Lateral movement: how attackers move once inside

Lateral movement attack techniques explained: pass-the-hash, RDP hopping, credential reuse, and how to contain them with Zero Trust and microsegmentation.
IT engineer reviewing network activity in a European server room.

The breach rarely starts where the damage ends. An attacker lands on one laptop, one printer, one forgotten server, and then works sideways through the network until they reach something worth encrypting or stealing. That sideways journey is lateral movement, and it is the phase where a contained incident turns into a company-wide breach.

This guide is written for the attacker’s side of the story. It covers how adversaries actually move, pass-the-hash, RDP hopping, credential reuse, and why traditional firewalls watch the wrong direction. The defensive counterpart, detecting this traffic in real time, is covered separately in our guide to east-west traffic monitoring. Here, the focus is the playbook itself and how to design it out.

How attackers move laterally once they are inside

Lateral movement is the set of techniques attackers use to travel from their initial foothold to high-value systems, mostly by abusing valid credentials and built-in administrative tools rather than malware. The three most common methods are credential reuse, pass-the-hash, and Remote Desktop Protocol (RDP) hopping. Each blends with normal admin traffic, which is why perimeter firewalls miss it. Containing it requires controls inside the network, not just at the edge.

That is the short version. The rest of this guide unpacks how each technique works, how fast it happens, and where the architecture has to change.

Why the internal network is an attacker playground

Once initial access is achieved, the attacker’s first job is reconnaissance. They map internal hosts, enumerate shares, and work out who has rights to what. Most of this uses native operating system features, so it looks like ordinary administrative activity.

That camouflage is the point. North-south traffic, the flow in and out of the network, gets inspected by firewalls and web gateways. East-west traffic, server to server and device to application, usually does not. An attacker who stays internal can move toward the data they want without tripping a single perimeter control.

The time pressure is real, and it is widening. According to Mandiant’s M-Trends 2026 report, the global median dwell time, the gap between intrusion and detection, has risen to 14 days. For cyberespionage incidents specifically, Mandiant puts the median at 122 days. That is months of undetected internal movement in the worst cases.

How fast attackers reach Active Directory

Domain dominance is the goal, and it comes quickly. Research in the Sophos Active Adversary Report 2025 found that attackers take a median of just 11 hours between initial activity and their first attempt to compromise Active Directory.

Active Directory is the prize because it holds the keys to the whole estate. Control the directory, and you control authentication for every user and system that trusts it. From there, an attacker can grant themselves access, disable defences, and stage ransomware across the network at once.

Eleven hours is not enough time for manual response. By the time an alert is triaged and a ticket is raised, the attacker may already be probing the directory. This is why containment has to be built into the network’s design, not bolted on as an afterthought reaction. The faster path is to make the moves impossible, not to chase them.

The route to the directory usually runs through the techniques covered below. An attacker reuses a harvested credential to reach a server that talks to Active Directory, replays a captured hash to authenticate as a privileged account, or hops via RDP onto a machine an administrator uses. None of it requires a new exploit. It requires a flat network that lets one foothold reach the authentication core.

How RDP and stolen credentials drive lateral movement

RDP and valid credentials are the workhorses of internal movement. The Sophos Active Adversary Report 2025 found RDP involved in 84% of the managed detection and response cases it analysed, making it the most abused legitimate admin function for moving between hosts.

The reason is simple. RDP is a native, trusted tool that IT teams use every day, so an attacker using it blends straight into normal traffic. It also hands them an interactive graphical session on the target host, which is far easier to work with than a command line.

Credentials are the other half of the pattern. The same Sophos research found that in 56% of breaches, attackers gained entry by exploiting external remote services using legitimate, compromised logins. That mirrors the Verizon Data Breach Investigations Report 2025, which attributes 44.7% of confirmed breaches to the use of stolen credentials. No exploit, no malware, just a valid login reused where it should never have worked.

The practical control is to stop treating RDP as a network-level service. Restricting RDP to dedicated administrative endpoints, behind identity verification rather than an open port, removes the easy host-to-host hop. Our deeper walkthrough of RDP security in 2026 covers how to do this without blocking the teams that legitimately need it.

Why unmanaged devices are the pivot points everyone forgets

Printers, IP cameras, and ageing industrial systems cannot run security agents. That makes them invisible to endpoint detection, and invisible is exactly what an attacker wants. These devices sit on the network unmonitored, which turns them into quiet launchpads for further movement.

Most security advice assumes every endpoint can carry a detection agent. In the mid-market that assumption breaks immediately. A three-person IT team cannot install software on a label printer or a twelve-year-old PLC, and the vendor often forbids it anyway. So these assets stay on a flat network, reachable by anything in the same segment.

These are not edge cases. They are the printers in every corridor, the cameras above every door, the sensors on every production line. An attacker who compromises one of them inherits a foothold that no endpoint tool is watching, and from there the same credential-reuse and RDP techniques apply as they would from any other host.

The fix is not an agent. It is network-level isolation that restricts each device to a short list of pre-authorised destinations. If a compromised camera can only talk to the one server it actually needs, it cannot be used to scan the rest of the network. This is where agentless isolation, such as Jimber’s NIAC hardware acting as an IT-OT bridge, closes a gap most platforms leave open.

How microsegmentation breaks the lateral path

Flat networks are the enabler. A traditional perimeter does nothing once an endpoint inside it is compromised, because static VLANs give everything in a segment broad reach to everything else. The attacker who lands anywhere can explore everywhere.

