What is lateral movement in cybersecurity?

Lateral movement refers to the techniques attackers use to move through a network after gaining an initial foothold, seeking to access additional assets or sensitive data. Common methods include privilege escalation and leveraging network connectivity to reach critical systems.

What are common techniques attackers use for lateral movement?

Common lateral movement techniques include Access Token Manipulation, Pass the Hash, Kerberoasting, and LLMNR Poisoning. Each technique exploits different aspects of authentication and network protocols to escalate privileges or impersonate users. (Source: MITRE ATT&CK)

How does Access Token Manipulation work?

Access Token Manipulation involves changing the security context of a running process to impersonate another user, often an administrator. This allows attackers to execute actions with elevated privileges. Administrators should use access tokens securely, for example, by running tools with 'runas' rather than logging in as an admin. (MITRE ATT&CK T1134)

What is Pass the Hash and how can it be prevented?

Pass the Hash is a technique where attackers use stolen password hashes to authenticate as a user without knowing the cleartext password, bypassing standard authentication. Preventing Pass the Hash involves strong password policies, limiting credential exposure, and using multi-factor authentication. (MITRE ATT&CK T1550.002)

What is Kerberoasting and why is it a threat?

Kerberoasting is an attack where adversaries abuse Kerberos ticket-granting service (TGS) tickets to brute-force service account passwords offline. This can lead to privilege escalation if weak passwords are used. (MITRE ATT&CK T1558.003)

How does LLMNR Poisoning facilitate lateral movement?

LLMNR Poisoning allows attackers to respond to network name resolution requests, tricking systems into sending authentication data to adversary-controlled machines. This can be used to collect or relay credentials for further lateral movement. (MITRE ATT&CK T1557.001)

What foundational steps should be taken for privileged access management (PAM) and IAM?

Key steps include defining program scope, establishing policies, conducting risk assessments, enforcing least privilege, implementing multi-factor authentication, monitoring activities, conducting regular training, and reviewing the program regularly. These steps help protect critical assets and reduce lateral movement risk.

How can network segmentation help prevent lateral movement?

Network segmentation divides the network into smaller segments with specific access controls, limiting attackers' ability to move laterally. Steps include identifying critical assets, designing a segmentation plan, implementing access controls, monitoring, and regular employee training.

What role does SIEM play in network segmentation and lateral movement defense?

Security Information and Event Management (SIEM) tools provide visibility into network activity, helping detect and respond to potential lateral movement attempts. Integrating SIEM with segmentation policies enhances threat detection and incident response.

How can organizations validate their lateral movement defenses?

Organizations can validate their defenses using automated lateral movement testing tools like Cymulate Continuous Automated Red Teaming (CART) with the Hopper module, which simulates attacker behavior to identify weaknesses in segmentation and IAM controls.

Where can I learn more about preventing lateral movement attacks?

You can read Cymulate's blog post 'Stopping Attackers in Their Tracks' for an in-depth discussion of lateral movement techniques and prevention strategies at this link.

What was the root cause of a lateral movement vulnerability identified by Cymulate for a shipping company?

The root cause was that the company’s local admin credentials were very similar, allowing the Cymulate agent to move laterally across the network. (Source: Customer Story - Weak Segmentation, Wide Access)

Does Cymulate offer resources on mitigating lateral movement techniques used by attackers?

Yes, Cymulate provides a blog post that examines common lateral movement techniques and offers insights on hardening defenses using IAM and network segmentation. Read more at our blog.

How does Cymulate's Hopper module help with lateral movement validation?

The Hopper module in Cymulate's Continuous Automated Red Teaming (CART) simulates an attacker who has gained an initial foothold and attempts lateral movement, helping organizations identify and remediate weaknesses in their network segmentation and IAM controls.

What are the benefits of regular employee training for lateral movement defense?

Regular training ensures employees understand access control policies, recognize phishing attempts, and report suspicious activity, all of which are critical for maintaining effective lateral movement defenses.

How does Cymulate Exposure Validation support lateral movement defense?

Cymulate Exposure Validation enables advanced security testing, including custom attack chains, to assess and strengthen defenses against lateral movement. It provides actionable insights for hardening IAM and network segmentation controls. (Learn more)

How can organizations monitor and maintain effective network segmentation?

Organizations should regularly audit segmentation policies, conduct vulnerability scans, perform penetration testing, and use SIEM tools to monitor network activity and ensure segmentation remains effective and up-to-date.

What features does Cymulate offer for exposure validation and lateral movement testing?

