Understanding Lateral Movement in Modern Cyber Attacks

Lateral movement is one of the most critical phases in a cyber attack lifecycle. It refers to the techniques attackers use to progressively move through a network after gaining an initial foothold, searching for high-value assets such as databases, domain controllers, or sensitive file servers. Unlike a direct assault that triggers immediate alarms, lateral movement is stealthy — attackers pivot from one compromised system to another using legitimate credentials, native tools, and standard protocols. This makes it notoriously difficult to detect with traditional security controls. According to the MITRE ATT&CK framework, lateral movement encompasses over a dozen distinct techniques, each with its own indicators. Understanding these techniques and how to counter them is essential for any security team. Firewalls, when properly configured, can serve as a powerful early-warning system for lateral movement — provided you know what to look for and how to interpret the signals. This expanded guide provides a deep, actionable look at how to use firewalls to detect lateral movement effectively.

The Attack Lifecycle: Where Lateral Movement Occurs

To appreciate the role of firewalls, it helps to understand where lateral movement fits into the broader attack sequence. The lifecycle typically unfolds in stages:

  • Initial Access: The attacker breaks in through a phishing email, exploited vulnerability, or weak remote service.
  • Persistence and Privilege Escalation: Once inside, they install backdoors, steal credentials, and elevate privileges to move freely.
  • Lateral Movement: Using stolen credentials or pass-the-hash techniques, the attacker moves from the initial compromised host to other systems on the same network.
  • Data Exfiltration or Impact: After reaching the target (e.g., a database with sensitive records), the attacker extracts data or deploys ransomware.

Lateral movement is the bridge between initial breach and final objective. If you can detect and stop movement at this stage, you can prevent the most damaging outcomes. Firewalls monitoring internal (east-west) traffic can see the telltale signs of a compromised host reaching out to other internal systems in ways that deviate from normal behavior.

Common Lateral Movement Techniques Attackers Use

Attackers have a playbook of techniques for moving laterally. Each leaves behind network-level traces that firewalls can be tuned to catch. Below are the most prevalent methods:

Pass-the-Hash and Pass-the-Ticket

Attackers extract password hashes or Kerberos tickets from memory on a compromised machine and reuse them to authenticate to other systems. This technique abuses the Single Sign-On (SSO) protocols native to Windows environments. The network traffic looks like legitimate authentication traffic, but the source is a system that typically does not initiate such requests. A firewall can flag multiple authentication attempts from one host to many different servers within a short time window.

Remote Service Exploitation (PsExec, WMI, SSH, RDP)

Using tools like PsExec, Windows Management Instrumentation (WMI), or Secure Shell (SSH), attackers remotely execute commands on target machines. These tools generate specific traffic patterns — for example, PsExec uses SMB (port 445) and creates named pipe connections. Firewalls that inspect application-layer data can detect the signature of these tools even if the traffic uses allowed ports.

RDP Hijacking and Remote Desktop

Remote Desktop Protocol (RDP) is a favorite for lateral movement because it provides an interactive desktop session. Attackers use stolen credentials to connect via RDP from one internal machine to another. Unusual RDP connections — from a workstation to a server, or between machines that have no business relationship — are a red flag. Firewalls can log and alert on RDP session origins, especially when the source is a system not in the IT administration pool.

Internal Phishing and Credential Relaying

Some attackers use internal compromised hosts to send phishing messages to other employees, harvesting more credentials. While this is harder to detect at the firewall level, anomalous SMTP traffic from non-mail servers can be a clue.

Scheduled Tasks and Remote Job Execution

Attackers create scheduled tasks on remote systems to execute malicious payloads. This typically involves RPC or SMB traffic that can be detected by firewalls configured to monitor for unusual administrative activity.

How Firewalls Detect Lateral Movement: Core Mechanisms

Modern firewalls — especially Next-Generation Firewalls (NGFW) — are not limited to blocking traffic at the perimeter. They have evolved to inspect traffic within the network as well. Here are the primary detection mechanisms:

East-West Traffic Visibility

Traditional firewalls only guard the network perimeter (north-south traffic). To detect lateral movement, you need firewalls that can inspect traffic between internal segments (east-west). This is typically achieved by deploying internal firewall zones or using a segmented network architecture as recommended by NIST. By routing internal traffic through a firewall, you gain visibility into which internal IPs are talking to each other, on which ports, and at what volumes. Any deviation from the baseline can be flagged for investigation.

Stateful Inspection and Session Tracking

Firewalls keep track of active connections. If a host that typically only browses the web and checks email suddenly opens outbound SMB connections to multiple servers, the firewall can flag this as anomalous. Session tracking also reveals unusual patterns such as a single host establishing many simultaneous connections to different internal targets — a classic sign of an attacker scanning for valuable systems.

Application Layer Inspection

NGFWs can identify applications irrespective of the port they use. For example, an attacker might tunnel RDP over HTTPS to bypass a firewall rule blocking port 3389. An application-aware firewall can detect the RDP protocol inside the encrypted tunnel or recognize the signature of tools like PsExec or WinRM. This capability is essential for detecting lateral movement that hides on non-standard ports.

Behavioral and Anomaly-Based Detection

Some advanced firewalls incorporate machine learning to establish a baseline of normal traffic patterns. Once the baseline is learned, the firewall can detect unusual spikes in authentication requests, data transfers, or connection attempts. For instance, if a finance department workstation starts communicating with the domain controller dozens of times per minute, the firewall can generate an alert — even if the traffic would otherwise pass standard signature checks.

Configuring Firewalls for Lateral Movement Detection

Having the right firewall features is only half the battle. You must configure them intelligently to catch lateral movement without drowning your team in false positives. Below are specific configuration strategies:

Segment Your Network and Enforce Strict Rules

Network segmentation is the foundation. Divide your network into zones: users, servers, DMZ, management, and guest. Place firewalls between segments and enforce rules that only allow necessary traffic. For example, servers should not initiate outbound connections to workstations in most cases. If a server starts connecting to many workstations, that is a strong indicator of lateral movement. Use least-privilege rules: allow only the specific ports and protocols required for business operations, and block everything else.

Monitor Authentication Traffic

Configure firewall logging to capture authentication-related traffic such as Kerberos (UDP 88), LDAP (389), SMB (445), and RDP (3389). Create alerts for:

  • Multiple failed authentication attempts followed by a successful one (a brute-force or password spray pattern)
  • An IP address that authenticates to many different systems within a short period
  • Authentications from a host that typically does not perform such actions (e.g., a receptionist's computer connecting to a SQL Server)

Alert on Internal Port Scanning

Attackers often scan internal systems to find open ports and services. While port scanning is not always malicious, it is a common precursor to lateral movement. Configure your firewall to detect and alert on scans: a single source IP that attempts connections to multiple destination IPs on the same port within a short interval is a scanning signature. Many firewalls have built-in port scan detection modules that can be enabled.
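The two fan-out patterns described above (one source authenticating to many hosts, and one source probing many hosts on the same port) can be expressed as a single sliding-window check over firewall connection logs. The following is an added example, not code from the article or any firewall vendor; the `ts=... src=... dst=... dport=...` log format, the thresholds and the sample traffic are constructed assumptions.

```python
"""Fan-out detector over constructed firewall connection logs.

Assumed log format (constructed for this example, not any vendor's):
  ts=<ISO8601> src=<ip> dst=<ip> dport=<port> action=<allow|deny>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

AUTH_PORTS = {88, 389, 445, 3389}   # Kerberos, LDAP, SMB, RDP


def parse_line(line):
    """Turn one key=value log line into a dict; dport becomes an int."""
    f = dict(kv.split("=", 1) for kv in line.split())
    return {"ts": datetime.fromisoformat(f["ts"]), "src": f["src"],
            "dst": f["dst"], "dport": int(f["dport"])}


def detect(lines, window_s=30, scan_threshold=10, auth_threshold=5):
    """Return sorted alert tuples; one sliding window per source IP."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    recent = defaultdict(deque)          # src -> events inside the window
    alerts = set()
    for ev in events:
        q = recent[ev["src"]]
        q.append(ev)
        while (ev["ts"] - q[0]["ts"]).total_seconds() > window_s:
            q.popleft()                  # expire events older than the window
        # Port scan: one source, one port, many distinct destinations
        same_port = {e["dst"] for e in q if e["dport"] == ev["dport"]}
        if len(same_port) >= scan_threshold:
            alerts.add(("port_scan", ev["src"], ev["dport"]))
        # Auth fan-out: one source authenticating to many distinct hosts
        auth_targets = {e["dst"] for e in q if e["dport"] in AUTH_PORTS}
        if len(auth_targets) >= auth_threshold:
            alerts.add(("auth_fanout", ev["src"]))
    return sorted(alerts)


def sample_lines():
    """Constructed log: an SMB sweep, a multi-host auth spray, and a benign host."""
    t0 = datetime(2024, 5, 1, 2, 15, 0)

    def stamp(s):
        return (t0 + timedelta(seconds=s)).isoformat()
    lines = [f"ts={stamp(i)} src=10.10.20.15 dst=10.10.30.{i + 1} dport=445 action=deny"
             for i in range(12)]                      # 12 hosts on 445 in 12 s
    for i, port in enumerate([3389, 445, 88, 3389, 445, 3389]):
        lines.append(f"ts={stamp(40 + 3 * i)} src=10.10.20.40 "
                     f"dst=10.10.30.{50 + i} dport={port} action=allow")
    lines += [f"ts={stamp(100)} src=10.10.20.7 dst=10.10.30.5 dport=443 action=allow",
              f"ts={stamp(101)} src=10.10.20.7 dst=10.10.30.6 dport=443 action=allow"]
    return lines


if __name__ == "__main__":
    for alert in detect(sample_lines()):
        print(alert)
```

The thresholds are deliberately low so the constructed sample triggers; in production they should come from a baseline of the segment's normal fan-out, since backup and monitoring hosts legitimately touch many peers.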

Detect Protocol Tunneling and Encapsulation

Attackers frequently tunnel malicious traffic inside allowed protocols like HTTP, HTTPS, or DNS. An NGFW with deep packet inspection (DPI) can look inside HTTPS traffic (if you perform SSL/TLS inspection at the firewall) to detect protocol abuse. For DNS, unusual query patterns or large DNS responses can indicate DNS tunneling, which is sometimes used for command and control as well as lateral movement.

Use User and Entity Behavior Analytics (UEBA) Integrations

Many security teams integrate firewall logs with UEBA platforms that profile normal behavior for users and devices. When a user who never logs into a server suddenly connects to multiple servers via RDP, the UEBA system can trigger an alert. Firewalls that export detailed logs in standard formats (like syslog or NetFlow) make this integration seamless.

Advanced Detection: Beyond the Firewall Alone

While firewalls are indispensable, they are most effective when integrated into a broader detection ecosystem. Consider these complementary strategies:

SIEM Integration and Correlation

Send your firewall logs to a Security Information and Event Management (SIEM) solution like Splunk, Elastic, or Azure Sentinel. The SIEM can correlate firewall data with logs from endpoint detection and response (EDR) tools, Active Directory authentication logs, and vulnerability scanners. For example, a SIEM can correlate a firewall alert about an unusual SMB connection with an EDR alert showing that the source host has a suspicious process running, creating a high-fidelity incident.

Threat Intelligence Feeds

Subscribe to threat intelligence feeds that include known malicious IP addresses, domains, and hashes. Some firewalls can consume these feeds automatically and block or flag traffic from malicious sources. If a compromised internal host tries to communicate with an external command-and-control server, the firewall can block it and alert the security team immediately.

Honeypots and Deception Technology

Deploy honeypots — decoy systems that mimic real servers — within your network. Attackers performing lateral movement are likely to discover and interact with these decoys. When they do, the honeypot logs the interaction, and the firewall can provide an additional alert, especially if the attacking IP tries to connect to multiple decoys. This combination is a highly effective way to catch lateral movement early.

Real-World Examples of Lateral Movement Detection via Firewalls

To bring these concepts to life, consider a few scenarios:

  • Scenario A — SMB Scanning: A workstation infected with malware begins scanning the internal network on port 445 for vulnerable systems. The firewall detects 200 outbound connection attempts from that IP in 30 seconds and triggers a port scan alert. The security team isolates the host before the attacker can move to another machine.
  • Scenario B — RDP Jump: An attacker steals credentials from a help desk employee and uses RDP to connect to a file server. The firewall logs the RDP session from a workstation that never previously connected to that server. The SIEM correlates this with an off-hours login and escalates the alert as a potential lateral movement incident.
  • Scenario C — PsExec Abuse: An attacker uses PsExec to execute commands on a domain controller. The firewall sees the SMB named pipe traffic associated with PsExec and flags it, even though the traffic is on a standard port. The security team receives the alert within seconds and can check the endpoint logs for the malicious process.
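Scenario B, and the behavioral-baseline and UEBA sections earlier, hinge on three checks: is this a peer pair the firewall has never seen, is it RDP from a workstation zone into a server zone, and is it outside business hours. The following is an added example, not code from the article or any UEBA product; the zone prefixes, the admin jump-host list, the business-hours range and the sample flows are constructed assumptions.

```python
"""Baseline-deviation triage for east-west flows, on constructed data."""
from datetime import datetime
from ipaddress import ip_address, ip_network

ZONES = {"workstations": ip_network("10.10.20.0/24"),
         "servers": ip_network("10.10.30.0/24")}   # assumed zone layout
BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 counts as normal (assumed)
ADMIN_HOSTS = {"10.10.20.200"}         # jump hosts expected to RDP into servers


def zone_of(ip):
    addr = ip_address(ip)
    return next((n for n, net in ZONES.items() if addr in net), "unknown")


def learn_baseline(history):
    """history: (src, dst, dport) triples from a clean period -> known peer set."""
    return set(history)


def score_flow(flow, baseline):
    """Return the reasons one flow looks unusual (empty list means normal)."""
    reasons = []
    if (flow["src"], flow["dst"], flow["dport"]) not in baseline:
        reasons.append("new_peer")               # pair never seen in baseline
    if (flow["dport"] == 3389 and zone_of(flow["src"]) == "workstations"
            and zone_of(flow["dst"]) == "servers"
            and flow["src"] not in ADMIN_HOSTS):
        reasons.append("rdp_workstation_to_server")
    if flow["ts"].hour not in BUSINESS_HOURS:
        reasons.append("off_hours")
    return reasons


def triage(flows, baseline):
    """Two or more reasons together escalate; a single reason is informational."""
    out = []
    for f in flows:
        reasons = score_flow(f, baseline)
        if reasons:
            sev = "escalate" if len(reasons) >= 2 else "info"
            out.append((f["src"], f["dst"], f["dport"], sev, reasons))
    return out


BASELINE = learn_baseline([("10.10.20.55", "10.10.30.10", 445),     # help-desk PC -> file share
                           ("10.10.20.200", "10.10.30.10", 3389)])  # jump host -> file server
SAMPLE_FLOWS = [  # constructed: Scenario B's RDP jump plus two benign flows
    {"ts": datetime(2024, 5, 1, 23, 40), "src": "10.10.20.55", "dst": "10.10.30.10", "dport": 3389},
    {"ts": datetime(2024, 5, 1, 10, 5), "src": "10.10.20.55", "dst": "10.10.30.10", "dport": 445},
    {"ts": datetime(2024, 5, 1, 22, 0), "src": "10.10.20.200", "dst": "10.10.30.10", "dport": 3389},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FLOWS, BASELINE):
        print(row)
```

The help-desk workstation's off-hours RDP session to a server it has only ever reached over SMB collects all three reasons and escalates, while the jump host's late RDP session is merely informational.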

Challenges and Limitations of Firewall-Based Detection

No detection method is perfect. Firewalls face specific challenges when detecting lateral movement:

Encrypted Traffic

Modern malware and attackers increasingly use encryption to evade detection. If a firewall cannot inspect the contents of encrypted traffic, it must rely on metadata — source IP, destination IP, port, and timing. This reduces detection fidelity. SSL/TLS inspection is a solution, but it requires careful implementation to avoid breaking legitimate traffic and must comply with privacy regulations.

Living-Off-the-Land (LoTL) Attacks

Attackers often use native tools like PowerShell, WMI, or scheduled tasks that generate traffic indistinguishable from normal administrative activity. Firewalls may not distinguish between a legitimate IT admin running a remote command and an attacker doing the same. This is where behavioral baselines and UEBA tools become critical, as they can detect deviations from normal patterns even if the tools are the same.

False Positives

Aggressive detection rules can generate a high volume of false positives, leading to alert fatigue. For example, legitimate IT management traffic — such as backup software, patch management tools, or monitoring agents — can look like lateral movement. It is essential to whitelist known good traffic sources and review alerts carefully before tuning rules.

Single-Point Evasion

A skilled attacker who knows your firewall rules can try to evade detection by using ports and protocols that are allowed, or by spreading their activities across a longer time window. This underscores the need for a layered defense that combines firewalls with endpoint detection, authentication monitoring, and behavior analytics.

Best Practices for Using Firewalls to Detect Lateral Movement

Drawing on the above, here is a consolidated set of best practices:

  • Segment your network: Place firewalls between segments and enforce strict east-west traffic rules. Microsegmentation using virtual firewalls can further isolate critical systems.
  • Enable application-layer inspection: Use NGFW features to identify applications and protocols regardless of port number.
  • Monitor authentication traffic: Log and alert on Kerberos, LDAP, SMB, RDP, and other administrative protocols. Look for patterns like multiple failed logins, cross-segment authentication, and off-hours activity.
  • Detect scanning behavior: Enable port scan detection and set thresholds that trigger alerts without overwhelming the team.
  • Integrate with SIEM and UEBA: Correlate firewall data with other sources to improve detection fidelity and reduce false positives.
  • Use threat intelligence: Feed known malicious indicators into your firewall to block or flag traffic from compromised sources.
  • Conduct regular traffic baseline reviews: Analyze your firewall logs monthly to identify changes in normal traffic patterns that could indicate an undetected presence.
  • Deploy honeypots strategically: Place decoy systems in segments where lateral movement is most likely to occur.
  • Test your detection: Simulate lateral movement scenarios (with permission) to verify that your firewall rules and alerts produce the expected results. The SANS Institute offers guidance on developing detection exercises.
  • Train your team: Ensure analysts understand the indicators of lateral movement and how to differentiate them from legitimate administrative activity.

Conclusion: Firewalls as a Cornerstone of Lateral Movement Detection

Lateral movement remains one of the most challenging attack stages to detect, precisely because attackers use the same tools and protocols that organizations rely on for daily operations. Firewalls, when thoughtfully configured and integrated into a layered security architecture, can provide a powerful line of defense. By monitoring east-west traffic, inspecting application-layer data, and correlating with other security tools, firewalls can catch the subtle signals of an attacker trying to move through your network. The key is to move beyond a perimeter-only mindset and treat firewalls as internal sensors that complement endpoint detection, authentication monitoring, and user behavior analytics. With the right configuration and continuous tuning, your firewall becomes not just a gatekeeper but a vigilant observer that alerts you to the earliest signs of compromise. In a landscape where breaches are inevitable, detecting lateral movement quickly can mean the difference between a contained incident and a full-scale data breach. Use the strategies in this article to harden your defenses and keep attackers from reaching their destination.