Lateral Movement
How attackers spread through a network after gaining initial access, moving from device to device toward higher-value targets. Network segmentation and behavioral monitoring limit lateral movement.
What is Lateral Movement?
Lateral movement refers to the techniques attackers use to progressively move through a network after gaining initial access — pivoting from one compromised device to another, escalating privileges, and ultimately reaching high-value targets like domain controllers, financial systems, or OT networks. It is the phase of most attacks that determines the final scope of damage.
In flat or under-segmented networks, lateral movement requires little effort. Once inside the perimeter, an attacker can reach most devices without encountering any additional controls. This is particularly dangerous in environments that include OT or IoMT devices: an attacker who gains a foothold through a corporate email phishing attack can reach an industrial control network or medical device network without crossing any further barrier.
The attack paths behind major industrial incidents illustrate this. Industroyer and TRITON both involved significant lateral movement from IT networks into OT environments; in the Colonial Pipeline incident, a ransomware compromise of IT systems forced the operator to halt pipeline operations as a precaution while it determined whether the OT side had been reached. In healthcare, ransomware operators routinely pivot from compromised workstations through poorly segmented medical devices to reach the EMR systems that give them maximum leverage. Detecting and containing lateral movement requires both segmentation (to create barriers) and behavioral monitoring (to detect when those barriers are being probed or crossed).
Key Facts
- Breach reports have put the average time to identify an intrusion at around 207 days; that window is what attackers use for discovery and lateral movement
- 75% of major OT breaches involved lateral movement from IT networks across inadequate segmentation boundaries
- Flat networks allow attackers to reach 90%+ of assets within 3 hops from any entry point
- Behavioral detection catches lateral movement that signature-based tools miss, since the techniques usually ride on legitimate administrative protocols (SMB, RDP, WMI, WinRM, SSH) and valid credentials rather than on malware with a known signature
How ORDR Addresses Lateral Movement
ORDR detects lateral movement by monitoring device-to-device communication against established behavioral baselines. When a device initiates connections that fall outside its learned communication profile — especially connections to devices in different network zones — ORDR generates an alert and can trigger automated segmentation responses to isolate the device before the movement progresses.
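The baseline-and-deviation logic described in the two preceding passages (behavioral detection over legitimate protocols, and alerting on connections outside a device's learned profile) as an added example. This is not ORDR's code: it learns each device's normal peers from a training window of flow records, then flags any connection outside that profile, scoring cross-zone connections over common remote-administration ports highest and nominating the source device for isolation. The device names, zone assignments, port list and flow records are all constructed for the example; a real deployment would feed the same logic with NetFlow/IPFIX or SPAN-derived flows.

```python
"""Baseline-and-deviation detector for device-to-device traffic.

Added example, not vendor code. All devices, zones and flows below are
constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


# Hypothetical zone assignments (constructed).
ZONES = {
    "ws-01": "corp", "ws-02": "corp", "fileserver": "corp", "dc-01": "corp",
    "infusion-pump-7": "clinical", "emr-app": "clinical",
    "plc-03": "ot", "hmi-01": "ot",
}

# Ports of legitimate admin protocols commonly abused for lateral movement
# (assumed list; tune to the environment).
LATERAL_PORTS = {445: "SMB", 3389: "RDP", 135: "RPC/WMI",
                 5985: "WinRM", 5986: "WinRM/TLS", 22: "SSH"}

# Constructed learning window: what each device talked to during normal operation.
LEARNING_FLOWS = [
    Flow("ws-01", "dc-01", 445, "tcp"), Flow("ws-01", "dc-01", 88, "tcp"),
    Flow("ws-01", "fileserver", 445, "tcp"),
    Flow("ws-02", "dc-01", 88, "tcp"), Flow("ws-02", "fileserver", 445, "tcp"),
    Flow("infusion-pump-7", "emr-app", 443, "tcp"),
    Flow("hmi-01", "plc-03", 502, "tcp"),
]

# Constructed detection window: two known flows and three deviations.
DETECTION_FLOWS = [
    Flow("ws-01", "dc-01", 445, "tcp"),            # in profile, no alert
    Flow("infusion-pump-7", "emr-app", 443, "tcp"),  # in profile, no alert
    Flow("ws-01", "ws-02", 445, "tcp"),            # new peer, same zone, SMB
    Flow("ws-01", "hmi-01", 3389, "tcp"),          # new peer, corp -> ot, RDP
    Flow("ws-02", "fileserver", 8080, "tcp"),      # new port, same zone
]


def build_baseline(flows):
    """Per source device, the set of (dst, dport, proto) seen while learning."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[f.src].add((f.dst, f.dport, f.proto))
    return baseline


def detect(flows, baseline, zones):
    """Return one alert per flow that falls outside the source's learned profile."""
    alerts = []
    for f in flows:
        if (f.dst, f.dport, f.proto) in baseline.get(f.src, set()):
            continue  # within the learned communication profile
        src_zone = zones.get(f.src, "unknown")
        dst_zone = zones.get(f.dst, "unknown")
        cross_zone = src_zone != dst_zone
        lateral_proto = LATERAL_PORTS.get(f.dport)
        if cross_zone and lateral_proto:
            severity = "high"      # zone boundary crossed with an admin protocol
        elif cross_zone or lateral_proto:
            severity = "medium"
        else:
            severity = "low"       # new peer or port, but nothing lateral about it
        alerts.append({
            "src": f.src, "dst": f.dst, "dport": f.dport, "proto": f.proto,
            "src_zone": src_zone, "dst_zone": dst_zone, "severity": severity,
            "reason": f"new peer{' across zones' if cross_zone else ''}"
                      f"{' via ' + lateral_proto if lateral_proto else ''}",
        })
    return alerts


def devices_to_isolate(alerts, threshold="high"):
    """Source devices whose alerts reach the threshold; candidates for quarantine."""
    return {a["src"] for a in alerts if a["severity"] == threshold}


if __name__ == "__main__":
    base = build_baseline(LEARNING_FLOWS)
    for a in detect(DETECTION_FLOWS, base, ZONES):
        print(f"[{a['severity']:6}] {a['src']} ({a['src_zone']}) -> "
              f"{a['dst']}:{a['dport']} ({a['dst_zone']}): {a['reason']}")
    print("isolate:", devices_to_isolate(detect(DETECTION_FLOWS, base, ZONES)))
```

The profile key is (destination, port, protocol) so that a workstation contacting a new peer on SMB is flagged even though SMB to the domain controller is normal for it; the zone map is what turns "unusual" into "lateral", which is why the learning window must be taken from a period believed clean and why the zone assignments need to be maintained as assets are added.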