Much of the focus in cybersecurity is placed on preventing initial access.
But what happens after an attacker gains entry often determines the actual impact of a breach.
Once inside a network, attackers typically follow a sequence:
Each step builds on the previous one.
Unlike initial access, which may produce external indicators (unfamiliar infrastructure, malicious payloads), internal movement often relies on legitimate administrative tools and valid credentials.
Examples include:
Because these tools are part of normal operations, distinguishing malicious activity from routine administration becomes much harder.
Traditional detection methods rely on identifying known threats: signatures, hashes and other indicators of previously seen malware.
Internal movement, however, often involves no known malware at all, only valid credentials used in ways they should not be.
Detection therefore depends on recognizing unusual behavior patterns rather than known-bad artifacts.
This may include:
Taken individually, these events may appear harmless: each one is a successful logon or a normal tool execution.
But when viewed together, in sequence and across hosts, they can reveal a pattern.
For example:
Correlation across systems is essential for identifying these patterns, because no single host sees the whole sequence.
Understanding what is "normal" for an environment is critical: which accounts log on to which hosts, from where, and at what times.
Without this baseline, an anomaly is indistinguishable from routine activity.
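The two points above, correlating individually harmless events across hosts and judging them against a baseline of what is normal for each account, can be shown together in a small detection script. The following is an added example, not code from the original page, and it runs over constructed logon records rather than any real log format. The field names (`host`, `user`, `src`, `result`), the account and host names, the 10-minute window and the 3-host threshold are all assumptions chosen for illustration.

```python
"""Correlate successful logons per account across hosts and compare them with a
per-account baseline of the hosts that account normally reaches.
Added example with constructed data; not taken from any real environment."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed "learning period" events: what normal looks like for each account.
BASELINE_LOG = """\
2024-03-01T09:00:05 host=WS-ALICE user=alice src=10.0.1.50 result=success
2024-03-01T09:02:10 host=FS-01 user=alice src=10.0.1.50 result=success
2024-03-01T13:15:00 host=WS-ALICE user=alice src=10.0.1.50 result=success
2024-03-01T10:00:00 host=FS-01 user=svc-backup src=10.0.2.9 result=success
2024-03-01T10:00:03 host=HR-DB user=svc-backup src=10.0.2.9 result=success
2024-03-01T10:00:06 host=BUILD-02 user=svc-backup src=10.0.2.9 result=success
2024-03-01T10:00:09 host=DC-01 user=svc-backup src=10.0.2.9 result=success
"""

# Constructed "live" events. Every line is a valid logon on its own; only the
# combination (one account fanning out to hosts it never used before) is odd.
LIVE_LOG = """\
2024-03-02T22:01:00 host=WS-ALICE user=alice src=10.0.1.50 result=success
2024-03-02T22:03:30 host=FS-01 user=alice src=10.0.1.50 result=success
2024-03-02T22:04:12 host=HR-DB user=alice src=10.0.1.50 result=success
2024-03-02T22:05:40 host=DC-01 user=alice src=10.0.1.50 result=success
2024-03-02T22:06:02 host=BUILD-02 user=alice src=10.0.1.50 result=success
2024-03-02T22:00:00 host=FS-01 user=svc-backup src=10.0.2.9 result=success
2024-03-02T22:00:03 host=HR-DB user=svc-backup src=10.0.2.9 result=success
2024-03-02T22:00:06 host=BUILD-02 user=svc-backup src=10.0.2.9 result=success
2024-03-02T22:00:09 host=DC-01 user=svc-backup src=10.0.2.9 result=success
2024-03-02T22:10:00 host=FS-01 user=bob src=10.0.1.77 result=success
2024-03-02T22:11:00 host=HR-DB user=bob src=10.0.1.77 result=failure
"""


def parse_events(text):
    """Turn 'timestamp key=value ...' lines into dicts, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events):
    """Per account: the set of hosts it successfully reached during learning."""
    baseline = defaultdict(set)
    for ev in events:
        if ev["result"] == "success":
            baseline[ev["user"]].add(ev["host"])
    return baseline


def detect_fanout(events, baseline, window=timedelta(minutes=10), threshold=3):
    """Alert when one account reaches >= threshold distinct hosts inside `window`
    and at least one of them is outside that account's baseline. Returns the
    widest such window per account, so one fan-out yields one alert."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["result"] == "success":          # failures are left to other rules
            by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        known = baseline.get(user, set())
        best = None
        for i, start in enumerate(evs):
            hosts = set()
            for ev in evs[i:]:                 # evs is time-ordered
                if ev["ts"] - start["ts"] > window:
                    break
                hosts.add(ev["host"])
            new_hosts = sorted(hosts - known)
            if len(hosts) >= threshold and new_hosts:
                if best is None or len(hosts) > len(best["hosts"]):
                    best = {"user": user, "start": start["ts"].isoformat(),
                            "hosts": sorted(hosts), "new_hosts": new_hosts}
        if best is not None:
            alerts.append(best)
    return alerts


def run_example():
    baseline = build_baseline(parse_events(BASELINE_LOG))
    return detect_fanout(parse_events(LIVE_LOG), baseline)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Only `alice` produces an alert: five hosts in six minutes, three of them never seen for that account. `svc-backup` touches four hosts in ten seconds but every one is in its baseline, and `bob` reaches a single new host, which is below the threshold. Neither the threshold nor the baseline alone would separate these cases; the correlation across hosts plus the per-account context does.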
Effective detection requires:
The earlier movement is detected, the fewer systems and credentials are involved and the easier it is to contain.
Delays allow attackers to expand their access, and every additional host and account reached increases the impact.
This reinforces the importance of: