Start Free Trial
Start Free Trial
Introspectus

Sleigh-Ride Lateral Movement: How Attackers Travel After Initial Compromise

Executive Summary

Once attackers breach the initial defences, their goal shifts to exploration, privilege escalation and control. This phase, known as lateral movement, allows them to spread through systems like Santa visiting every chimney in a network. During the Christmas period, reduced staffing and delayed response times make it easier for attackers to move quietly between servers, endpoints and cloud environments. Executives should understand that a single compromised workstation can quickly become a full-scale incident if lateral movement isn’t contained.

How the Attack Works

After gaining an initial foothold, attackers use legitimate administrative tools and stolen credentials to expand their access. Common techniques include exploiting weak service accounts, reusing cached passwords, and leveraging tools like PowerShell, PsExec, or Remote Desktop Protocol (RDP). Attackers often disguise their activity as normal administrative behaviour to avoid detection.

The process typically unfolds in four stages:

  1. Credential Harvesting – Extracting cached or stored credentials from memory, password vaults or compromised systems.
  2. Privilege Escalation – Exploiting vulnerabilities or misconfigurations to gain higher-level access.
  3. Lateral Movement – Using remote tools to connect to additional systems and deploy malware or reconnaissance utilities.
  4. Persistence – Establishing hidden accounts or scheduled tasks to maintain control over the environment.
Without strong administrative control, attackers can move laterally across departments, reaching critical assets such as Active Directory, databases or backups, often unnoticed until major damage occurs.

Australian Context / Case Study

Australian organisations have seen multiple high-impact incidents where poor privilege management allowed attackers to move laterally. In 2022, Medibank suffered extensive network compromise after attackers gained access through a single remote desktop account. Due to excessive administrative privileges and unmonitored internal traffic, the attackers accessed servers, disabled backups, and deployed ransomware organisation-wide.

The ACSC’s Cyber Threat Report consistently notes that lateral movement is a critical phase in most major Australian data breaches, often enabled by weak segregation and insufficient application control.

How the Essential Eight Mitigates the Risk

The Essential Eight directly targets the techniques attackers use for lateral movement:

  • Restrict Administrative Privileges: Limits who can perform system changes, reducing the ability of attackers to escalate privileges or access sensitive assets.
  • Multi-Factor Authentication (MFA): Prevents attackers from reusing stolen credentials to move between systems.
  • Application Control: Blocks unauthorised tools (like PsExec or Cobalt Strike) commonly used for lateral movement.
  • Patch Operating Systems and Applications: Closes vulnerabilities exploited to gain elevated access or move laterally.
  • User Application Hardening: Disables risky features that attackers can exploit for initial or lateral access (e.g., PowerShell remoting, SMBv1).
  • Regular Backups: Ensures that if lateral movement leads to ransomware deployment, systems can be restored without paying ransoms.

When implemented at Maturity Level Two or above, these controls severely limit an attacker’s ability to expand beyond the first compromised endpoint.

Executive Takeaways

  1. Review and minimise administrative privileges – implement least-privilege access.
  2. Enforce MFA across all privileged and remote connections.
  3. Ensure application control policies block non-approved administrative tools.
  4. Patch all systems regularly and verify that remote management interfaces are secured.
  5. Segment networks to isolate critical servers and backups from standard user networks.
  6. Conduct red team or internal threat-hunting exercises to detect lateral movement techniques.

With layered defences through the Essential Eight, organisations can ensure that even if attackers sneak into one system, their sleigh ride across the network ends before they reach the crown jewels.