See the Unseen: Detect Lateral Movement Within Encrypted Traffic
January 15, 2026
EDR and firewalls are essential, but they are often overestimated and treated as a complete security backstop by organizations of all sizes.
According to a new paper from IDC*, these legacy tools are effectively blind to the highly evasive, multi-stage campaigns that define today's threat landscape.
Driving this trend is the weaponization of compromised credentials. When an adversary logs in with a stolen credential, they look to traditional defenses like a trusted user. Because the authentication succeeds and the session appears valid, security tools stop scrutinizing it, and the attacker operates under cover of a verified session.
An Inside Job
Once inside, an adversary uses that trusted identity to move laterally, observing the network, escalating privileges, and speeding towards high-value data.
IDC notes that lateral movement is the most difficult phase of an attack to detect because it’s cloaked in protocols that facilitate legitimate activity.
This stealth allows threat actors to maximize dwell time, staying hidden for weeks, months, or years, while they prepare to exfiltrate data and launch ransomware.
The Mask of Encryption
A primary cloaking technique is the abuse of encryption to mask an attacker’s efforts.
According to the IDC Spotlight, “The truth is that business networks continue to scale horizontally. By default, internet browsers will only allow encrypted traffic. The dilemma is providing visibility of packets without introducing latencies or violating zero trust principles.”
This creates a pervasive blind spot that makes it very difficult to distinguish a legitimate user from malicious protocol abuse. To close this gap, organizations need a way to see inside packets without trading security for network performance.
Reclaiming Ground Truth
Detecting lateral movement requires a shift from analyzing limited metadata to capturing, analyzing, and retaining full network traffic. Closing the visibility gap requires decrypting and decoding protocols at scale to expose active breaches that traditional tools miss. In practice, passive decryption of modern TLS means the sensor must obtain session keys from the endpoints, because forward-secret ciphersuites leave nothing recoverable from the wire alone.
By merging network intelligence with identity analytics, security teams move beyond surface-level observations to identify the subtle behavioral shifts and anomalous usage that signal an attack: an identity that suddenly reaches hosts it has never touched, over administrative protocols, at an unusual hour. This high-fidelity approach lets teams spot threats as they emerge and act before damage is done.
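As an added illustration of what "merging network intelligence with identity analytics" can mean in practice (this is example code written for this page, not code from the IDC paper or from ExtraHop's product), the script below correlates flow records with the identity that authenticated on them, builds a per-identity baseline of destination hosts, and alerts when an identity fans out to several never-before-seen hosts within a short window. It assumes the sensor has already attributed each flow to an identity (for example by decoding the Kerberos or SMB session); the records, host names, window and threshold are constructed for the example.

```python
"""Toy lateral-movement detector: identity-aware fan-out to new hosts.

Added example for this page; not ExtraHop or IDC code.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not taken from the page). Each tuple is a flow
# the sensor attributed to an authenticated identity:
# (timestamp, identity, source host, destination host, protocol)
SAMPLE_FLOWS = [
    ("2026-01-10T09:00:00", "alice", "ws-17", "fileserver-01", "SMB"),
    ("2026-01-10T09:05:00", "alice", "ws-17", "mail-01", "HTTPS"),
    ("2026-01-11T09:02:00", "alice", "ws-17", "fileserver-01", "SMB"),
    ("2026-01-12T09:01:00", "alice", "ws-17", "mail-01", "HTTPS"),
    # Incident day: the same identity reaches several new hosts over
    # admin protocols within a few minutes, at 02:00.
    ("2026-01-15T02:10:00", "alice", "ws-17", "db-03", "RDP"),
    ("2026-01-15T02:11:30", "alice", "ws-17", "dc-01", "SMB"),
    ("2026-01-15T02:12:10", "alice", "ws-17", "build-02", "WinRM"),
    ("2026-01-15T02:13:00", "alice", "ws-17", "hr-share", "SMB"),
    # A single new host during business hours should not alert on its own.
    ("2026-01-15T10:30:00", "bob", "ws-42", "wiki-01", "HTTPS"),
]

# Assumed cutoff separating "history" from "today" for the example.
BASELINE_CUTOFF = datetime(2026, 1, 15)


def build_baseline(flows, before):
    """Map each identity to the destination hosts it reached before `before`."""
    seen = defaultdict(set)
    for ts, identity, _src, dst, _proto in flows:
        if datetime.fromisoformat(ts) < before:
            seen[identity].add(dst)
    return seen


def detect_fanout(flows, baseline, window=timedelta(minutes=10), threshold=3):
    """Alert when an identity reaches >= `threshold` distinct hosts that are
    absent from its baseline within any `window`-long sliding interval.

    Returns a list of (identity, first_timestamp_iso, sorted_new_hosts).
    """
    new_host_events = defaultdict(list)
    for ts, identity, _src, dst, proto in flows:
        if dst not in baseline.get(identity, set()):
            new_host_events[identity].append((datetime.fromisoformat(ts), dst, proto))

    alerts = []
    for identity, events in new_host_events.items():
        events.sort()
        for i, (t0, _dst, _proto) in enumerate(events):
            hosts = {d for t, d, _p in events[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                alerts.append((identity, t0.isoformat(), sorted(hosts)))
                break  # one alert per identity is enough for this example
    return alerts


def run_example():
    """Run the detector over the constructed sample and return its alerts."""
    baseline = build_baseline(SAMPLE_FLOWS, BASELINE_CUTOFF)
    return detect_fanout(SAMPLE_FLOWS, baseline)


if __name__ == "__main__":
    for identity, first_seen, hosts in run_example():
        print(f"ALERT {identity} at {first_seen}: new hosts {', '.join(hosts)}")
```

The point of the baseline is that neither the flows nor the logins are suspicious in isolation: each SMB or RDP session is a valid, authenticated exchange. Only the combination of a known identity, a burst of previously unseen destinations, and administrative protocols separates the incident-day activity from alice's normal pattern, which is why network telemetry has to be joined to identity before this kind of behavioral shift becomes visible.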
*IDC Spotlight, sponsored by ExtraHop, Lateral Movement No Longer Has to Remain Invisible, doc #US54020325, December 2025
Expose the Invisible
To learn how to stop attackers from exploiting encrypted traffic and identities, register now for our upcoming webinar with IDC's Security & Trust Research Vice President, Chris Kissel. To comprehensively secure your organization's network against hidden threats, access the IDC Spotlight.

ExtraHop is on a mission to arm security teams to confront active threats and stop breaches. Our RevealX™ 360 platform, powered by cloud-scale AI, covertly decrypts and analyzes all cloud and network traffic in real time to eliminate blind spots and detect threats that other tools miss. Sophisticated machine learning models are applied to petabytes of telemetry collected continuously, helping ExtraHop customers to identify suspicious behavior and secure over 15 million IT assets, 2 million POS systems, and 50 million patient records. ExtraHop is a market share leader in network detection and response with 30 recent industry awards including Forbes AI 50, Cybercrime Ransomware 25, and SC Media Security Innovator.