Lateral Movement Attacks: How Indian Enterprises Can Detect and Contain Intruders Before They Reach Your Crown Jewel Assets

  • Home
  • Lateral Movement Attacks: How Indian Enterprises Can Detect and Contain Intruders Before They Reach Your Crown Jewel Assets
Lateral Movement Attacks: How Indian Enterprises Can Detect and Contain Intruders Before They Reach Your Crown Jewel Assets
Lateral Movement Attacks: How Indian Enterprises Can Detect and Contain Intruders Before They Reach Your Crown Jewel Assets
Lateral Movement Attacks: How Indian Enterprises Can Detect and Contain Intruders Before They Reach Your Crown Jewel Assets
Lateral Movement Attacks: How Indian Enterprises Can Detect and Contain Intruders Before They Reach Your Crown Jewel Assets
Lateral Movement Attacks: How Indian Enterprises Can Detect and Contain Intruders Before They Reach Your Crown Jewel Assets

Most Indian enterprise security teams spend the majority of their budget and attention on perimeter defences — firewalls, antivirus, email gateways. Yet a growing body of incident-response data tells a different story: the most damaging breaches in 2025 and 2026 are not happening at the perimeter. They are happening inside the network, often weeks or months after the initial compromise, as attackers quietly move from one system to the next in search of high-value targets.

This technique — called lateral movement — is now the defining characteristic of advanced persistent threats (APTs), ransomware groups, and nation-state actors targeting Indian enterprises. Understanding it, and building controls to detect and contain it, is one of the highest-leverage investments a CISO can make today.

What Is Lateral Movement — and Why Does It Matter for Indian Enterprises?

Lateral movement refers to the techniques attackers use to progressively move through a network after establishing an initial foothold. The attacker typically gains access through a phishing email, a vulnerable internet-facing service, or a compromised third-party credential. But that initial beachhead is rarely their target. Instead, they pivot — hopping from workstation to server to database — until they reach the systems that matter most: financial records, customer PII, intellectual property, or domain controllers that give them control of the entire Active Directory environment.

For Indian enterprises, the stakes are particularly high for several reasons:

  • DPDP Act liability: The Digital Personal Data Protection Act 2023 imposes significant penalties for data breaches. A successful lateral movement campaign that reaches a customer database can trigger both CERT-In’s 6-hour reporting obligation and DPDP enforcement action.
  • Flat network architectures: Many Indian enterprise networks — especially those that grew rapidly or were built on legacy infrastructure — lack meaningful internal segmentation. An attacker who compromises one workstation often has unrestricted access to dozens of servers on the same flat network.
  • Over-privileged accounts: Administrative accounts with excessive permissions, service accounts with weak passwords, and shared credentials are endemic across Indian enterprise IT environments. Attackers exploit these to move laterally at speed.
  • Limited internal visibility: Most enterprise security teams focus logging and alerting on perimeter devices. Internal east-west traffic — traffic between systems inside the network — is rarely monitored, giving attackers a largely unobserved path to sensitive assets.

How Attackers Actually Move Laterally: The Techniques Your Team Must Know

Understanding attacker tradecraft is the first step toward building effective defences. The following techniques are consistently observed in incidents affecting Indian enterprises:

1. Pass-the-Hash and Pass-the-Ticket

When an attacker compromises a Windows workstation, tools like Mimikatz can extract password hashes or Kerberos tickets directly from memory. These credentials can then be used to authenticate to other systems without ever knowing the plaintext password. In environments where local administrator passwords are identical across machines — a dangerously common configuration — a single compromised endpoint can give attackers access to hundreds of systems within minutes.

2. Remote Service Exploitation

Attackers frequently abuse legitimate remote administration protocols — RDP (Remote Desktop Protocol), SMB (Server Message Block), WMI (Windows Management Instrumentation), and SSH — to execute commands on remote systems. Because these are legitimate services, traditional signature-based detection often misses the abuse entirely. What looks like a domain administrator running a script is actually an attacker who has hijacked that administrator’s session token.

3. Living-off-the-Land (LotL) Techniques

Modern attackers increasingly avoid dropping malware files that antivirus can detect. Instead, they use tools already present on Windows systems — PowerShell, WMI, certutil, mshta, PsExec — to conduct their operations. This “living off the land” approach makes detection significantly harder, because the tools themselves are legitimate; only their behaviour, in context, reveals the attack.

4. Kerberoasting and AS-REP Roasting

In Active Directory environments, attackers can request Kerberos service tickets for accounts with Service Principal Names (SPNs), then crack those tickets offline to recover plaintext passwords. Accounts used for SQL Server, IIS, or other services are frequently configured with weak passwords and excessive privileges, making them ideal stepping stones for lateral movement.

