How Attackers Move Inside a Network (And Why It’s Hard to Detect)
Much of the focus in cybersecurity is placed on preventing initial access.
But what happens after an attacker gains entry is often more impactful.
The Attack Lifecycle
Once inside a network, attackers typically follow a sequence:
- Establish persistence
- Gather information
- Move laterally
- Escalate privileges
- Achieve objectives
Each step builds on the previous one.
Why Movement Is Difficult to Detect
Unlike initial access, which may involve external indicators, internal movement often uses legitimate tools and credentials.
Examples include:
- Remote desktop access
- Administrative utilities
- Scripting tools
Because these tools are part of normal operations, distinguishing malicious use from routine administration becomes harder: the tool, the account, and the protocol all look legitimate, and only the context of their use differs.
Behavior Over Signatures
Traditional detection methods rely on identifying known threats.
However, internal movement often does not involve known malware.
Instead, detection depends on recognizing unusual behavior patterns.
This may include:
- Logins from unexpected locations
- Access outside normal hours
- Changes in user activity
Correlation Is Key
Individual events may appear harmless.
But when viewed together, they can reveal a pattern.
For example:
- A login from a new location
- Followed by access to multiple systems
- Followed by privilege escalation
Correlation across systems is essential for identifying these patterns.
Why Context Matters
Understanding what is “normal” for an environment is critical.
Without this context, it becomes difficult to identify anomalies.
Effective detection requires:
- Baseline behavior
- Continuous monitoring
- Investigation of deviations
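The correlation pattern described above (a login from a new location, followed by access to multiple systems, followed by privilege escalation) and the per-user baseline this section calls for can be shown in one piece of detection logic. The following Python is an added example written for this article, not code from the original page. The log records are constructed for the example, the field layout (timestamp, user, event type, source location, target host) is an assumption, and the thresholds (a one-hour window, at least three distinct hosts) are illustrative values a team would tune to its own environment.

```python
"""Baseline-and-correlate detection over constructed login/access events.

Individual deviations (new location, off-hours login) are reported on their own,
then chained into a lateral-movement alert only when they are followed, within a
time window, by access to several distinct hosts and a privilege-escalation event.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from a real environment).
# Fields: timestamp, user, event type, source location, target host.
EVENTS = [
    # Baseline history: alice normally logs in from the "HQ" office in the morning.
    ("2024-03-01T09:05:00", "alice", "login", "HQ", "ws-alice"),
    ("2024-03-02T09:10:00", "alice", "login", "HQ", "ws-alice"),
    ("2024-03-03T08:55:00", "alice", "login", "HQ", "ws-alice"),
    ("2024-03-04T09:00:00", "alice", "login", "HQ", "ws-alice"),
    # Sequence to be correlated: new location, off hours, several hosts, escalation.
    ("2024-03-10T02:14:00", "alice", "login", "VPN-unknown", "ws-alice"),
    ("2024-03-10T02:20:00", "alice", "access", "VPN-unknown", "fileserver-01"),
    ("2024-03-10T02:26:00", "alice", "access", "VPN-unknown", "db-02"),
    ("2024-03-10T02:31:00", "alice", "access", "VPN-unknown", "jump-03"),
    ("2024-03-10T02:40:00", "alice", "priv_escalation", "VPN-unknown", "jump-03"),
    # bob: routine activity from his usual location, one host, no escalation.
    ("2024-03-01T10:00:00", "bob", "login", "HQ", "ws-bob"),
    ("2024-03-10T10:05:00", "bob", "login", "HQ", "ws-bob"),
    ("2024-03-10T10:30:00", "bob", "access", "HQ", "fileserver-01"),
]

# Events before this date are treated as history that defines "normal" (assumed value).
BASELINE_CUTOFF = datetime(2024, 3, 5)


def parse(raw):
    """Turn the constructed tuples into dicts with real datetimes."""
    return [
        {"ts": datetime.fromisoformat(ts), "user": u, "type": t, "loc": loc, "host": h}
        for ts, u, t, loc, h in raw
    ]


def build_baseline(events, cutoff):
    """Per-user set of login locations and login hours observed before `cutoff`."""
    base = defaultdict(lambda: {"locations": set(), "hours": set()})
    for e in events:
        if e["type"] == "login" and e["ts"] < cutoff:
            base[e["user"]]["locations"].add(e["loc"])
            base[e["user"]]["hours"].add(e["ts"].hour)
    return base


def anomalous_logins(events, baseline, cutoff):
    """Individual deviations: a login from a location or at an hour not in the user's baseline."""
    out = []
    for e in events:
        if e["type"] != "login" or e["ts"] < cutoff:
            continue
        b = baseline.get(e["user"])  # .get() does not create a default entry
        reasons = []
        if b is None or e["loc"] not in b["locations"]:
            reasons.append("new_location")
        if b is None or e["ts"].hour not in b["hours"]:
            reasons.append("off_hours")
        if reasons:
            out.append({"user": e["user"], "ts": e["ts"], "reasons": reasons})
    return out


def correlate(events, baseline, cutoff, window=timedelta(hours=1), min_hosts=3):
    """Chain: anomalous login -> access to >= min_hosts distinct hosts -> priv_escalation,
    all within `window` of the login. Each link alone would not raise an alert."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    flagged = {(a["user"], a["ts"]) for a in anomalous_logins(events, baseline, cutoff)}
    alerts = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            if (user, start["ts"]) not in flagged:
                continue
            hosts, escalation = set(), None
            for e in evs[i + 1:]:
                if e["ts"] - start["ts"] > window:
                    break  # outside the correlation window; stop chaining
                if e["type"] == "access":
                    hosts.add(e["host"])
                elif e["type"] == "priv_escalation" and len(hosts) >= min_hosts:
                    escalation = e
                    break
            if escalation is not None:
                alerts.append({"user": user, "login": start["ts"],
                               "hosts": sorted(hosts), "escalation": escalation["ts"]})
    return alerts


if __name__ == "__main__":
    evs = parse(EVENTS)
    base = build_baseline(evs, BASELINE_CUTOFF)
    for a in anomalous_logins(evs, base, BASELINE_CUTOFF):
        print("deviation:", a)
    for a in correlate(evs, base, BASELINE_CUTOFF):
        print("lateral-movement alert:", a)
```

Run as a script, the code prints one deviation for alice's off-hours login from an unknown location and one correlated alert listing the three hosts touched before the escalation; bob's activity, which stays inside his baseline and touches a single host, produces nothing. The point the article makes is visible in the code structure: `anomalous_logins` alone would page an analyst for every traveller and late worker, while `correlate` only fires when the deviation is followed by the rest of the sequence.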
Early Detection Reduces Impact
The earlier movement is detected, the easier it is to contain.
Delays allow attackers to expand their access and increase impact.
This reinforces the importance of:
- Visibility
- Analysis
- Timely response
