How to detect and contain evasive lateral threats in hybrid cloud environments

Modern attackers bypass borders and spread silently. Strengthened internal observability helps leaders detect and contain them early. Find out how…

Imagine discovering that burglars have been secretly living in your house, wandering from room to room, helping themselves to your food, and subtly siphoning off small possessions, without you ever noticing. This act of “phrogging” can persist for weeks, even months.

Now, translate this to your enterprise network. Most security teams focus on locking the doors and watching who comes in and out: the North–South traffic crossing the perimeter. The problem is, once an intruder goes past your defenses and gets inside, they can move quietly across servers, workloads, and containers along the network’s hallways: the East–West lanes (i.e., lateral traffic).

As cloud environments and microservices proliferate, internal workload have grown significantly and often exceed inbound/outbound traffic volumes. This shift increases the risk of lateral movement by attackers if internal visibility is limited.

A growing regional risk landscape

Regionally, surveys and statistics suggest that sophisticated attacks have been increasingly exploiting East-West blind spots. A stark example of this kind of phrogging is the SingHealth Data Breach of 2018. Another case occurred in the Medibank Data Breach, Australia (2022).

Once inside a government cloud, attackers moved laterally across systems, infecting machines with malware, deleting files, and disabling services, underscoring the severe threat posed by lateral movement.

Compounding these risks are third-party vulnerabilities, with a high proportion of victimized firms unable to detect compromises originating from their vendors.

Why conventional telemetry falls short
Security operations centers have long relied heavily on telemetry for insights into system activity and performance. These signals are essential, but also fragile.

Logs can be deleted or never created
Agents can be disabled
The sheer volume of events from containerized environments can drown out real threats.

Attackers know this, and so they use legitimate admin tools, short bursts of encrypted traffic, and carefully timed data exfiltration to evade detection. Unlike logs, which are often manipulated or deleted after compromise, network packet captures — especially when collected out-of-band or from trusted points in the network — are generally harder to tamper with. (Editor’s note: Determined attackers with sufficient infrastructure access can still disrupt or obfuscate even network traffic, so no source of telemetry is completely immune.)

This is the principle behind strong system observability: complementing traditional signals with real-time, unfiltered data from across all data systems to give security and performance teams a clearer, more complete picture of what is going on.

Guarding against lateral movement
Today’s most dangerous threats range from ransomware to advanced persistent threats, which unfold over time and are often executed by well-resourced (and patient) attackers. They move laterally across systems and exploit blind spots between workloads, clouds, and containers to evade detection.

The urgent priority is to relook network observability and harden it:

Begin by capturing internal traffic, from virtual machines, cloud environments, and containers, and feeding it into a unified pipeline.
This pipeline filters out noise, de-duplicates packets, and adds context; turning huge amounts of raw data into focused, actionable intelligence without sacrificing forensic detail.
A major barrier to this visibility used to be encryption, which often hides malicious activity. However, modern security solutions now decrypt traffic in transit for inspection and re-encrypt it before delivery, uncovering hidden threats without compromising privacy or overwhelming security tools.
Armed with this enriched dataset, security teams can detect low-and-slow lateral access, suspicious file movements, or unusual spikes in outbound encrypted traffic that may be missed with traditional tools and team skillsets.
This deeper visibility also transforms incident response. Teams can trace the path of an attack across internal systems, enabling faster containment and reducing dwell time.

Most importantly, strengthened observability of lateral traffic operationalizes Zero Trust. It validates segmentation policies, detects misconfigurations, and closes internal blind spots.

Locking the front door is insufficient now
With strengthened observability turning on the lights everywhere data moves, the intruder’s advantage will be negated, including encrypted traffic where malicious activity is often hidden.

In doing this, organizations can detect threats earlier, respond faster, and operate more precisely.

It building and reinforcing a resilient security posture, true safety is not just about locking the front door: it is about knowing what is happening in every room at all times.