5. Abuse of Legitimate Administrative Tools

Enterprise tools like SCCM (System Center Configuration Manager), Ansible, and remote monitoring and management (RMM) platforms are routinely abused by attackers who gain administrative access. These tools are designed to push software and commands to hundreds of systems simultaneously — exactly what an attacker needs to deploy ransomware at scale.

The Lateral Movement Kill Chain: A Timeline Indian CISOs Must Understand

Lateral movement typically unfolds over days, weeks, or months — not minutes. Understanding the timeline helps prioritise controls:

  • Day 0–1: Initial access via phishing, VPN credential theft, or exploitation of an internet-facing vulnerability. Attacker establishes persistence (scheduled task, registry run key, or WMI subscription).
  • Days 1–7: Reconnaissance. Attacker maps the internal network using ping sweeps, port scans, and Active Directory enumeration tools (BloodHound/SharpHound). Identifies high-value targets and paths of least resistance.
  • Days 7–30: Credential harvesting and privilege escalation. Attacker extracts hashes, cracks passwords, and escalates to domain administrator or service accounts with broad access.
  • Days 30–90: Lateral movement to target systems. Attacker accesses financial servers, databases, backup systems, and domain controllers — often exfiltrating data quietly before triggering ransomware or the final objective.
  • Day 90+: Impact. Data exfiltration for double-extortion, ransomware deployment, or intellectual property theft. By this point, containment is significantly harder and more expensive.

“The average dwell time — the period between initial compromise and detection — in Asia-Pacific environments has historically been measured in weeks. Every day an attacker remains undetected inside your network increases the blast radius of the eventual incident.”

Building Defences Against Lateral Movement: A Practical Framework

Defending against lateral movement requires a layered approach that assumes compromise will occur and focuses on limiting the attacker’s ability to move once inside. The following controls, implemented in priority order, form an effective defensive architecture for Indian enterprises:

Priority 1: Network Segmentation with NGFW-Enforced Policies

The single most impactful control against lateral movement is internal network segmentation. By dividing the network into clearly defined zones — user endpoints, servers, OT/IoT systems, backup infrastructure, payment systems — and enforcing strict east-west traffic policies between zones, you dramatically limit an attacker’s ability to pivot.

A FortiGate next-generation firewall deployed as an internal segmentation firewall (ISFW) can enforce granular policies between network segments, inspect east-west traffic with deep packet inspection (DPI), and apply application-layer controls to internal traffic — not just perimeter traffic. This means even if an attacker compromises a user workstation, they cannot freely access a financial database on a different segment without traversing a policy-enforced checkpoint.

Recommended segmentation model for Indian enterprises:

  • User VLAN (endpoints, BYOD with NAC controls)
  • Server VLAN (web, application, file servers)
  • Database VLAN (SQL, Oracle, MongoDB — no direct user access)
  • Management VLAN (domain controllers, backup servers, network management — most restricted)
  • OT/IoT VLAN (if applicable — air-gapped or unidirectional gateway enforced)
  • DMZ (internet-facing services, isolated from internal)

Priority 2: Zero Trust Network Access for Internal Resources

Traditional VPN models grant network-level access — once connected, a user (or attacker) can reach any system on that network segment. Zero Trust Network Access (ZTNA) replaces this with application-level, identity-verified, device-posture-checked access to specific resources.

For Indian enterprises, deploying ZTNA principles for internal access — not just remote access — means that even a compromised endpoint on the network cannot automatically connect to sensitive internal applications. Every access attempt is verified against identity, device health, and contextual signals before being permitted. This dramatically constrains lateral movement even when attackers hold valid credentials.

Priority 3: Privileged Access Management and Credential Hygiene

Lateral movement depends on credentials. Eliminating the conditions that make credential theft useful is therefore a high-priority defensive action:

  • Local Administrator Password Solution (LAPS): Deploy Microsoft LAPS or a PAM equivalent to randomise local administrator passwords on every endpoint. This eliminates pass-the-hash attacks that rely on shared local admin credentials.
  • Tiered administration model: Domain administrators should only log in to domain controllers, never to workstations or general servers. Privileged access workstations (PAWs) for high-privilege tasks prevent credential exposure on compromised endpoints.
  • Service account hygiene: Audit all service accounts. Remove SPNs from accounts that do not require them. Set strong, randomised passwords (32+ characters) and never use shared service accounts across systems.
  • Just-in-time (JIT) privilege: Implement PAM solutions that grant administrative access only for specific time windows and specific tasks, with full session recording.

Priority 4: 24/7 SOC Monitoring for East-West Anomalies

Lateral movement is difficult to detect with signature-based tools alone because attackers use legitimate protocols and tools. Effective detection requires behavioural analysis of internal traffic patterns — identifying anomalies like a workstation suddenly performing RDP connections to 30 servers at 2 AM, or a service account logging in from a new machine type.

