Mapping Stealthy Lateral Movement in Hybrid Clouds
Our purple team identified a series of lateral movement behaviours inside a hybrid cloud estate that escaped correlation across our telemetry sources: each event looked routine in the log that recorded it. This briefing outlines the detection logic that restored visibility.
The adversary reused legitimate orchestration tokens to pivot between workloads that trusted the same federated identity provider. The tokens carried ordinary-looking claims, yet they enabled privilege escalation through refresh grants exercised while the job that had minted them was idle. Because the requests looked like routine CI/CD traffic and stayed within normal volumes, they passed beneath rate-based alert thresholds and traditional anomaly detection.
We built a heuristic detector that combines three signals: graph relationships between accounts and the tokens that cross them, token minting and refresh cadence, and host identity drift (a workload whose observed labels or role differ from what its deployment declared). Joining VPC flow logs, identity audit logs and container runtime events gave the multi-dimensional context needed to confirm a path and scope containment. One caveat worth stating: legitimate cross-account automation will trip the graph check unless known federation pairs are allowlisted, so the allowlist has to be maintained alongside the detector.
Detection Highlights
- Cross-account token usage visualised through relationship graphs.
- Ephemeral workload fingerprinting to identify mismatched labels and roles.
- Just-in-time interdiction playbooks enforced through automated conditional access.
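As an added example, not taken from the briefing or from the team's hunting pack, the three heuristics run over a constructed event stream: a token is flagged when it was refreshed while its principal had no running job, its use crossed an account pair outside the allowlist, and the destination host's observed (label, role) drifted from the expected fingerprint. The event schema, the allowlisted federation pairs and the expected fingerprints are all assumptions made for the example.

```python
"""Heuristic detection of idle refresh grants, cross-account token paths and
host identity drift.  Added example; event schema and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (assumed schema): one normal pipeline run, then the
# same token refreshed after the job ended, used from another account, and a
# runtime event on that host whose role does not match its fingerprint.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "type": "job_start", "principal": "ci-runner-7", "account": "build"},
    {"ts": "2024-05-01T10:00:05", "type": "token_mint", "principal": "ci-runner-7", "account": "build", "token": "tok-A"},
    {"ts": "2024-05-01T10:03:00", "type": "token_use", "principal": "ci-runner-7", "account": "build", "token": "tok-A", "host": "runner-7"},
    {"ts": "2024-05-01T10:05:00", "type": "job_end", "principal": "ci-runner-7", "account": "build"},
    {"ts": "2024-05-01T11:30:00", "type": "token_refresh", "principal": "ci-runner-7", "account": "build", "token": "tok-A"},
    {"ts": "2024-05-01T11:31:00", "type": "token_use", "principal": "ci-runner-7", "account": "prod", "token": "tok-A", "host": "api-3"},
    {"ts": "2024-05-01T11:31:10", "type": "runtime_exec", "account": "prod", "host": "api-3", "label": "api", "role": "deployer"},
]

# Assumed: expected (label, role) per host, as declared by its deployment.
EXPECTED_FINGERPRINT = {"runner-7": ("ci", "builder"), "api-3": ("api", "api-reader")}
# Assumed allowlist of (minting account, using account) pairs that may share tokens.
ALLOWED_EDGES = {("build", "build"), ("build", "staging")}


def _t(s):
    return datetime.fromisoformat(s)


def job_windows(events):
    """Pair job_start/job_end per principal into (start, end) windows; an
    unmatched job_start is treated as still running (end=None)."""
    windows, open_jobs = defaultdict(list), {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "job_start":
            open_jobs[e["principal"]] = _t(e["ts"])
        elif e["type"] == "job_end" and e["principal"] in open_jobs:
            windows[e["principal"]].append((open_jobs.pop(e["principal"]), _t(e["ts"])))
    for p, start in open_jobs.items():
        windows[p].append((start, None))
    return windows


def idle_refreshes(events):
    """Tokens refreshed while no job was running for their principal."""
    windows, found = job_windows(events), []
    for e in events:
        if e["type"] != "token_refresh":
            continue
        ts = _t(e["ts"])
        active = any(s <= ts and (end is None or ts <= end)
                     for s, end in windows.get(e["principal"], []))
        if not active:
            found.append(e["token"])
    return found


def token_graph(events):
    """token -> set of (minting account, using account) edges."""
    minted_in, edges = {}, defaultdict(set)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "token_mint":
            minted_in[e["token"]] = e["account"]
        elif e["type"] == "token_use" and e["token"] in minted_in:
            edges[e["token"]].add((minted_in[e["token"]], e["account"]))
    return edges


def cross_account_paths(events, allowed):
    """Tokens with a mint->use edge outside the allowlisted federation pairs."""
    return {tok: sorted(edges - allowed)
            for tok, edges in token_graph(events).items() if edges - allowed}


def identity_drift(events, expected):
    """Runtime events whose (label, role) differ from the host's fingerprint."""
    return [(e["host"], expected[e["host"]], (e["label"], e["role"]))
            for e in events
            if e["type"] == "runtime_exec" and e["host"] in expected
            and (e["label"], e["role"]) != expected[e["host"]]]


def anomalous_paths(events, allowed, expected):
    """Flag tokens that were both refreshed idle and used across a
    non-allowlisted account pair; attach any drifted hosts they touched."""
    idle, cross = set(idle_refreshes(events)), cross_account_paths(events, allowed)
    drifted = {h for h, _, _ in identity_drift(events, expected)}
    hosts_by_token = defaultdict(set)
    for e in events:
        if e["type"] == "token_use":
            hosts_by_token[e["token"]].add(e["host"])
    return {tok: {"edges": cross[tok], "drifted_hosts": sorted(hosts_by_token[tok] & drifted)}
            for tok in idle & set(cross)}


if __name__ == "__main__":
    print(anomalous_paths(EVENTS, ALLOWED_EDGES, EXPECTED_FINGERPRINT))
```

Each signal is weak on its own: an idle refresh may be a retried pipeline, a cross-account use may be an automation the allowlist has not caught up with, and role drift may be a deployment mid-rollout. Requiring the idle refresh and the unexpected account crossing to coincide on one token, with drift as corroborating context, is what keeps the detector from firing on every stale pipeline token.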
After the enhanced hunting pack was deployed, the blue team cut time-to-detection for this tradecraft from hours to minutes. Replaying the adversary's techniques against the pack on a continuing basis is what keeps the detections current as those techniques evolve.