



Most Indian enterprise security teams spend the majority of their budget and attention on perimeter defences — firewalls, antivirus, email gateways. Yet a growing body of incident-response data tells a different story: the most damaging breaches in 2025 and 2026 are not happening at the perimeter. They are happening inside the network, often weeks or months after the initial compromise, as attackers quietly move from one system to the next in search of high-value targets.
This technique — called lateral movement — is now the defining characteristic of advanced persistent threats (APTs), ransomware groups, and nation-state actors targeting Indian enterprises. Understanding it, and building controls to detect and contain it, is one of the highest-leverage investments a CISO can make today.
Lateral movement refers to the techniques attackers use to progressively move through a network after establishing an initial foothold. The attacker typically gains access through a phishing email, a vulnerable internet-facing service, or a compromised third-party credential. But that initial beachhead is rarely their target. Instead, they pivot — hopping from workstation to server to database — until they reach the systems that matter most: financial records, customer PII, intellectual property, or domain controllers that give them control of the entire Active Directory environment.
For Indian enterprises, the stakes are particularly high for several reasons:
Understanding attacker tradecraft is the first step toward building effective defences. The following techniques are consistently observed in incidents affecting Indian enterprises:
When an attacker compromises a Windows workstation, tools like Mimikatz can extract password hashes or Kerberos tickets directly from memory. These credentials can then be used to authenticate to other systems without ever knowing the plaintext password. In environments where local administrator passwords are identical across machines — a dangerously common configuration — a single compromised endpoint can give attackers access to hundreds of systems within minutes.
Attackers frequently abuse legitimate remote administration protocols — RDP (Remote Desktop Protocol), SMB (Server Message Block), WMI (Windows Management Instrumentation), and SSH — to execute commands on remote systems. Because these are legitimate services, traditional signature-based detection often misses the abuse entirely. What looks like a domain administrator running a script is actually an attacker who has hijacked that administrator’s session token.
Modern attackers increasingly avoid dropping malware files that antivirus can detect. Instead, they use tools already present on Windows systems — PowerShell, WMI, certutil, mshta, PsExec — to conduct their operations. This “living off the land” approach makes detection significantly harder, because the tools themselves are legitimate; only their behaviour, in context, reveals the attack.
In Active Directory environments, attackers can request Kerberos service tickets for accounts with Service Principal Names (SPNs), then crack those tickets offline to recover plaintext passwords. Accounts used for SQL Server, IIS, or other services are frequently configured with weak passwords and excessive privileges, making them ideal stepping stones for lateral movement.
Enterprise tools like SCCM (System Center Configuration Manager), Ansible, and remote monitoring and management (RMM) platforms are routinely abused by attackers who gain administrative access. These tools are designed to push software and commands to hundreds of systems simultaneously — exactly what an attacker needs to deploy ransomware at scale.
Lateral movement typically unfolds over days, weeks, or months — not minutes. Understanding the timeline helps prioritise controls:
“The average dwell time — the period between initial compromise and detection — in Asia-Pacific environments has historically been measured in weeks. Every day an attacker remains undetected inside your network increases the blast radius of the eventual incident.”
Defending against lateral movement requires a layered approach that assumes compromise will occur and focuses on limiting the attacker’s ability to move once inside. The following controls, implemented in priority order, form an effective defensive architecture for Indian enterprises:
The single most impactful control against lateral movement is internal network segmentation. By dividing the network into clearly defined zones — user endpoints, servers, OT/IoT systems, backup infrastructure, payment systems — and enforcing strict east-west traffic policies between zones, you dramatically limit an attacker’s ability to pivot.
A FortiGate next-generation firewall deployed as an internal segmentation firewall (ISFW) can enforce granular policies between network segments, inspect east-west traffic with deep packet inspection (DPI), and apply application-layer controls to internal traffic — not just perimeter traffic. This means even if an attacker compromises a user workstation, they cannot freely access a financial database on a different segment without traversing a policy-enforced checkpoint.
Recommended segmentation model for Indian enterprises:
Traditional VPN models grant network-level access — once connected, a user (or attacker) can reach any system on that network segment. Zero Trust Network Access (ZTNA) replaces this with application-level, identity-verified, device-posture-checked access to specific resources.
For Indian enterprises, deploying ZTNA principles for internal access — not just remote access — means that even a compromised endpoint on the network cannot automatically connect to sensitive internal applications. Every access attempt is verified against identity, device health, and contextual signals before being permitted. This dramatically constrains lateral movement even when attackers hold valid credentials.
Lateral movement depends on credentials. Eliminating the conditions that make credential theft useful is therefore a high-priority defensive action:
Lateral movement is difficult to detect with signature-based tools alone because attackers use legitimate protocols and tools. Effective detection requires behavioural analysis of internal traffic patterns — identifying anomalies like a workstation suddenly performing RDP connections to 30 servers at 2 AM, or a service account logging in from a new machine type.
A 24/7 Security Operations Centre (SOC) with SIEM capabilities and user entity behaviour analytics (UEBA) is the appropriate response capability for Indian enterprises. Key detection use cases for lateral movement include:
Modern EDR solutions provide process-level visibility on endpoints, enabling detection of living-off-the-land techniques that perimeter tools miss entirely. Look for solutions that provide:
India’s CERT-In directive (April 2022) requires organisations to report cybersecurity incidents — including unauthorised network access — within six hours of becoming aware of the incident. Lateral movement attacks complicate this obligation in two important ways:
First, if your detection capability is weak, you may not become aware of a lateral movement campaign until it culminates in ransomware or data theft — by which point the attacker has been active for weeks or months. The six-hour clock starts from awareness, but late awareness does not eliminate liability under DPDP Act provisions.
Second, scope determination is difficult. Establishing which systems were accessed during a lateral movement campaign requires comprehensive logging of internal authentication events, network connections, and process execution — exactly the data that many Indian enterprises do not collect from internal systems. Incident responders who cannot demonstrate the scope of access may need to notify for all systems the attacker could potentially have reached, triggering broader regulatory consequences.
Proactive investment in internal monitoring — SIEM ingesting logs from domain controllers, endpoints, and internal network devices — is therefore both a security and a compliance investment.
Use this checklist to assess your current posture:
PJ Networks delivers the integrated capabilities Indian enterprises need to detect and contain lateral movement before attackers reach their most valuable assets:
FortiGate Internal Segmentation: Our team designs and deploys FortiGate NGFW-based internal segmentation architectures that enforce east-west traffic policies with full application-layer inspection. We work with your network team to define segmentation zones appropriate for your business and implement policies that limit lateral movement paths without disrupting legitimate operations.
24/7 NOC and SOC Services: Our around-the-clock Security Operations Centre monitors your environment for lateral movement indicators — unusual authentication patterns, credential dumping attempts, anomalous east-west traffic, and living-off-the-land technique signatures. When we detect suspicious activity, our analysts investigate and escalate immediately, regardless of the time of day or day of the week.
ZTNA Implementation: We design and deploy Zero Trust Network Access architectures that enforce identity and device verification for every access request to internal applications — eliminating the implicit trust that makes lateral movement so effective in traditional network environments.
CERT-In Compliance Readiness: We help your team build the logging, detection, and response capabilities needed to meet CERT-In’s 6-hour reporting requirement — including defining incident scope rapidly and accurately when lateral movement is detected.
If you are concerned that your network segmentation, credential hygiene, or internal monitoring may not be adequate to detect and contain a lateral movement campaign, PJ Networks offers a complimentary security posture discussion for Indian enterprise IT and security leaders. Contact us to understand where your gaps are — before an attacker finds them first.