As you mount your defense against the bad guys, it's important to distinguish between the two major stages of an attack: the initial compromise and the movement that follows it.
The initial compromise is simply the break-in. Movement, however, can go in two different "directions": horizontal or vertical. Moving horizontally means the attacker is shifting between computers of similar roles (client to client, server to server); vertical movement means the attacker is maneuvering between different roles (client to server to domain controller). In today's terminology, horizontal movement is what most people call lateral movement, and vertical movement toward the domain controller usually goes hand in hand with privilege escalation.
After the initial compromise, the attacker doesn't necessarily need to move, but movement is fairly common among today's sophisticated attackers. Even malware is on the move, often spreading to other network shares and computers and attempting to guess additional passwords along the way.
It's important to recognize the distinction between these two stages and plan accordingly. Preventing the initial compromise is the more valuable goal, but you also want to slow down or stop movement once an attacker is inside, because that is where a single compromised client turns into a compromised domain.
Traditionally, computer attacks are described by the method used, such as password attack, eavesdropping, session compromise, and so on. But you need to examine these threats in light of the stage at which they're most likely to be used.
For example, with password attacks, outright password guessing is most useful for the initial compromise. Using and abusing password hashes, by contrast, is far more likely to succeed as a means of movement after the original compromise, since the attacker already has a foothold from which to harvest them. Social engineering is mostly an initial compromise technique, whereas keylogging is mostly used for moving around. Some hacking techniques can serve both stages; session hijacking, for example, can be used for the initial compromise, but it often demands already acquired insider access to accomplish.
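The distinction above (guessing for the break-in, hash or credential reuse for movement, and horizontal versus vertical hops) is easier to act on when it is written down as detection logic. The following Python is an added example, not code from the original article: it runs over a handful of constructed logon records whose shape loosely mirrors Windows Security events 4624 (successful logon) and 4625 (failed logon) with logon type 3 (network), labels each successful hop as horizontal or vertical from an assumed host-role inventory, and then decides whether a source host looks like an outside password guesser, an inside credential reuser, or a normal user. The host names, roles, field names and thresholds are all assumptions for the example.

```python
from collections import defaultdict

# Constructed, simplified logon records (sample data, not real logs). Each record
# loosely mirrors a Windows Security event: 4624 = successful logon, 4625 = failed
# logon, logon type 3 = network logon. Field names are this example's own.
EVENTS = [
    # An outside address trying one password against many accounts on the mail
    # server (guessing/spraying, the initial-compromise pattern).
    {"id": 4625, "src": "203.0.113.7", "dst": "mail01", "user": "alice", "type": 3},
    {"id": 4625, "src": "203.0.113.7", "dst": "mail01", "user": "bob", "type": 3},
    {"id": 4625, "src": "203.0.113.7", "dst": "mail01", "user": "carol", "type": 3},
    {"id": 4625, "src": "203.0.113.7", "dst": "mail01", "user": "dave", "type": 3},
    {"id": 4625, "src": "203.0.113.7", "dst": "mail01", "user": "erin", "type": 3},
    # A compromised workstation reusing one service account's credential (for
    # instance a stolen hash) against many hosts with no failures: movement.
    {"id": 4624, "src": "ws01", "dst": "ws02", "user": "svc_backup", "type": 3},
    {"id": 4624, "src": "ws01", "dst": "ws03", "user": "svc_backup", "type": 3},
    {"id": 4624, "src": "ws01", "dst": "fs01", "user": "svc_backup", "type": 3},
    {"id": 4624, "src": "ws01", "dst": "dc01", "user": "svc_backup", "type": 3},
    # Ordinary user activity: one typo, then a successful file-server logon.
    {"id": 4625, "src": "ws02", "dst": "fs01", "user": "bob", "type": 3},
    {"id": 4624, "src": "ws02", "dst": "fs01", "user": "bob", "type": 3},
]

# Hypothetical role inventory for the hosts in the sample. Anything not listed
# is treated as outside the environment.
ROLES = {
    "ws01": "client", "ws02": "client", "ws03": "client",
    "fs01": "server", "mail01": "server",
    "dc01": "domain controller",
}


def movement_direction(src, dst, roles=ROLES):
    """Label a hop the way the article does: same role = horizontal, different
    role = vertical. A hop from an unknown (outside) host is not movement."""
    if src not in roles:
        return "external"
    return "horizontal" if roles[src] == roles.get(dst) else "vertical"


def classify_sources(events, roles=ROLES, guess_threshold=5, spread_threshold=3):
    """Summarise each source host and decide which pattern it fits.

    password guessing: at least guess_threshold failures and no successes
    credential reuse:  successful network logons to at least spread_threshold
                       distinct hosts with a single account and at most one failure
    normal:            anything else
    """
    stats = defaultdict(lambda: {"failures": 0, "hosts": set(), "users": set(), "directions": set()})
    for ev in events:
        s = stats[ev["src"]]
        if ev["id"] == 4625:
            s["failures"] += 1
        elif ev["id"] == 4624 and ev["type"] == 3:
            s["hosts"].add(ev["dst"])
            s["users"].add(ev["user"])
            s["directions"].add(movement_direction(ev["src"], ev["dst"], roles))

    report = {}
    for src, s in stats.items():
        if s["failures"] >= guess_threshold and not s["hosts"]:
            verdict = "password guessing"
        elif len(s["hosts"]) >= spread_threshold and len(s["users"]) == 1 and s["failures"] <= 1:
            verdict = "credential reuse"
        else:
            verdict = "normal"
        report[src] = {
            "verdict": verdict,
            "failures": s["failures"],
            "hosts": sorted(s["hosts"]),
            "directions": sorted(s["directions"]),
        }
    return report


if __name__ == "__main__":
    for src, r in classify_sources(EVENTS).items():
        print(f"{src:14} {r['verdict']:18} failures={r['failures']} hosts={r['hosts']} {r['directions']}")
```

The point of the two verdicts is that the same event source (logon records) is read differently depending on the stage: a pile of failures from an unknown address is the break-in attempt, while a clean fan-out of one account across several internal hosts, especially when it crosses from client to server to domain controller, is the movement the article warns about. Real deployments would tune the thresholds and add a time window, which the example deliberately leaves out.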