Speedy threat actors improving their lateral movement

CrowdStrike notes one attack that began lateral movement in 51 seconds.

Nadla/Getty Images

Like trident-wielding weatherman Ron Burgundy, threat actors are escalating quickly.

In CrowdStrike’s annual threat report, released last week, average “breakout time” in 2024—what the security company defines as “how long it takes for an adversary to move laterally across a network”—reached a speedy 48 minutes. (One threat actor, the report noted, took just 51 seconds to move from one initial compromised machine to another.)

“They’re iterating faster than many of the enterprises that they’re targeting,” CrowdStrike’s Adam Meyers, SVP of counter adversary operations, told reporters on Feb. 24.

In 2023, according to CrowdStrike’s previous report, attackers moved from one network machine to another in 62 minutes, on average.

Lat’s not funny. Lateral movement refers to a threat actor’s progression from one host to another, with the goal of compromising increasingly sensitive credentials and accounts.

Cybersecurity company ReliaQuest released its own report regarding network machine-hopping and also found that attackers gained initial access and moved laterally within 48 minutes on average, noting one instance of data exfiltration “in as little as 4 hours.” The study cited two top tactics supporting the effort.

  • Remote Desktop Protocol: Attackers have found ways to use the legitimate IT tool to “discreetly move between systems blending into regular network activity without triggering alarms that malware might,” according to ReliaQuest’s 2025 threat report.
  • Internal spear phishing: This technique, largely on the rise due to availability of phishing kits, compromises a user account and sends phishing emails throughout an org, potentially compromising multiple accounts at once.
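The "breakout time" both reports measure, and the RDP hopping ReliaQuest describes, are things a defender can compute from ordinary Windows logon telemetry. The following Python is an added illustration, not code from CrowdStrike, ReliaQuest or the article: it runs over a handful of constructed log records shaped loosely like Windows Security event 4624 (successful logon; logon type 10 is RemoteInteractive, i.e. RDP), derives each account's breakout time as the gap between its first logon and its first RDP logon onto a different host, and flags accounts that reach two or more distinct hosts over RDP inside the 48-minute window the reports cite. The event fields, hostnames, addresses and timestamps are invented for the example.

```python
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample records modelled loosely on Windows Security event 4624
# (successful logon) and 4625 (failed logon). logon_type 10 = RemoteInteractive
# (RDP). None of these values come from the article; they are made up here.
SAMPLE_EVENTS = [
    {"ts": "2025-02-20T09:00:00", "event_id": 4624, "logon_type": 2,  "user": "j.doe",  "host": "WS-101",  "src_ip": "-"},
    {"ts": "2025-02-20T09:00:51", "event_id": 4624, "logon_type": 10, "user": "j.doe",  "host": "WS-117",  "src_ip": "10.0.1.101"},
    {"ts": "2025-02-20T09:31:20", "event_id": 4624, "logon_type": 10, "user": "j.doe",  "host": "FIN-SRV", "src_ip": "10.0.1.117"},
    {"ts": "2025-02-20T08:30:00", "event_id": 4624, "logon_type": 2,  "user": "a.lee",  "host": "WS-204",  "src_ip": "-"},
    {"ts": "2025-02-20T13:45:00", "event_id": 4624, "logon_type": 10, "user": "a.lee",  "host": "WS-204",  "src_ip": "10.0.2.50"},
    {"ts": "2025-02-20T10:00:00", "event_id": 4625, "logon_type": 10, "user": "svc-bk", "host": "DB-01",   "src_ip": "10.0.3.9"},
]

RDP_LOGON_TYPE = 10
SUCCESSFUL_LOGON = 4624
# The average breakout time both reports cite; used as the detection window.
DEFAULT_WINDOW = timedelta(minutes=48)


def parse_ts(s):
    return datetime.fromisoformat(s)


def sorted_logons(events, user=None):
    """Successful logons (4624) in time order, optionally for a single user."""
    out = [e for e in events if e["event_id"] == SUCCESSFUL_LOGON
           and (user is None or e["user"] == user)]
    return sorted(out, key=lambda e: parse_ts(e["ts"]))


def rdp_hops(events):
    """Per user, the ordered list of (time, host) for successful RDP logons."""
    hops = defaultdict(list)
    for e in sorted_logons(events):
        if e["logon_type"] == RDP_LOGON_TYPE:
            hops[e["user"]].append((parse_ts(e["ts"]), e["host"]))
    return hops


def breakout_time(events, user):
    """Seconds from the user's first successful logon to the first RDP logon
    onto a *different* host. Returns None if the user never hops hosts."""
    first = None
    for e in sorted_logons(events, user):
        t = parse_ts(e["ts"])
        if first is None:
            first = (t, e["host"])
            continue
        if e["logon_type"] == RDP_LOGON_TYPE and e["host"] != first[1]:
            return (t - first[0]).total_seconds()
    return None


def flag_fast_movers(events, window=DEFAULT_WINDOW, min_hosts=2):
    """Users who reach at least `min_hosts` distinct hosts over RDP within
    `window` of their first RDP logon. Returns {user: [hosts in order]}."""
    flagged = {}
    for user, hops in rdp_hops(events).items():
        start = hops[0][0]
        hosts = []
        for t, host in hops:
            if t - start <= window and host not in hosts:
                hosts.append(host)
        if len(hosts) >= min_hosts:
            flagged[user] = hosts
    return flagged


if __name__ == "__main__":
    for user in ("j.doe", "a.lee", "svc-bk"):
        print(user, "breakout seconds:", breakout_time(SAMPLE_EVENTS, user))
    print("fast movers:", flag_fast_movers(SAMPLE_EVENTS))
```

In the constructed data, `j.doe` logs on interactively and 51 seconds later appears over RDP on a second host, then a finance server half an hour after that, so the account is flagged; `a.lee` only RDPs back to the same workstation, and `svc-bk`'s attempt failed, so neither is. Real deployments would read 4624 events from a SIEM rather than a list, and a single RDP session between two workstations is ordinarily benign, which is exactly why the article's sources describe RDP as "blending into regular network activity": the signal here is the rate and breadth of host-to-host movement per account, not any single logon.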
Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

ReliaQuest, in a separate Feb. 20 blog post, revealed details of a manufacturing sector attack that involved email-spam attacks, help-desk impersonation, and social engineering that led to the download of the remote-access Quick Assist tool, and then a “C2,” or command-and-control, connection between the target and the attacker—a chain of events that took, you guessed it, 48 minutes.

RTO-no. As employers like Amazon, AT&T, and JP Morgan have announced that it’s time for their employees to head back into the office, and as executive orders have made similar mandates, lateral movers and shakers may appreciate everyone being in one place.

Daniel Spicer, VP and CSO at IT software company Ivanti, sees return-to-office mandates allowing threat actors to return-to-playbook for a classic maneuver: compromising one user in a network and then moving to other users, like a finance-team member or IT pro, for better and better credentials.

Remote work presents challenges for faraway IT teams, but lateral movement isn’t necessarily one of them, according to Spicer, when at-home employees have their own separate network.

“You’re kind of insulated from that attack vector. It’s a lot harder to jump from an individual contributor workstation to another individual contributor workstation,” Spicer said.