Cymulate offers automated attack simulations, custom attack chain building, Continuous Automated Red Teaming (CART) with the Hopper module, and a comprehensive threat library to validate defenses against lateral movement and other attack techniques. (Platform details)

How does Cymulate integrate with other security technologies?

Cymulate integrates with a wide range of security technologies, including Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, CrowdStrike Falcon, Wiz, SentinelOne, and more. For a full list, visit our Partnerships and Integrations page.

What are the key capabilities of Cymulate's platform?

Key capabilities include continuous threat validation, unified BAS and CART, attack path discovery, automated mitigation, AI-powered optimization, complete kill chain coverage, ease of use, and an extensive threat library with over 100,000 attack actions updated daily. (Platform)

How easy is Cymulate to implement and use?

Cymulate is designed for quick, agentless deployment with minimal resources required. Customers report that implementation is straightforward and the platform is intuitive, with support and educational resources available. (Source: Customer testimonials, Schedule a demo)

What feedback have customers given about Cymulate's ease of use?

Customers consistently praise Cymulate for its intuitive interface, user-friendly dashboard, and actionable insights. Testimonials highlight its ease of implementation and the value of its support team. (Source: Customer quotes)

What security and compliance certifications does Cymulate hold?

Cymulate holds SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1 certifications, demonstrating robust security and compliance practices. (Source: Security at Cymulate)

How does Cymulate ensure data security and privacy?

Cymulate uses encryption for data in transit (TLS 1.2+) and at rest (AES-256), secure AWS-hosted data centers, a tested disaster recovery plan, and a dedicated privacy and security team, including a DPO and CISO. (Source: Security at Cymulate)

What is Cymulate's pricing model?

Cymulate uses a subscription-based pricing model tailored to each organization's needs, based on the chosen package, number of assets, and scenarios. For a quote, schedule a demo.

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, security leaders, SecOps teams, Red Teams, and vulnerability management teams in organizations of all sizes and industries, including finance, healthcare, retail, media, and more. (Learn more)

How does Cymulate compare to other security validation platforms?

Cymulate stands out with its unified platform combining BAS, CART, and Exposure Analytics, continuous threat validation, AI-powered optimization, ease of use, and proven customer outcomes such as a 52% reduction in critical exposures and 81% reduction in cyber risk. (See comparisons)

What are some real-world results achieved with Cymulate?

Customers have reported measurable outcomes, including an 81% reduction in cyber risk (Hertz Israel), a 52% reduction in critical exposures, and a 60% increase in team efficiency. (Case studies)

Where can I find Cymulate's blog, newsroom, and resource hub?

You can find the latest threats, research, and company news on our blog, newsroom, and resource hub.

How can I stay updated with Cymulate's latest news and research?

Stay informed by visiting Cymulate's blog for the latest threats and research, and the newsroom for media mentions and press releases.

Where can I find events and webinars hosted by Cymulate?

Information about live events and webinars is available on our Events & Webinars page.

Stopping Attackers in Their Tracks: Mitigating Lateral Movement with IAM and Network Segmentation

By: Renier Steyn

Last Updated: August 28, 2025

When attackers gain an initial foothold, their next step is propagating in the network toward the organization's crown jewels. To move laterally, the attacker must gain privileges and leverage network connectivity.

Attackers apply a number of proven techniques to achieve that goal of lateral movement. This blog highlights a few common techniques for lateral movement as well as recommendations to prevent attackers from using them to achieve their goals.

Access Token Manipulation

Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear to belong to someone other than the user who started the process. When this occurs, the process also takes on the security context associated with the new token. For Example, Microsoft promotes using access tokens as a security best practice. Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command "runas".

For more information, see https://attack.mitre.org/techniques/T1134/

Pass the Hash

Adversaries may "pass the hash" using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the authentication segment that uses the password hash.

For more information, see https://attack.mitre.org/techniques/T1550/002/

Kerberoasting

Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force, a technique commonly used in kerberoasting.

Service principal names (SPNs) are used to identify each instance of a Windows service. To enable authentication, Kerberos requires SPNs to be associated with at least one service logon account (an account specifically tasked with running a service). Adversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC).

Defending against Kerberoasting with lateral movement
More information, see https://attack.mitre.org/techniques/T1558/003/.

LLMNR Poisoning

By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary-controlled system. This activity may be used to collect or relay authentication materials.

For more information, see https://attack.mitre.org/techniques/T1557/001/

Robust IAM programs Management) programs, specifically PAM (Privileges Access Management) and network segmentation, are the foundations of lateral movement defense.