A 24/7 Security Operations Centre (SOC) with SIEM capabilities and user entity behaviour analytics (UEBA) is the appropriate response capability for Indian enterprises. Key detection use cases for lateral movement include:

  • Unusual authentication patterns: accounts authenticating from multiple IPs simultaneously, or from unexpected geographic locations
  • Lateral movement indicators: SMB scanning, PsExec execution, WMI remote process creation to multiple hosts
  • Kerberoasting indicators: unusual Kerberos TGS requests for service account tickets, especially with RC4 encryption
  • BloodHound/SharpHound enumeration: LDAP queries characteristic of Active Directory enumeration tools
  • Credential dumping indicators: LSASS process access events from non-standard processes
  • Unusual data staging: large file copies to temporary locations or unusual compression activity preceding exfiltration

Priority 5: Endpoint Detection and Response (EDR)

Modern EDR solutions provide process-level visibility on endpoints, enabling detection of living-off-the-land techniques that perimeter tools miss entirely. Look for solutions that provide:

  • Process creation monitoring with parent-child relationship analysis
  • Memory protection and credential access detection (LSASS protection)
  • Behavioural detection rules for known lateral movement tooling (Mimikatz, Cobalt Strike, BloodHound)
  • Automated isolation capability — the ability to quarantine a compromised endpoint within seconds of detection, before the attacker moves further

The CERT-In Angle: Lateral Movement and India’s Mandatory Reporting Obligations

India’s CERT-In directive (April 2022) requires organisations to report cybersecurity incidents — including unauthorised network access — within six hours of becoming aware of the incident. Lateral movement attacks complicate this obligation in two important ways:

First, if your detection capability is weak, you may not become aware of a lateral movement campaign until it culminates in ransomware or data theft — by which point the attacker has been active for weeks or months. The six-hour clock starts from awareness, but late awareness does not eliminate liability under DPDP Act provisions.

Second, scope determination is difficult. Establishing which systems were accessed during a lateral movement campaign requires comprehensive logging of internal authentication events, network connections, and process execution — exactly the data that many Indian enterprises do not collect from internal systems. Incident responders who cannot demonstrate the scope of access may need to notify for all systems the attacker could potentially have reached, triggering broader regulatory consequences.

Proactive investment in internal monitoring — SIEM ingesting logs from domain controllers, endpoints, and internal network devices — is therefore both a security and a compliance investment.

Lateral Movement Detection Checklist for Indian Enterprises

Use this checklist to assess your current posture:

  • ☐ Internal network segmentation enforced with NGFW policies between at least 4 distinct zones
  • ☐ Local administrator passwords randomised via LAPS or PAM on all Windows endpoints
  • ☐ Domain administrator accounts restricted from logging into workstations/general servers
  • ☐ Kerberoastable accounts (SPNs with RC4) audited and remediated
  • ☐ SIEM ingesting Windows Security Event Logs (4624, 4625, 4648, 4768, 4769, 4776) from all DCs
  • ☐ SMB and RDP connections monitored for anomalous lateral movement patterns
  • ☐ EDR deployed on all endpoints with process-level telemetry enabled
  • ☐ LSASS protection enabled (Windows Credential Guard or EDR LSASS protection)
  • ☐ 24/7 SOC capability to investigate lateral movement alerts outside business hours
  • ☐ Network flow data (NetFlow/IPFIX) collected from internal switches/routers for east-west visibility
  • ☐ Incident response runbook specifically covering lateral movement scenarios and CERT-In notification triggers

How PJ Networks Helps Indian Enterprises Stop Lateral Movement

PJ Networks delivers the integrated capabilities Indian enterprises need to detect and contain lateral movement before attackers reach their most valuable assets:

FortiGate Internal Segmentation: Our team designs and deploys FortiGate NGFW-based internal segmentation architectures that enforce east-west traffic policies with full application-layer inspection. We work with your network team to define segmentation zones appropriate for your business and implement policies that limit lateral movement paths without disrupting legitimate operations.

24/7 NOC and SOC Services: Our around-the-clock Security Operations Centre monitors your environment for lateral movement indicators — unusual authentication patterns, credential dumping attempts, anomalous east-west traffic, and living-off-the-land technique signatures. When we detect suspicious activity, our analysts investigate and escalate immediately, regardless of the time of day or day of the week.

ZTNA Implementation: We design and deploy Zero Trust Network Access architectures that enforce identity and device verification for every access request to internal applications — eliminating the implicit trust that makes lateral movement so effective in traditional network environments.

CERT-In Compliance Readiness: We help your team build the logging, detection, and response capabilities needed to meet CERT-In’s 6-hour reporting requirement — including defining incident scope rapidly and accurately when lateral movement is detected.

If you are concerned that your network segmentation, credential hygiene, or internal monitoring may not be adequate to detect and contain a lateral movement campaign, PJ Networks offers a complimentary security posture discussion for Indian enterprise IT and security leaders. Contact us to understand where your gaps are — before an attacker finds them first.

Leave a Reply

Your email address will not be published. Required fields are marked *