The set of techniques by which an adversary, having achieved an initial foothold, traverses across systems, accounts, networks, or trust boundaries to reach a higher-value target. Lateral movement is the principal multiplier of incident severity: containment that interrupts movement reduces a near-incident to an audit finding, while failure to interrupt movement converts a contained event into a federation-disclosable breach. The federation requires that detection and containment of lateral movement be specifically rehearsed in tabletop exercises at least annually.
Originated in military doctrine; formalised in cybersecurity through the MITRE ATT&CK framework in the mid-2010s.
Federation members must publish lateral-movement detection coverage across identity, network, and process planes. Coverage gaps in any plane are reported as findings under TGS-002:1.7 and may block accreditation.
@misc{ifo4_glossary_lateral_movement,
title = {{Lateral Movement}},
author = {{IFO4 Federation Editorial Board}},
howpublished = {{IFO4 Federation Glossary, slug \texttt{lateral-movement}}},
year = {2026},
url = {https://ifo4.org/glossary/lateral-movement},
note = {Category: SecOps; key: LateralMovement}
}
Federation members and accredited practitioners may challenge any entry under TGS-002:1.7. Filed challenges are routed to the editorial board, triaged into the revision register, and resolved in writing on the public docket. The slug remains stable through any revision.