Here are some foundational recommendations for privileged access management (PAM) and identity and access management (IAM) programs in a large-scale enterprise:

Define the scope of the program: Determine the specific systems, applications, and data that the PAM and IAM programs will cover. Identify the critical assets that require the highest level of protection.
Establish policies and procedures: Develop policies and procedures that address access control, password management, authentication, and authorization. These policies should align with industry best practices and regulatory requirements.
Conduct a risk assessment: Conduct a comprehensive risk assessment to identify vulnerabilities and risks associated with privileged access and user access to enterprise systems and data.
Implement least privilege: Enforce the principle of least privilege by restricting access to only what is necessary for each user and application. Implement role-based access control (RBAC) to ensure users can access only the resources they need to perform their job functions.
Use multi-factor authentication (MFA): Implement MFA to provide an additional layer of security to protect against unauthorized access. MFA should be used for privileged users as well as regular users.
Implement monitoring and reporting: Implement real-time monitoring and reporting to detect and respond to suspicious activities. This includes monitoring user activity logs, access attempts, and system changes.
Conduct regular training and awareness: Educate employees on the importance of PAM and IAM and their role in ensuring the security of enterprise systems and data. Conduct regular training and awareness programs to ensure employees understand their responsibilities and are aware of the latest threats and vulnerabilities.
Regularly review and update the program: Conduct regular reviews of the PAM and IAM program to ensure it remains effective and aligns with the evolving threat landscape and changing business requirements.

By implementing these foundational recommendations, a large-scale enterprise can establish a strong PAM and IAM program to protect its critical assets and ensure the security of its systems and data.
A robust network segmentation plan can help protect your organization's critical assets from potential security threats by following these recommendations:

Identify Critical Assets: The first step in any network segmentation project is identifying the critical assets that need protection. This can include data centers, servers, applications, and other sensitive resources. Once you have identified these assets, you can create policies limiting access exclusively to authorized users.
Design a Segmentation Plan: After identifying the critical assets, the next step is to design a segmentation plan. This plan should divide the network into smaller, more manageable segments. Each segment should have its own security policies and controls, and access should be limited based on business needs.
Implement Access Controls: Once the segmentation plan is in place, it's essential to implement access controls to ensure that only authorized personnel can access each segment. This can include using firewalls, VLANs, and other security technologies to control access and enforce policies.
Monitor and Maintain Segmentation: Network segmentation is not a one-time project. Monitoring and maintaining segmentation regularly is essential to ensure that segmentation is still effective and up-to-date. This can include regular security audits, vulnerability scans, and penetration testing.
Use Security Information and Event Management (SIEM): SIEM tools can provide visibility into network activity, helping to detect potential security threats. Integrating SIEM into your network segmentation plan lets you quickly detect and respond to security incidents.
Train Employees: Lastly, it's crucial to train employees on network security best practices, including how to follow access control policies, avoid phishing attacks, and report any suspicious activity. Regular training can help ensure that everyone in the organization is on the same page when it comes to network security.

Validating the efficacy of those pre-emptive measures can be done by using automated lateral movement technologies such as Cymulate Continuous Automated Red Teaming (CART) with its Hopper module that simulates an attacker that has gained an initial foothold and moves laterally in search of any additional assets that can be compromised.

To learn more about testing for lateral movement, watch the webinar Building a Real Worm For Good.

Over the last decade, Renier progressed from junior security analyst to cybersecurity specialist to sales engineering. Today, he is the customer success team lead for Europe and Africa. His years of industry experience and deep understanding of the Cymulate products and services are invaluable to the success of each of his clients.

More about Author

Table of Contents

Access Token Manipulation Pass the Hash Kerberoasting LLMNR Poisoning

Cymulate Exposure Validation makes advanced security testing fast and easy. When it comes to building custom attack chains, it's all right in front of you in one place.

Mike Humbert, Cybersecurity Engineer

DARLING INGREDIENTS INC.

Learn More

Featured Resources

View More Resources

blog

CVE-2026-32196: One-Click RCE via Windows Admin Center Control Flow Hijacking

Ilan Kalendarov, Security Research Team LeadBen Zamir, Security ResearcherElad Beber, Security ResearcherRuben Enkaoua, Security Researcher Cymulate Research Labs identified a set of

Webinar

Cymulate Stories: A Fireside Chat with Morgan Street Holdings

Many organizations still manage cyber risk using reactive security practices that struggle to keep pace with today’s threat landscape. As

Watch Now