Microsegmentation flips the default from allow to deny. Instead of grouping devices into wide zones, it verifies identity and device health continuously and grants each connection only the specific path it needs. A compromised device stays boxed in, so the blast radius shrinks to one host instead of one network.

There is a practical caveat worth being honest about. Switching on strict segmentation overnight can break legitimate workflows and bury a small IT team in helpdesk tickets. The sensible approach is to roll new rules out in monitor mode first, map the real traffic and device behaviour without blocking anything, resolve the false positives, then enforce. Our guide to identity-based network segmentation walks through that transition from VLANs to identity-based isolation.

How Zero Trust Network Access removes the path entirely

Microsegmentation contains movement. ZTNA prevents it by design. Platforms like Jimber use Zero Trust Network Access to give users a direct, application-specific connection instead of dropping them onto the internal network the way a VPN does.

The difference matters for an attacker. With a VPN, one set of stolen credentials buys network-level access, and from there the attacker can scan and reach whatever the segment allows. With ZTNA, the same credentials reach one named application and nothing else. The rest of the network is not just blocked, it is invisible, because there was never a network connection to scan in the first place.

Device posture adds a second gate. Before access is granted, the platform checks identity and device health, so a compromised or non-compliant machine fails the check before it reaches anything. This is the model that retires the trust assumptions baked into legacy VPN architecture. For the full picture, see our pillar guide on Zero Trust architecture and how to implement it.

One honest limit. Network isolation and ZTNA drastically cut an attacker’s freedom, but they are not absolute if the attacker holds the legitimate credentials of a full-rights Active Directory administrator. If an account is authorised to reach everything, the network treats its actions as legitimate. Network controls have to sit alongside strict credential hygiene and multi-factor authentication, not replace them.

What this means in the Belgian context

The pressure is local, not abstract. The Sophos and Mandiant data describes the global pattern, but Belgian organisations are feeling it directly. The KPMG Cyber Survey Belgium 2025 found that half of Belgian organisations report a rise in cyberattacks, and 16% suffered a successful, disruptive breach in the past year. The same survey found 38% confirmed an attack on one of their suppliers.

The volume is visible at national level too. The Centre for Cybersecurity Belgium recorded 635 incident notifications, an increase of roughly 70% year on year.

Compliance has caught up with this reality. The Belgian CyberFundamentals (CyFun) verification deadline of 18 April 2026 has passed, and in-scope organisations now have to present verifiable proof of active network segmentation and lateral-movement controls, not paper policies. Documented microsegmentation and continuous posture checks are the kind of evidence a NIS2 or CyFun audit expects. A consolidated platform that logs every posture check and segmentation decision turns that audit preparation from a scramble into an export.

The cost of getting it wrong is well documented. The IBM Cost of a Data Breach Report 2025 puts the average breach at $4.44 million and the average time to identify and contain one at 241 days. The same report found organisations using a Zero Trust architecture saved an average of $1.76 million per breach.

For a mid-market IT team of two or three people, the appeal is not just the security model but the operational shape of it. Running ZTNA, segmentation, web filtering, and agentless device isolation from a single console, rather than four, is the difference between a defence you can actually maintain and one that exists only on the architecture diagram. If you want to see where your lateral paths are today, book a Jimber demo and we will walk through your network with you.

Frequently asked questions about lateral movement

What is the difference between lateral movement and privilege escalation?

Lateral movement is horizontal travel across systems using access rights the attacker already holds. Privilege escalation is vertical, gaining higher or administrative authority. Attackers usually combine both, moving sideways and escalating until they reach high-value assets.

How does a pass-the-hash attack bypass standard authentication?

Pass-the-hash lets an attacker authenticate to a remote system by replaying a captured password hash, with no need for the plaintext password. It abuses authentication protocols that accept the hash directly as proof of identity, sidestepping the login process entirely.

Why is RDP the primary tool for lateral movement?

RDP is a native administrative tool relied on across enterprise networks, so attacker activity blends into legitimate admin traffic. Without strict access controls, it gives threat actors an easy interactive graphical session on remote hosts, which is far simpler to operate than a command line.

How do attackers exploit unmanaged devices to pivot?

Printers, IP cameras, and industrial controllers cannot run security agents, leaving them invisible to endpoint detection. Attackers compromise these devices and use them as persistent, unmonitored bases to scan the internal network and stage further movement undetected.

Can browser isolation prevent lateral movement?

Yes, by stopping the initial infection. Browser isolation runs active web content in a secure cloud container and streams only a safe visual representation to the device. That prevents drive-by downloads and browser exploits from compromising the host, removing the foothold that lateral movement depends on.

Does Zero Trust stop an attacker who has admin credentials?

Not entirely. If an attacker holds the legitimate credentials of a full-rights administrator, the network treats their actions as authorised. Zero Trust and segmentation limit most movement, but they must be paired with strict credential management and multi-factor authentication to close this gap.

Find out how we can protect your business

In our demo call we’ll show you how our technology works and how it can help you secure your data from cyber threats.

Cybersecurity
Are you an integrator or distributor?

Need an affordable cybersecurity solution for your customers?

We’d love to help you get your customers on board.

checkmark

White glove onboarding

checkmark

Team trainings

checkmark

Dedicated customer service rep

checkmark

Invoices for each client

checkmark

Security and Privacy guaranteed