Azure Advanced Threat Protection (Azure ATP) provides invaluable insights on identity configurations and suggested security best practices across the enterprise. A key component of Azure ATP's insights is Lateral Movement Paths (LMPs). Azure ATP LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movement within a cyber-attack kill chain is for attackers to gain and compromise your sensitive accounts on the way to domain dominance. Azure ATP LMPs provide easy-to-interpret, direct visual guidance on your most vulnerable sensitive accounts, and help you mitigate and close the access an attacker would need for domain dominance.
Lateral movement attacks, which use non-sensitive accounts to gain access to sensitive accounts, can be carried out through many different techniques. The methods most commonly used by attackers are credential theft and Pass the Ticket. In both methods, attackers use your non-sensitive accounts to move laterally by exploiting machines that share stored log-in credentials, accounts and groups with your sensitive accounts.
Where can you find Azure ATP LMPs?
Every computer or user profile discovered by Azure ATP has a Lateral movement paths tab.
The LMP tab provides different information depending on sensitivity of the entity:
- Sensitive users – potential LMP(s) leading to this user are shown.
- Non-sensitive users and computers – potential LMP(s) the entity is related to are shown.
When you click the tab, Azure ATP displays the most recently discovered LMP. Each potential LMP is saved for 48 hours following discovery. You can view older LMPs by clicking View a different date.
Azure ATP version 2.56 adds two additional LMP capabilities: discovering when potential LMPs were identified, and where.