Attackers against large enterprises typically begin at the network edge, such as end-user devices, and move toward data center resources, such as web servers or database servers, that are reachable from the end-user devices over network connections. This kind of network breach is referred to as breach by lateral movement. An attacker may move from the point of incursion to other computers where sensitive data or services are exposed.
For example, a lateral movement by an attacker is possible after the attacker identifies existing network mounts or application connections on a compromised end-user device. The attacker may notice that the user connects to a web application that accesses data the attacker is interested in. The attacker may then move laterally to the web server and compromise it. The web server has access to a backend database, which the attacker may identify from the web server's connection information and/or configuration, such as a stored connection string. Using that information, the attacker may then connect to or exploit the backend database server and access the sensitive data.
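The chain described above (end-user device to web server to backend database) can be enumerated from ordinary connection telemetry, which is how a defender would measure the exposure before an attacker rides it. The following is an added example written for this page, not code from the original text or from any product it describes. It assumes that host roles are known from an asset inventory and that connection records are available as (source, destination, port) tuples; the inventory and connection records below are constructed sample data.

```python
"""Enumerate lateral-movement paths from end-user devices to database servers.

Added example, not part of the original text. It models the attack chain the
passage describes: an attacker on an end-user device pivots to a web server the
user connects to, then uses the web server's own connection to reach the
backend database. Host roles and connection records are constructed sample data.
"""
from collections import defaultdict

# Constructed inventory: host -> role. Assumption: roles come from asset/CMDB data.
ROLES = {
    "laptop-01": "end-user",
    "laptop-02": "end-user",
    "web-01": "web-server",
    "web-02": "web-server",
    "db-01": "database",
    "files-01": "file-server",
}

# Constructed connection records (src, dst, dst_port). Each is an observed network
# connection that an attacker on the source host could reuse as a pivot.
CONNECTIONS = [
    ("laptop-01", "web-01", 443),
    ("laptop-01", "files-01", 445),
    ("laptop-02", "web-02", 443),
    ("web-01", "db-01", 5432),
    ("web-02", "db-01", 5432),
    ("files-01", "laptop-02", 445),
]


def build_graph(connections):
    """Directed adjacency: src -> set of hosts it is observed connecting to."""
    graph = defaultdict(set)
    for src, dst, _port in connections:
        graph[src].add(dst)
    return graph


def lateral_paths(graph, roles, start_role="end-user", target_role="database", max_hops=4):
    """Return every simple path (no repeated host) from a start_role host to a
    target_role host, stopping at the first target reached and at max_hops."""
    paths = []

    def walk(node, path):
        if len(path) - 1 > max_hops:
            return
        if roles.get(node) == target_role and len(path) > 1:
            paths.append(list(path))
            return
        for nxt in sorted(graph.get(node, ())):
            if nxt not in path:  # simple paths only
                walk(nxt, path + [nxt])

    for host, role in roles.items():
        if role == start_role:
            walk(host, [host])
    return paths


def exposure_by_target(paths):
    """For each target host, count how many distinct edge hosts can reach it."""
    reach = defaultdict(set)
    for p in paths:
        reach[p[-1]].add(p[0])
    return {target: len(sources) for target, sources in reach.items()}


if __name__ == "__main__":
    g = build_graph(CONNECTIONS)
    found = lateral_paths(g, ROLES)
    for p in found:
        print(" -> ".join(p))
    print(exposure_by_target(found))
```

On the constructed data this reports two direct two-hop paths (laptop-01 via web-01, laptop-02 via web-02) plus a longer four-hop path through the file server, and shows that db-01 is reachable from both end-user devices. Lowering `max_hops` prunes the longer path, which is a useful way to separate the obvious pivots from the indirect ones.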
In view of the foregoing, it may be understood that there may be significant data security risks associated with attackers' lateral movements.