What is lateral movement? In cybersecurity, lateral movement refers to the set of techniques an attacker uses to move through a network after gaining an initial foothold, expanding access from one compromised system to additional hosts, accounts, and services in search of higher privileges or valuable data. Unlike the initial breach—often a phished credential, an exposed service, or a vulnerable third-party dependency—lateral movement happens after the attacker is already inside, and it is frequently the longest phase of an intrusion, sometimes stretching on for weeks. Adversaries harvest credentials, abuse trust relationships between systems, and reuse legitimate administrative tools to blend in with normal traffic. For software supply chain attacks specifically, lateral movement is how a single compromised build server, CI/CD runner, or developer laptop turns into a full breach of source code, secrets, and production infrastructure. Understanding it matters because most breaches are caught during this phase, not at the point of initial entry.
What Is Lateral Movement, Exactly?
Lateral movement is the stage of an attack where an intruder, having already breached one system, uses that foothold to reach other systems on the same network without needing to re-exploit an external vulnerability each time. Security teams distinguish it from "initial access" (getting in) and "exfiltration" (getting data out): lateral movement is everything in between, when the attacker is mapping the environment, escalating privileges, and repositioning to reach a higher-value target such as a domain controller, a source code repository, or a database of customer records. It is rarely noisy by design. Attackers favor built-in administrative protocols—RDP, SMB, WinRM, SSH—over custom malware, because traffic that looks like routine IT administration is far less likely to trip an alert than a dropped executable. This is also why lateral movement is treated as its own tactic in threat modeling rather than folded into "hacking" generically: defending against it requires visibility into internal, east-west traffic, not just the perimeter.
How Do Attackers Actually Carry Out Lateral Movement Techniques?
Attackers carry out lateral movement techniques by chaining credential theft, remote code execution, and abuse of trust relationships to hop from system to system while resembling normal administrative activity. A typical chain starts with credential harvesting: dumping password hashes from memory with a tool like Mimikatz, extracting cached credentials from a compromised endpoint, or scraping plaintext secrets left in scripts, configuration files, or CI/CD environment variables. Those credentials are then reused via pass-the-hash or pass-the-ticket attacks, which let an attacker authenticate as a user without ever knowing their actual password, exploiting how Windows NTLM and Kerberos validate cached hash values rather than the password itself. From there, attackers execute code remotely using PsExec, WMI, or scheduled tasks—all legitimate Windows administration features—to run commands on newly reached hosts.
The real-world case that best illustrates the speed of this chain is the 2017 NotPetya attack against Maersk. After an initial compromise through a Ukrainian accounting software update, the malware combined the EternalBlue SMB exploit with a Mimikatz-based credential harvester to move across Maersk's internal network. Within roughly seven minutes, NotPetya had spread from a single infected machine to domain controllers and thousands of endpoints worldwide, encrypting them beyond recovery and costing the company an estimated $300 million. The incident remains a reference point for why lateral movement, not the initial exploit, is often what turns a contained incident into a catastrophic one.
Which MITRE ATT&CK Lateral Movement Techniques Show Up Most in Real Incidents?
MITRE ATT&CK catalogs lateral movement as its own tactic, TA0008, and a handful of its techniques account for the majority of real-world incidents. Remote Services (T1021)—particularly RDP, SMB/Windows Admin Shares, and SSH—is the most commonly observed technique because these protocols are already whitelisted on most corporate networks and rarely generate alerts on their own. Use of Alternate Authentication Material (T1550), which covers pass-the-hash and pass-the-ticket, is close behind, since it lets attackers skip password cracking entirely once they've dumped credential material. Exploitation of Remote Services (T1210) covers cases where the attacker doesn't even need valid credentials, instead exploiting an unpatched vulnerability in an internal service to jump hosts directly, as happened with EternalBlue in the NotPetya case above.
