Episode 50 — Trace Lateral Movement and Internal Discovery in Advanced Threat Techniques

In this episode, we’re going to focus on what attackers often do after they have a foothold, some credentials, and maybe even higher privileges: they start exploring your environment and moving from one system to another. This stage can feel confusing to beginners because it is less about a single dramatic event and more about a series of small steps that look like normal activity when viewed in isolation. Internal discovery is the attacker learning what exists inside the network, like which systems matter, where data is stored, and which accounts have power. Lateral movement is the attacker using that knowledge to move from their initial entry point to other systems, ideally toward more valuable targets. These techniques matter because they turn a contained incident into an organization-wide problem. If you learn to recognize discovery and movement patterns early, you have a much better chance of stopping an attacker before they reach critical systems or stage large-scale data theft.

Before we continue, a quick note: this audio course is a companion to our course companion books. The first book is about the exam and provides detailed information on how to pass it best. The second book is a Kindle-only eBook that contains 1,000 flashcards that can be used on your mobile device or Kindle. Check them both out at Cyber Author dot me, in the Bare Metal Study Guides Series.

Internal discovery is basically reconnaissance, but done from inside the environment instead of from the internet. Once an attacker is inside, they have different questions than they did at the perimeter. They want to know what the network looks like from the inside, which machines are reachable, and which services are running. They want to identify where identity systems live, where backups are stored, and where sensitive data is likely to be. They also want to learn which accounts have elevated privileges and which machines are managed differently, like servers versus workstations. Beginners often assume discovery is always loud, but it can be quiet. An attacker can gather a lot of information simply by observing what the compromised user normally accesses, reading configuration files, and looking at cached information. Other times, discovery is noisier, involving broader scanning or querying many systems. The key is that discovery is purposeful information gathering that prepares the next move.

A helpful way to understand discovery is to think of the attacker building a map. When you first walk into a large building, you might start by reading signs, looking at directories, and noticing which doors are locked. Attackers do something similar with digital environments. They look for naming patterns that reveal which servers do what, like file servers, database servers, or authentication servers. They look for shared drives or internal portals that point to important resources. They look for organizational clues in email, calendars, and collaboration tools that reveal projects, key people, and common workflows. None of this requires complex hacking. It requires time, curiosity, and access. That is why discovery is often paired with credential theft and privilege escalation. The more access an attacker has, the more complete their map becomes, and the easier it is to choose the next target.

Now let’s define lateral movement more clearly. Lateral movement is the act of moving from one system to another within an environment, typically by using legitimate remote access mechanisms, stolen credentials, or trusted relationships between systems. The key idea is that the attacker is no longer just controlling their original foothold. They are expanding their presence. They might access a file server from a compromised workstation, then access a database server from the file server, and then access a domain controller from the database server, each step increasing their reach. Attackers do this because valuable assets are often segmented or protected. The initial foothold is usually not the crown jewel. Lateral movement is how attackers reach the systems that matter most.

Beginners often ask why attackers do not simply attack the most valuable system directly from the start. The answer is that direct access is often harder, more monitored, or not possible from outside. A user laptop is easier to compromise than a core server, and once inside, the attacker can approach high-value targets through internal pathways. Internal pathways may be trusted more than external ones. For example, certain management protocols might be allowed internally but blocked from the internet. Certain servers might accept connections only from inside the network. Once an attacker has an internal foothold, they can take advantage of these internal trust assumptions. This is why internal security controls matter as much as perimeter controls. A secure environment is not just a strong front door; it is also locked doors inside, plus visibility into movement between rooms.

Tracing lateral movement as a defender means recognizing patterns that suggest an account or device is being used to access other systems in unusual ways. One common clue is unexpected remote logins. If a user account that normally logs into one workstation suddenly logs into multiple servers, that is suspicious. Another clue is new connections between systems that do not normally talk to each other. For example, a workstation initiating connections to many internal servers could indicate scanning or probing. A third clue is a burst of authentication activity across multiple systems in a short period of time. Attackers often try a credential in multiple places to see where it works. They may also attempt to access administrative shares or remote services. The details will vary, but the conceptual pattern is consistent: lateral movement creates new relationships and new access paths, and those can be detected when you understand what normal communication and login behavior looks like.
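The three clues above (an account reaching hosts it never touches, one source fanning out to many destinations, and a burst of authentication attempts across hosts) can be turned into simple checks over logon records. This is an added example, not code from the episode or the course books; the hostnames, account names, timestamps and the per-account baseline are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events (not from the episode):
# (time, user, src_host, dst_host, success)
EVENTS = [
    ("2024-05-01T09:00:00", "alice", "WS-101", "WS-101", True),
    ("2024-05-01T09:05:00", "alice", "WS-101", "FS-01", True),
    ("2024-05-01T09:06:00", "bob",   "WS-202", "WS-202", True),
    ("2024-05-01T13:00:00", "alice", "WS-101", "DB-02", False),
    ("2024-05-01T13:00:10", "alice", "WS-101", "DB-03", False),
    ("2024-05-01T13:00:20", "alice", "WS-101", "APP-07", True),
    ("2024-05-01T13:00:30", "alice", "WS-101", "DC-01", True),
    ("2024-05-01T13:00:40", "alice", "WS-101", "FS-02", True),
]
# Hypothetical baseline: hosts each account normally logs into (learned from history in practice).
BASELINE = {"alice": {"WS-101", "FS-01"}, "bob": {"WS-202"}}

def parse(ts):
    return datetime.fromisoformat(ts)

def new_hosts_per_user(events, baseline):
    """Clue 1: accounts successfully reaching hosts outside their normal set."""
    out = defaultdict(set)
    for _, user, _, dst, ok in events:
        if ok and dst not in baseline.get(user, set()):
            out[user].add(dst)
    return dict(out)

def fan_out_sources(events, threshold=3):
    """Clue 2: one source host reaching many distinct destinations (probing pattern)."""
    dsts = defaultdict(set)
    for _, _, src, dst, _ in events:
        if src != dst:
            dsts[src].add(dst)
    return {s: sorted(d) for s, d in dsts.items() if len(d) >= threshold}

def auth_bursts(events, window=timedelta(minutes=1), min_hosts=3):
    """Clue 3: one account attempting authentication (success or failure) to
    at least min_hosts distinct hosts within `window`."""
    per_user = defaultdict(list)
    for ts, user, _, dst, _ in events:
        per_user[user].append((parse(ts), dst))
    bursts = {}
    for user, items in per_user.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            hosts = {d for t, d in items[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                bursts[user] = (t0.isoformat(), sorted(hosts))
                break
    return bursts
```

Note that failed attempts count toward the burst check on purpose: an attacker trying one credential in many places produces failures as well as successes, and the spread across hosts is the signal.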

Internal discovery can also be traced through patterns, even without deep technical details. Discovery often involves a spike in requests for information, such as querying directory services, listing shared resources, or enumerating systems. As a beginner, focus on the intent: the attacker is trying to answer questions about the environment. That intent often leads to repeated access to information sources that normal users rarely touch. For example, most employees do not repeatedly query lists of servers or accounts. Most employees do not systematically attempt to access multiple file shares in sequence. Most employees do not repeatedly try to access administrative interfaces across many systems. These behaviors stand out especially when they occur at unusual times or from devices that are not normally used for administrative work. Detection often comes from combining small signals into a larger pattern rather than relying on a single smoking gun.

A common misconception is that lateral movement always uses malware that jumps automatically from machine to machine. Some attacks do involve self-propagation, but many advanced intrusions rely on valid credentials and built-in remote access features. This is sometimes described as living off the land, which means using tools and pathways that already exist in the environment. When an attacker uses normal remote access mechanisms, their activity can blend into legitimate administrative traffic. This makes context and correlation essential. If you see a remote login, you need to know whether that user normally logs into that system, whether the login time is normal, and whether the source device is expected. It is the combination of factors that reveals suspicious behavior. This is also why least privilege and strong identity controls matter. If credentials have limited reach, lateral movement becomes harder.

Another important idea for beginners is that attackers often stage their movement, meaning they create intermediate positions that help them reach the next target. They might compromise a workstation, then compromise a server that has broader network access, then compromise an identity system that can grant access widely. Each step is chosen because it increases options. This staged movement can be detected if you watch for changes in privilege and access patterns over time. For example, a user account might begin with access to its normal resources, then suddenly access a server it never used before, then appear to perform administrative actions. That progression suggests the attacker is expanding capabilities. Defenders can trace this progression by building timelines that connect authentication events, remote session events, and network connections. Even if each event looks minor, the sequence can reveal intent.

To understand how defenders piece this together, it helps to revisit layered visibility. EDR can reveal local clues on a system, such as a user account launching remote connection processes or accessing credential material. NDR can reveal network clues, such as unusual connection patterns between internal systems or unexpected data flows. Identity logs can reveal authentication clues, such as an account being used on multiple hosts. A SIEM can correlate these to highlight movement paths, like a chain of logins from one system to another. When these layers agree, confidence increases. If only one layer shows a signal, it may still be important, but correlation improves clarity. Beginners should focus on the concept that lateral movement is a multi-system story, and multi-system stories are best detected by combining endpoint, network, and identity evidence.
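The staged progression described two paragraphs up (workstation, then server, then identity system) and the layered correlation described here come together in one piece of logic: chain logons where one hop's destination becomes the next hop's source, then look for endpoint observations on the chain hosts close in time to those logons. This is an added example, not code from the episode; the hosts, times and the endpoint observation labels are constructed, and a real SIEM rule would read these from its own event schema.

```python
from datetime import datetime, timedelta

# Constructed sample events from two visibility layers (not from the episode).
# Identity layer: (time, user, src_host, dst_host) for successful remote logons.
LOGONS = [
    ("2024-05-01T13:00:00", "alice", "WS-101", "FS-02"),
    ("2024-05-01T13:04:00", "alice", "FS-02", "DB-03"),
    ("2024-05-01T13:09:00", "alice", "DB-03", "DC-01"),
    ("2024-05-01T13:20:00", "bob",   "WS-202", "FS-01"),
]
# Endpoint layer: (time, host, observation); observation labels are hypothetical.
ENDPOINT = [
    ("2024-05-01T13:03:30", "FS-02", "remote-session-process-started"),
    ("2024-05-01T13:08:50", "DB-03", "credential-material-read"),
]

def t(ts):
    return datetime.fromisoformat(ts)

def movement_chains(logons, max_gap=timedelta(minutes=15), min_hosts=3):
    """Link logons of one user where a hop's destination becomes the next hop's
    source within max_gap; return the longest such chain (>= min_hosts hosts)."""
    by_user = {}
    for ts, user, src, dst in sorted(logons):
        by_user.setdefault(user, []).append((t(ts), src, dst))
    chains = {}
    for user, hops in by_user.items():
        best = []
        for i, (t0, src0, dst0) in enumerate(hops):
            path, last_t, last_dst = [src0, dst0], t0, dst0
            for t1, src, dst in hops[i + 1:]:
                if src == last_dst and t1 - last_t <= max_gap:
                    path.append(dst)
                    last_t, last_dst = t1, dst
            if len(path) > len(best):
                best = path
        if len(best) >= min_hosts:
            chains[user] = best
    return chains

def corroborate(chain_hosts, logons, endpoint, window=timedelta(minutes=2)):
    """Second layer of evidence: endpoint observations on a chain host close in
    time to a logon that involved that host (as source or destination)."""
    hits = set()
    for ts, user, src, dst in logons:
        for ets, host, what in endpoint:
            if host in chain_hosts and host in (src, dst) and abs(t(ets) - t(ts)) <= window:
                hits.add((host, what))
    return sorted(hits)
```

A single remote logon (bob here) produces no chain, which is the point: the finding is the sequence of hops for one account, and the endpoint hits raise confidence in the hops that the identity layer alone only suggests.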

Lateral movement and discovery are also strongly connected to the concept of segmentation. Segmentation means dividing a network into zones so that systems do not all have free access to each other. If segmentation is strong, lateral movement becomes harder because the attacker’s compromised device cannot easily reach other zones. But segmentation is not only about blocking. It is also about visibility. When communication between zones is restricted, unusual cross-zone access attempts become more noticeable. If a workstation suddenly tries to connect to a critical server zone, that is a strong signal that something is off. Even in environments with limited segmentation, watching for unusual new connections between systems can still reveal movement. The beginner lesson is that lateral movement thrives in flat, highly trusted internal networks, and it struggles when internal pathways are limited and monitored.

By the end of this lesson, you should be able to explain internal discovery as the attacker building a map from inside the environment and lateral movement as the attacker using credentials and trust relationships to move between systems toward valuable targets. You should recognize conceptual detection clues like unusual remote logins, new system-to-system connections, bursts of authentication attempts, and systematic access to internal resources that normal users rarely enumerate. Most importantly, you should see that these techniques are about sequences and relationships, not single events. The decision rule to remember is this: when you suspect a foothold, immediately look for signs of internal mapping and new access paths, and treat unusual chains of authentication and communication between systems as high-priority clues of lateral movement in progress.
