Cookbook: Detecting Lateral Movement in Enterprise Networks
A complete walkthrough from raw security logs to attack chain reconstruction.
This cookbook demonstrates how to detect lateral movement - attackers pivoting from host to host across an enterprise network - using temporal graph analysis. We'll use synthetic authentication and network flow data.
The Challenge
Sophisticated attackers don't compromise one system and stop. They:
- Establish a foothold on an initial workstation
- Harvest credentials (Mimikatz, keylogging)
- Move laterally to servers with valuable data
- Escalate privileges toward domain admin
- Exfiltrate data or deploy ransomware
Each step happens after the previous one. A static graph sees only isolated events; temporal graph analysis sees the ordered attack chain.
What we'll detect:
- Multi-hop authentication paths (Host A → Host B → Host C)
- Unusual pivot timing (rapid sequential logins)
- Blast radius from a compromised host
The Data Model
Step 1: Load Security Log Data
We'll generate synthetic authentication logs mimicking a Windows AD environment with an embedded attack pattern.
Output:
Step 2: Build the Authentication Graph
Create a temporal graph where nodes are hosts/users and edges are authentication events.
Output:
Step 3: Detect Lateral Movement Patterns
Lateral movement creates a temporal path: A authenticates to B, then B authenticates to C, with B acting as a "pivot point."
Output:
Tuning Required: Not all pivots are malicious; administrators legitimately hop between servers. Reduce false positives by filtering on source (unusual users or service accounts), timing (off-hours, very short gaps between inbound and outbound auth), or destination (sensitive systems such as domain controllers).
Step 4: Reconstruct the Attack Chain
Once we identify a suspicious starting point, trace the full attack path forward in time.
Output:
Step 5: Calculate Blast Radius
After identifying the initial compromise, determine how many systems are at risk.
Output:
Step 6: Generate Incident Report
Compile findings into an actionable incident response report.
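Steps 1 to 6 end to end, as one added example in plain Python. This is not the cookbook's own code and does not use whichever temporal graph library the original steps relied on: the graph is a sorted adjacency list, pivot detection is the "inbound auth then outbound auth within a window" check from Step 3, and Steps 4 and 5 share one earliest-arrival (time-respecting) BFS. All host names, users, timestamps and the 10-minute pivot window are constructed or assumed; the log deliberately contains one authentication from a later-compromised server that happened *before* the compromise, so the blast radius and a time-blind reachability count differ.

```python
"""Added example (not the cookbook's own code): a temporal-graph lateral movement
pipeline in plain Python. Hosts, users, timestamps and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Step 1: constructed synthetic auth log as (src_host, dst_host, user, timestamp).
T0 = datetime(2024, 3, 1, 2, 0, 0)   # assumed initial compromise time (02:00, off-hours)
AUTH_LOG = [
    # legitimate daytime admin activity
    ("WS-ADMIN", "SRV-FILE", "admin.jane", T0 - timedelta(hours=10)),
    ("WS-ADMIN", "SRV-DB",   "admin.jane", T0 - timedelta(hours=9)),
    ("SRV-DB",   "SRV-MAIL", "admin.jane", T0 - timedelta(hours=2)),   # BEFORE compromise
    # embedded attack chain: WS-042 -> SRV-FILE -> SRV-DB -> DC-01
    ("WS-042",   "SRV-FILE", "svc_backup", T0),
    ("SRV-FILE", "SRV-DB",   "svc_backup", T0 + timedelta(minutes=4)),
    ("SRV-DB",   "DC-01",    "admin.jane", T0 + timedelta(minutes=7)),
    # unrelated activity after the compromise
    ("WS-077",   "SRV-MAIL", "bob",        T0 + timedelta(minutes=30)),
]


# Step 2: temporal graph = per-source list of (dst, user, ts) edges, sorted by time.
def build_graph(log):
    graph = defaultdict(list)
    for src, dst, user, ts in log:
        graph[src].append((dst, user, ts))
    for edges in graph.values():
        edges.sort(key=lambda e: e[2])
    return dict(graph)


# Step 3: a pivot is a host that receives an auth and then initiates another one
# within `window` AFTER it; the in_ts < out_ts ordering is what makes it temporal.
def detect_pivots(graph, window=timedelta(minutes=10)):
    inbound = defaultdict(list)
    for src, edges in graph.items():
        for dst, user, ts in edges:
            inbound[dst].append((src, user, ts))
    hits = []
    for pivot, ins in inbound.items():
        for in_src, _, in_ts in ins:
            for out_dst, _, out_ts in graph.get(pivot, []):
                if in_ts < out_ts <= in_ts + window:
                    hits.append((pivot, in_src, out_dst, in_ts, out_ts))
    return sorted(hits, key=lambda h: h[3])


# Steps 4 and 5: earliest-arrival temporal BFS from the compromised host. An edge
# u -> v at time t is usable only if t >= the time we reached u, so edges that
# happened before the compromise (SRV-DB -> SRV-MAIL above) are never followed.
def temporal_reach(graph, start, t0):
    arrival, pred, frontier = {start: t0}, {}, [start]
    while frontier:
        nxt = []
        for u in frontier:
            for v, user, ts in graph.get(u, []):
                if ts >= arrival[u] and (v not in arrival or ts < arrival[v]):
                    arrival[v], pred[v] = ts, (u, v, user, ts)
                    nxt.append(v)   # re-expand: an earlier arrival may unlock more edges
        frontier = nxt
    return arrival, pred


def attack_chain(pred, target):
    """Walk predecessor edges back from `target`; return the chain in time order."""
    chain, node = [], target
    while node in pred:
        chain.append(pred[node])
        node = pred[node][0]
    return chain[::-1]


def blast_radius(arrival, start):
    return sorted(h for h in arrival if h != start)


def static_reach(graph, start):
    """Time-blind reachability, for contrast: it wrongly includes SRV-MAIL."""
    seen, stack = {start}, [start]
    while stack:
        for v, _, _ in graph.get(stack.pop(), []):
            if v not in seen:
                seen.add(v)
                stack.append(v)
    return sorted(seen - {start})


# Step 6: compile the findings into a report dict an IR team can act on.
def incident_report(log, start, t0):
    graph = build_graph(log)
    arrival, pred = temporal_reach(graph, start, t0)
    at_risk = blast_radius(arrival, start)
    last = max(at_risk, key=lambda h: arrival[h]) if at_risk else None
    return {
        "initial_host": start,
        "compromise_time": t0.isoformat(),
        "pivot_hosts": sorted({p[0] for p in detect_pivots(graph)}),
        "attack_chain": [f"{s} -> {d} ({u} @ {ts:%H:%M})"
                         for s, d, u, ts in attack_chain(pred, last)] if last else [],
        "blast_radius": at_risk,
        "static_reach": static_reach(graph, start),   # over-count, shown for comparison
    }


if __name__ == "__main__":
    import json
    print(json.dumps(incident_report(AUTH_LOG, "WS-042", T0), indent=2))
```

Run it and the report names SRV-FILE and SRV-DB as pivots, reconstructs the chain WS-042 -> SRV-FILE -> SRV-DB -> DC-01 in chronological order, and gives a blast radius of three hosts, while the time-blind `static_reach` also lists SRV-MAIL because it cannot tell that the SRV-DB -> SRV-MAIL authentication predates the compromise. Real data needs the Step 3 tuning: the pivot window, the treatment of service accounts, and an allow-list for known admin jump hosts are the first knobs to adjust.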
Summary
This cookbook demonstrated a complete lateral movement detection pipeline:
| Step | What We Did |
|---|---|
| 1. Load Data | Ingested authentication logs with timestamps |
| 2. Build Graph | Created temporal graph of host-to-host authentications |
| 3. Detect Pivots | Found hosts receiving then initiating auth in short windows |
| 4. Trace Chain | Reconstructed full attack path in chronological order |
| 5. Blast Radius | Identified all systems potentially compromised |
| 6. Generate Report | Compiled actionable incident response data |
Key temporal insights:
- Pivot detection: Requires knowing A happened before B
- Attack chain: Static graphs can't show the sequence
- Blast radius: Only includes systems reachable AFTER compromise
Next Steps
- Temporal Reachability Algorithm – Deep dive
- Platform Engineer Tutorial – Deploy real-time detection
- Network Operations Cookbook – Related use case