The SolarWinds/Sunburst campaign is a well-documented example of MITRE ATT&CK lateral movement techniques being used deliberately and patiently rather than for speed. After the trojanized Orion update gave APT29 a foothold inside victim networks, the group used valid, stolen credentials and T1021 remote services to move from the compromised Orion server to on-premises Active Directory and, in several cases, to cloud identity infrastructure, all while avoiding the kind of noisy exploitation that would trigger endpoint alerts. That patience—weeks of careful, credential-based movement—is precisely why the intrusion went undetected for months.
What Does Pivoting in a Network Actually Look Like in Practice?
Pivoting in a network is the specific technique of using a compromised host as a relay point to reach systems that the attacker cannot contact directly from their original position, typically by tunneling traffic through that intermediate machine. If an attacker compromises a workstation on a segmented VLAN, they can't necessarily route straight to the finance database on a separate segment—but if that workstation itself has a network interface or a trust relationship reaching that segment, the attacker can proxy their traffic through it. Common mechanics include SSH port forwarding, SOCKS proxies set up with tools like Chisel or Ligolo-ng, and abusing dual-homed servers that bridge otherwise isolated network zones.
The 2013 Target breach is the textbook example. Attackers first compromised credentials belonging to an HVAC vendor with remote access into Target's network for billing and contract management. That vendor access wasn't supposed to reach anything sensitive, but because the vendor's segment and the corporate network shared enough Active Directory and file-share trust, attackers were able to pivot from the HVAC access point into systems that ultimately touched the point-of-sale network, where they deployed memory-scraping malware and stole roughly 40 million payment card numbers. The lesson generalizes well beyond retail: pivoting succeeds wherever network segmentation is assumed but not actually enforced.
How Can Security Teams Achieve Attacker Lateral Movement Detection Before Damage Spreads?
Effective attacker lateral movement detection depends on correlating identity, network, and endpoint signals to catch behavior that looks unremarkable in isolation but anomalous in aggregate. A single RDP login is normal; a service account that has never touched more than two hosts suddenly authenticating to twelve servers in an hour is not. Practically, this means deploying endpoint detection and response (EDR) tooling that flags credential-dumping behavior and unusual parent-child process relationships (like a Word document spawning PowerShell that spawns PsExec), pairing it with user and entity behavior analytics (UEBA) that baseline normal authentication patterns per account, and monitoring east-west network traffic with tools like Zeek or NetFlow analysis to spot unexpected SMB, WinRM, or RDP sessions between hosts that don't typically talk to each other.
Honeytokens and decoy credentials are also effective—planting a fake privileged account that no legitimate process should ever use means any authentication attempt against it is a near-certain sign of lateral movement in progress. Network segmentation, enforced with actual firewall rules rather than VLAN tagging alone, limits how far a successful pivot can travel even before detection kicks in. In CI/CD and build environments specifically, teams should watch for build agents or runners establishing outbound connections or authentication attempts to systems outside their normal, narrowly defined scope, since a compromised pipeline is one of the highest-value lateral movement launch points into source code and production credentials.
How Safeguard Helps
Software supply chain attacks are, structurally, lateral movement problems: an attacker compromises one dependency, one build runner, or one developer credential, and then needs to move from that toehold into source code, artifact registries, and production. Safeguard is built around cutting off that path rather than just hardening the perimeter around it. Safeguard maps trust relationships across your build and release pipeline—CI/CD runners, package registries, signing infrastructure, and third-party dependencies—so that when one component is compromised, the blast radius it can reach laterally is visible and constrained, not implicit and unlimited.
Concretely, Safeguard monitors CI/CD environments for the exact behaviors that precede lateral movement: unexpected outbound connections from build agents, credential or secret access patterns that deviate from a pipeline's normal profile, and dependency or artifact changes that don't match verified provenance. By generating and verifying SBOMs and build attestations, Safeguard makes it possible to catch a tampered dependency or a rogue build step before it becomes the pivot point that lets an attacker jump from your supply chain into your production environment. Combined with least-privilege recommendations for pipeline credentials and isolation boundaries between build stages, Safeguard shrinks the surface an attacker can use for lateral movement in the first place, and gives security teams the telemetry to catch it fast when it happens anyway.