windows endpoints — eliminates shared local admin credentials across your entire endpoint fleet. Audit service accounts: identify every account with domain admin privileges that doesn’t require it and remove those privileges immediately. Enforce MFA on every VPN, RDP, and cloud console access point — no exceptions.
Week 3–4: Visibility into east-west traffic
Enable VPC Flow Logs across all cloud environments if not already active. Route internal network flow data to your SIEM. Even without behavioral baselines yet, having the data available for investigation is a meaningful improvement over having no visibility at all.
Week 5–8: Segment your highest-value targets
Identify your three most critical asset groups — domain controllers, financial systems, sensitive data repositories. Implement network segmentation rules that restrict which systems can initiate connections to them. This doesn’t require a full network redesign — targeted segmentation around your crown jewels delivers disproportionate protection against the most damaging lateral movement scenarios.
Target outcome: Shared local admin credentials eliminated. MFA enforced on all remote access. East-west traffic visible to your SIEM. Crown jewel systems segmented from general user network access.
The Bottom Line
Your perimeter is stronger than it has ever been. Attackers know that. They’re not trying to break through it — they’re going around it, under it, or through a credential that someone on your team forgot was still active.
Once inside, they move freely through interior architectures designed for trust, not defense. They use your own tools. They authenticate with legitimate credentials. They move through protocols your monitoring wasn’t built to watch.
The assumption that the interior is safe because the perimeter held is the most expensive assumption in enterprise security.
The organizations that contain lateral movement — that turn a single compromised endpoint into a contained incident rather than a domain-wide catastrophe — share one characteristic: they stopped treating the interior as a trusted zone and started treating it like hostile territory that needs to be monitored, segmented, and defended with the same rigor as the perimeter.
Your attacker is already thinking about your interior.
The question is whether your security architecture is.
