Scenario S-004 - Lateral movement from compromised host
| Element | Description |
|---|---|
| Scenario ID | S-004 |
| Target asset | Internal network infrastructure and connected systems |
| Threat source | External attacker or malicious insider |
| Attack vector | Reuse of credentials stolen on the initially compromised host (passwords, hashes, tokens, tickets), combined with insufficient network segmentation, to authenticate to and move between other internal systems |
| Potential impact | Compromise of multiple internal systems leading to escalation of privileges, service disruption, or data exposure |
| Likelihood | 🟨 Medium - compromised credentials and insufficient segmentation are common enablers of lateral movement |
| Impact rating | 🟥 High - multiple systems may be compromised once an attacker gains internal foothold |
| Risk rating | 🟥 High |
Mitigation:
- Enforce strong authentication policies and multi-factor authentication for privileged access.
- Implement network segmentation between infrastructure, management, and service zones.
- Restrict which accounts may authenticate to which systems: tiered administration for privileged accounts (no administrative logons from workstations) and role-based access control for service and user accounts, so that credentials stolen on one host are not valid on the next.
- Forward authentication events and internal connection logs to centralized logging and alert on lateral-movement patterns, such as one account or one source host authenticating to many systems within a short window, or a privileged account authenticating from a workstation.
- Apply the principle of least privilege across internal services.
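The two detection rules implied by the mitigations above (authentication fan-out and privileged logons from the workstation zone), run over a constructed sample of centralized logon events. This is an added example, not part of the original scenario sheet or of any named product; the log format, the workstation subnet 10.10.7.0/24, the `CORP\adm-` naming convention for privileged accounts and the thresholds are all assumptions.

```python
"""Lateral-movement detection over a centralized authentication log.

Added example; assumptions:
- lines are SIEM-normalised Windows 4624 (successful logon) events in the
  constructed format: <ISO-8601 ts> <event id> <logon type> <account> <source ip> <target host>
- logon type 3 is a network logon: <account> authenticated to <target host> from <source ip>
- 10.10.7.0/24 is the workstation zone; accounts prefixed 'CORP\\adm-' are privileged
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample: jdoe's workstation (10.10.7.91) starts authenticating as
# the privileged account CORP\adm-ops to six different servers within minutes,
# while a backup service account touches one file server every so often.
SAMPLE_LOG = """\
2024-03-04T09:00:05 4624 3 CORP\\svc-backup 10.10.5.21 FS01
2024-03-04T09:00:09 4624 3 CORP\\alice 10.10.7.44 FS01
2024-03-04T09:02:40 4624 2 CORP\\jdoe 10.10.7.91 WS-JDOE
2024-03-04T09:15:12 4624 3 CORP\\svc-backup 10.10.5.21 FS02
2024-03-04T09:31:02 4624 3 CORP\\adm-ops 10.10.7.91 SRV01
2024-03-04T09:31:20 4624 3 CORP\\adm-ops 10.10.7.91 SRV02
2024-03-04T09:31:44 4624 3 CORP\\adm-ops 10.10.7.91 SRV03
2024-03-04T09:32:10 4624 3 CORP\\adm-ops 10.10.7.91 DC01
2024-03-04T09:32:31 4624 3 CORP\\adm-ops 10.10.7.91 SRV04
2024-03-04T09:33:05 4624 3 CORP\\adm-ops 10.10.7.91 SRV05
2024-03-04T09:40:00 4624 3 CORP\\alice 10.10.7.44 FS01
2024-03-04T10:05:00 4624 3 CORP\\svc-backup 10.10.5.21 FS03
"""

WORKSTATION_ZONE = ip_network("10.10.7.0/24")  # assumption: workstation zone
PRIVILEGED_PREFIX = "CORP\\adm-"                # assumption: privileged account naming


def parse_log(text):
    """Parse the constructed log format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src_ip, target = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "src_ip": src_ip,
            "target": target,
        })
    return sorted(events, key=lambda e: e["ts"])


def network_logons(events):
    """Keep only successful network logons (4624 / type 3); interactive
    logons (type 2) on a user's own workstation are not lateral movement."""
    return [e for e in events if e["event_id"] == 4624 and e["logon_type"] == 3]


def detect_fanout(events, key, threshold=5, window=timedelta(minutes=10)):
    """Rule 1: one account (key='account') or one source host (key='src_ip')
    authenticating to >= threshold distinct targets inside a sliding window.
    Backup and scanning accounts also fan out; allow-list them or raise their
    threshold rather than lowering the bar for everyone."""
    recent = defaultdict(deque)  # key value -> deque of (ts, target) in window
    alerted = set()
    alerts = []
    for e in network_logons(events):
        q = recent[e[key]]
        q.append((e["ts"], e["target"]))
        while e["ts"] - q[0][0] > window:  # drop events older than the window
            q.popleft()
        targets = {t for _, t in q}
        if len(targets) >= threshold and e[key] not in alerted:
            alerted.add(e[key])  # one alert per offender, not one per logon
            alerts.append({"rule": f"fanout_by_{key}", key: e[key],
                           "targets": sorted(targets),
                           "window_start": q[0][0], "window_end": e["ts"]})
    return alerts


def detect_tier_violation(events):
    """Rule 2: a privileged account authenticating *from* the workstation zone.
    Under tiered administration this should never happen; it is what stolen
    admin credentials used from a compromised workstation look like."""
    return [{"rule": "privileged_from_workstation", "account": e["account"],
             "src_ip": e["src_ip"], "target": e["target"], "ts": e["ts"]}
            for e in network_logons(events)
            if e["account"].startswith(PRIVILEGED_PREFIX)
            and ip_address(e["src_ip"]) in WORKSTATION_ZONE]


def run(text=SAMPLE_LOG):
    """Apply both rules and return the combined alert list."""
    events = parse_log(text)
    return (detect_fanout(events, "account")
            + detect_fanout(events, "src_ip")
            + detect_tier_violation(events))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample, the fan-out rule fires once for `CORP\adm-ops` and once for source 10.10.7.91 (at the fifth distinct target), and the tier rule fires for each of the six privileged logons from the workstation; `svc-backup` never trips the fan-out rule because its three logons are spread over more than the ten-minute window. In production the same logic runs over the SIEM's normalised event stream, and the thresholds are tuned per account class rather than globally.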
Owners:
- Ops - network segmentation, infrastructure configuration.
- Sec - monitoring, authentication policies, detection rules.
References:
- ISO/IEC 27001:2022 - Annex A 8.16 Monitoring activities.
- ISO/IEC 27001:2022 - Annex A 8.20 Networks security.
- ISO/IEC 27001:2022 - Annex A 8.22 Segregation of networks.
- NIST CSF 1.1 - PR.AC Identity Management, Authentication and Access Control.
- NIST CSF 1.1 - PR.PT Protective Technology.
- NIST CSF 1.1 - DE.CM Security Continuous Monitoring.
- EBIOS RM - Threat scenarios involving lateral movement within internal network after host compromise.
Response actions:
- Containment - Isolate the compromised host from the internal network and block suspicious internal connections.
- Eradication - Revoke and rotate every credential that was usable from the compromised host (user, administrative and service accounts, including cached or stored secrets), and identify affected systems by tracing those credentials through the centralized authentication logs.
- Recovery - Restore impacted systems from trusted configurations and verify access permissions.
- Post-incident - Review segmentation policies, strengthen monitoring, and update detection rules for lateral movement.