
How Attackers Really Move – And 5 Steps to Make Their Job Much Harder

Posted by: Gali Rahamim
June 18, 2025

When people outside security imagine a cyberattack, they often picture a dramatic breach through a flashy zero-day exploit or a high-profile vulnerability. The truth, as we know, is far less cinematic. Most attackers don’t need exotic tools or rare CVEs. They just need an open door – and there are plenty of those to choose from.

It’s once attackers are inside that their real ‘work’ begins. Movement inside the network is quiet and methodical. It’s also often slow – and in the best case (for the attacker, anyway) it goes undetected by EDR and SIEM tooling, or is drowned out in a sea of low-risk alerts, until it’s too late.

This blog breaks down how attackers actually move once they have a foothold. It walks through the TTPs (Tactics, Techniques, and Procedures) they use to escalate privileges from a low-level account to domain admin or other critical systems, and the defensive countermeasures organizations can use to detect and contain adversaries before significant data exfiltration or ransomware deployment occurs.

Entry Points – The Start of the Climb

Attackers don’t always break in. Sometimes they just authenticate in – with harvested credentials, or through an unpatched system or misconfigured application. Phishing with malicious Office macros or weaponized PDF attachments is still high on the attackers’ favorites list. So is credential stuffing – someone reuses the same password across multiple systems, it turns up in a breach database, and the attacker replays it against your login portals. And every so often, attackers find a vulnerability that has been sitting unpatched for months or even years.

Zero-days get the headlines, but they’re rarer in the wild. The reason? They’re expensive to find or buy, so they’re usually reserved for high-value targets, often by nation-state actors. Most attackers go for what’s easy, repeatable, and generates minimal IOCs (Indicators of Compromise). They exploit human behavior patterns and misconfigurations, not just application code.

Whatever the entry point, attackers usually land on a low-privileged user account. That’s where most breaches begin – quiet access to an endpoint that no one’s watching too closely. 

Once they’re in, attackers slow down and begin internal reconnaissance. They enumerate cached credentials in LSASS memory. They inspect running processes and services. They map network shares and Active Directory trust relationships. Every artifact helps them build their attack path forward. Every environment is different, but the approach is more or less the same: establish persistence, minimize command-and-control traffic, and identify the next privilege escalation opportunity.

Pivot and Lateral Movement – Climbing the Ladder

When attackers have a feel for the environment, they start looking for their next move. The goal isn’t speed. It’s stealth. They want to shift from that initial low-privileged endpoint to something with more value – and more extensive access rights.

That usually starts with credential harvesting. Tools like Mimikatz let attackers extract NTLM hashes, Kerberos TGTs (Ticket Granting Tickets), and service account credentials directly from memory by targeting the LSASS process with commands like sekurlsa::logonpasswords. With those authentication artifacts in hand, they don’t need the plaintext password: an NTLM hash can be replayed with Pass-the-Hash, and a stolen TGT with Pass-the-Ticket, because the protocols accept the secret-derived material itself as proof of identity. (NTLM relay is a related but separate technique that needs no harvested credentials at all – the attacker forwards a victim’s live authentication attempt to another host.) Another common technique is Kerberoasting: any authenticated domain user can request service tickets (TGS) for accounts that have an SPN (Service Principal Name) registered. Each ticket is encrypted with a key derived from that service account’s password, so the attacker extracts the tickets and cracks them offline with hashcat to recover the service account’s clear-text password – a particularly easy job when the ticket was issued with RC4 rather than AES.

Sometimes attackers don’t even need specialized tools. They can just wait. For example, if a domain administrator authenticates to the compromised machine, they can quietly grab those credentials in the background. In some cases they deliberately trigger a low-severity incident – just enough to generate a help desk ticket that prompts someone with elevated access to connect to the compromised system.

Attackers rarely need custom malware payloads. Instead, they rely on living-off-the-land binaries (LOLBins). They use built-in administrative utilities like PowerShell, WMI, or PsExec – all native Windows tools with legitimate use cases – to blend in with normal sysadmin activity. Sometimes they inject malicious DLLs into legitimate processes via reflective DLL injection, or deploy fileless malware that operates entirely in memory, leaving minimal forensic artifacts. Other times they embed a malicious macro in a shared document that gets distributed internally. The traffic looks routine in network logs. And that’s exactly the point.

This approach, often called “Living off the Land,” is widespread. One industry study found that some 84% of high-severity attacks involve the abuse of legitimate system binaries, with PowerShell used in nearly three-quarters of malicious scripts. Attackers don’t need to deploy custom C2 frameworks – they just abuse what your environment already allowlists and trusts.

Breaking the Chain – 5 Steps to Map and Disrupt Movement

Attackers don’t rush the crown jewels. They take their time. They move laterally through the network, quietly looking for the weak spots no one’s watching: excessive NTFS permissions, over-privileged service accounts with risky Kerberos delegation settings, and LDAP enumeration between systems that nobody monitors. Stopping that kind of movement means a defense-in-depth strategy that identifies where those attack paths exist – and security controls that break them before they’re exploited.

Here are 5 steps to making an attacker’s job much harder:

  1. Use attack path modeling to see how an attacker could move through your environment and chain together seemingly unrelated misconfigurations to reach critical assets. It highlights real, not theoretical, risks – excessive privileges, unpatched vulnerabilities, and credential exposures that connect one system to another through trust relationships that static security scans miss.
  2. Once you map these risky routes, shut them down. Start by removing standing privileges. Use a PAM (Privileged Access Management) solution with Just-in-Time access that grants ephemeral, time-bound privileges only when explicitly requested and approved.
  3. Implement network segmentation based on Zero Trust principles instead of relying solely on traditional perimeter-based controls.
  4. Audit your service accounts meticulously; many have excessive privileges through membership in high-privilege AD groups, and their passwords often go unchanged for years, in violation of rotation policies.
  5. Focus on detection engineering. Every environment has choke points – the systems and identities attackers can’t avoid if they want to move deeper. One way to cover them is deception technology: honeytokens, canary tokens, or decoy credentials that have no legitimate business purpose. Nothing legitimate should ever touch them, so any use is a high-fidelity alert with almost no false positives.

These techniques work. Research has found that 44% of ransomware attacks are discovered while the attacker is still moving laterally. That’s your chance to contain the threat – before the real damage begins. You can’t block every breach. But you can implement controls that break the chain that turns initial access into business impact. That’s where effective security programs demonstrate their value.
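As an added example (not XM Cyber code) of the detection engineering in step 5, tying together the Kerberoasting, living-off-the-land and decoy-credential points above: three rules run over a handful of constructed Windows Security events, shaped the way a SIEM would hand them to a detection. The account names, hostnames, timestamps and the encoded command line are all invented. Rule one flags an account requesting RC4 (encryption type 0x17) service tickets for many distinct SPNs within a short window, which is what a Kerberoasting tool looks like in event 4769; rule two fires on any logon or ticket event naming a decoy account that has no legitimate use; rule three catches encoded PowerShell in process-creation (4688) command lines, including the abbreviated -e/-enc forms PowerShell accepts.

```python
"""Three detection rules over constructed Windows event records (added example)."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

DECOY_ACCOUNTS = {"svc_legacy_sql@corp.local"}   # decoy credential; invented, no real use
RC4_ETYPE = "0x17"                                # ticket encryption type RC4-HMAC
KERBEROAST_MIN_SPNS = 5                           # distinct services per account...
KERBEROAST_WINDOW = timedelta(seconds=60)         # ...within this window
LOGON_EVENT_IDS = {4624, 4625, 4768, 4769, 4771}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand, so match all of them.
_PREFIXES = sorted(("encodedcommand"[:i] for i in range(1, 15)), key=len, reverse=True)
ENCODED_PS = re.compile(r"(?i)[\s\"][-/](?:%s)\s+[A-Za-z0-9+/=]{16,}" % "|".join(_PREFIXES))

# Constructed sample events (not real logs). "service" is the SPN in a 4769 record.
SAMPLE_EVENTS = [
    {"ts": "2025-06-18T09:00:00", "id": 4769, "user": "alice@corp.local", "host": "DC01",
     "service": "MSSQLSvc/sql01.corp.local", "etype": "0x12"},            # normal AES request
    {"ts": "2025-06-18T09:00:30", "id": 4769, "user": "WS01$@corp.local", "host": "DC01",
     "service": "cifs/fs01.corp.local", "etype": "0x17"},                 # machine account, ignored
] + [
    {"ts": f"2025-06-18T09:05:{2*i:02d}", "id": 4769, "user": "bob@corp.local", "host": "DC01",
     "service": svc, "etype": "0x17"}                                     # RC4 burst: Kerberoasting
    for i, svc in enumerate(["MSSQLSvc/sql01.corp.local", "MSSQLSvc/sql02.corp.local",
                             "http/intranet.corp.local", "exchangeMDB/mail01.corp.local",
                             "ldap/app01.corp.local", "cifs/backup01.corp.local"])
] + [
    {"ts": "2025-06-18T09:07:10", "id": 4624, "user": "svc_legacy_sql@corp.local",
     "host": "WS01", "logon_type": 3},                                     # decoy account used
    {"ts": "2025-06-18T09:07:15", "id": 4688, "user": "bob@corp.local", "host": "WS01",
     "command": 'powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA'},
    {"ts": "2025-06-18T09:08:00", "id": 4688, "user": "admin.it@corp.local", "host": "WS03",
     "command": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
]


def detect_kerberoast(events):
    """Alert when one account requests RC4 tickets for many distinct SPNs in a short window."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] != 4769 or e.get("etype") != RC4_ETYPE:
            continue
        name = e["user"].split("@")[0].lower()
        if name == "krbtgt" or name.endswith("$"):
            continue                              # KDC and machine accounts are noise here
        by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["service"]))
    alerts = []
    for user, reqs in by_user.items():
        reqs.sort()
        window, distinct = deque(), Counter()     # sliding window of (ts, spn)
        for ts, spn in reqs:
            window.append((ts, spn))
            distinct[spn] += 1
            while ts - window[0][0] > KERBEROAST_WINDOW:
                _, old = window.popleft()
                distinct[old] -= 1
                if distinct[old] == 0:
                    del distinct[old]
            if len(distinct) >= KERBEROAST_MIN_SPNS:
                alerts.append({"rule": "kerberoasting", "user": user,
                               "detail": f"{len(distinct)} RC4 TGS requests within {KERBEROAST_WINDOW.seconds}s"})
                break                             # one alert per account is enough
    return alerts


def detect_honeytoken(events):
    """Any authentication activity for a decoy account is an alert; nothing legitimate uses it."""
    return [{"rule": "honeytoken", "user": e["user"], "detail": f"event {e['id']} on {e['host']}"}
            for e in events if e["id"] in LOGON_EVENT_IDS and e["user"].lower() in DECOY_ACCOUNTS]


def detect_encoded_powershell(events):
    """Process creation of powershell with an encoded command line (a common LOLBin pattern)."""
    return [{"rule": "encoded_powershell", "user": e["user"], "detail": e["command"]}
            for e in events if e["id"] == 4688 and "powershell" in e.get("command", "").lower()
            and ENCODED_PS.search(" " + e["command"])]


def run_rules(events):
    return detect_kerberoast(events) + detect_honeytoken(events) + detect_encoded_powershell(events)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

The Kerberoasting rule deliberately keys on RC4 tickets and a burst of distinct SPNs rather than on 4769 volume alone, because legitimate users generate 4769 events constantly; if your domain still has RC4-only service accounts, the threshold is where you tune, and moving those accounts to AES removes the cheap cracking target altogether.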

Planning for Impact – Recovery Starts Before the Attack

Even with strong defenses and controls in place, some attacks will succeed. That’s why recovery planning must begin long before an alert sounds.

Immutable backups remain the foundation. Follow the industry-standard 3-2-1 rule: keep at least three copies of critical data, on two different storage media, with one copy off-site. Make sure at least one copy is immutable, using WORM (Write Once Read Many) storage or S3 Object Lock, as CISA and the FBI advised following the Colonial Pipeline incident. And don’t just store backups – test restoration regularly against defined RTO/RPO (Recovery Time Objective/Recovery Point Objective) targets, so you know they work before you need them.

A solid incident response playbook turns strategy into action. Define roles and responsibilities ahead of time: who coordinates containment, who briefs executive leadership, who manages external communication with customers and regulators. Effective continuity plans lay out timelines, responsibilities, and recovery objectives for every core function.

Recovery itself isn’t just a technical process; it’s operational muscle memory. Real operational resilience comes from regular incident simulation, cross-functional coordination between IT, security, legal, and communications teams, and a crisis communication framework that all stakeholders understand.

Planning ahead doesn’t prevent every breach. But it does give you the best shot at bouncing back before real damage sets in.

Conclusion – What Happens Next Is What Matters

Most breaches don’t start with something dramatic. It’s usually something simpler: a missed patch. A reused password. An excessive permission in Active Directory that creates an unintended attack path. The real impact comes later. Threat actors operate methodically, moving laterally across the network with minimal noise, escalating privileges incrementally as they go.

You can’t stop every breach at the network perimeter. But you can make it harder for attackers to move once they’re inside. That means understanding the attack paths they leverage – and breaking them through proper security architecture. Cybersecurity isn’t just about prevention. It’s about implementing detection and response capabilities that contain threats before they achieve their objectives.


Gali Rahamim

Product Manager at XM Cyber
