Learn by Directing AI
Unit 7

Lateral Movement Testing

Step 1: Plan the lateral movement test

You have the connectivity matrix from Unit 2 (before segmentation) and the segmentation design from Unit 3 (the expected outcome). The lateral movement test verifies that the architecture holds under realistic attack conditions -- not just port scans but actual exploitation attempts.

Plan the test sequence. You need to test at least five paths:

  1. Tenant Wi-Fi to BMS zone -- the critical path the insurance company flagged
  2. Tenant Wi-Fi to access control zone -- compromised tenant device to door locks
  3. CCTV zone to access control zone -- compromised surveillance to physical access
  4. CCTV zone to BMS zone -- compromised surveillance to building management
  5. Management zone to all zones -- the legitimate exception that should work

For each path: what technique will you use? What does success look like? What does failure look like? Decide in advance what counts as blocked at the packet level: a connection that times out means the firewall dropped the traffic; a "connection refused" means the packet reached the target and only a closed port stopped you, which is not segmentation. Planning the test before executing it means you know what to expect and can identify anomalies.

Step 2: Test tenant-to-BMS lateral movement

This is the path that started the entire engagement. The insurance company said tenant Wi-Fi should not reach building management systems.

From the tenant-wifi-1 container, attempt to establish a connection to the BMS. Use the techniques from P4 -- Metasploit, direct connection attempts, service probing. The segmentation should block all of these.

If Metasploit cannot establish a session because the network path is segmented, the segmentation works for this path. Confirm that the failure is a network timeout rather than an exploit that simply did not work against the target: an exploit can fail for many reasons, and only a dropped connection proves the architecture held. The same lateral movement techniques that succeeded on unsegmented networks in P4 fail against your architecture.

If the connection succeeds despite the segmentation, you have found a gap. Investigate: is the container still attached to the default bridge network, where every container can reach every other? Did Docker's iptables management override your firewall rules? Docker inserts its own rules at the head of the FORWARD chain each time the daemon starts, so rules you added directly to FORWARD can end up behind Docker's ACCEPTs; cross-zone rules belong in the DOCKER-USER chain, which is evaluated before Docker's own rules and which Docker leaves alone. Is there a route through the shared fiber connection?
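
One way to check the DOCKER-USER question without guessing is to walk the chain for the flow you just tested, the way netfilter would. The script below is an added example for this unit, not course code. The chain listing is a constructed sample in the format `iptables -S DOCKER-USER` prints, and the zone subnets (tenant 172.21, CCTV 172.22, management 172.20, BMS 172.30, access control 172.31) are assumptions for the lab; paste your own listing in to audit the real host.

```python
"""Walk the DOCKER-USER chain for one flow to see whether the segmentation rule
that should block it is actually hit.

Added example for this unit, not course code. The chain listing is a constructed
sample in `iptables -S DOCKER-USER` format; zone subnets are lab assumptions.
"""
import ipaddress
import shlex
from typing import List

# Constructed listing: tenant->BMS and CCTV->access control are dropped here,
# but nothing mentions tenant->access control, so that path falls through to
# Docker's own FORWARD rules, which ACCEPT traffic inside a bridge network.
SAMPLE_DOCKER_USER = """\
-N DOCKER-USER
-A DOCKER-USER -s 172.20.0.0/24 -d 172.30.0.0/24 -p tcp -m tcp --dport 9100 -j ACCEPT
-A DOCKER-USER -s 172.20.0.0/24 -d 172.30.0.0/24 -j DROP
-A DOCKER-USER -s 172.21.0.0/24 -d 172.30.0.0/24 -j DROP
-A DOCKER-USER -s 172.22.0.0/24 -d 172.31.0.0/24 -j DROP
-A DOCKER-USER -j RETURN
"""


def parse_docker_user(listing: str) -> List[dict]:
    """Parse `-A DOCKER-USER ...` lines into match/target dicts.

    Only -s, -d, -p, --dport and -j are understood; anything else raises so a
    rule is never silently misjudged (negations, interface matches, ranges).
    """
    rules = []
    for line in listing.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "DOCKER-USER"]:
            continue
        rule = {"src": None, "dst": None, "proto": None, "dport": None, "target": None}
        i = 2
        while i < len(tok):
            opt = tok[i]
            arg = tok[i + 1] if i + 1 < len(tok) else None
            if opt in ("-s", "--source"):
                rule["src"] = ipaddress.ip_network(arg, strict=False)
            elif opt in ("-d", "--destination"):
                rule["dst"] = ipaddress.ip_network(arg, strict=False)
            elif opt in ("-p", "--protocol"):
                rule["proto"] = arg
            elif opt == "--dport":
                rule["dport"] = int(arg)
            elif opt in ("-j", "--jump"):
                rule["target"] = arg
            elif opt != "-m":  # "-m tcp" only enables --dport; nothing to match
                raise ValueError(f"unsupported match {opt!r} in: {line}")
            i += 2
        rules.append(rule)
    return rules


def first_verdict(rules: List[dict], src: str, dst: str, proto: str, dport: int) -> str:
    """Target of the first rule matching the flow, in chain order.

    Falling off the end of DOCKER-USER is the same as RETURN: Docker's own
    FORWARD rules then decide, and those accept traffic inside a bridge network.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["src"] is not None and s not in r["src"]:
            continue
        if r["dst"] is not None and d not in r["dst"]:
            continue
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["target"]
    return "RETURN"


def enforced_here(rules: List[dict], src: str, dst: str, proto: str, dport: int) -> bool:
    """True only when DOCKER-USER itself drops the flow. RETURN means the block,
    if there is one, lives in rules Docker manages and reorders on restart."""
    return first_verdict(rules, src, dst, proto, dport) == "DROP"


if __name__ == "__main__":
    rules = parse_docker_user(SAMPLE_DOCKER_USER)
    flows = {  # (src, dst, proto, dport); addresses are lab assumptions
        "tenant -> BMS Modbus": ("172.21.0.10", "172.30.0.5", "tcp", 502),
        "tenant -> access control web": ("172.21.0.10", "172.31.0.5", "tcp", 443),
        "management -> BMS exporter": ("172.20.0.2", "172.30.0.5", "tcp", 9100),
        "management -> BMS Modbus": ("172.20.0.2", "172.30.0.5", "tcp", 502),
    }
    for name, flow in flows.items():
        print(f"{name:30} {first_verdict(rules, *flow)}")
```

A RETURN for a path the design says is blocked is the finding to chase: the block is either missing or sitting in FORWARD where Docker will step in front of it.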

Step 3: Test CCTV-to-access-control lateral movement

The surveillance zone and the access control zone are both high-trust zones, but they serve different functions. A compromised camera system should not be able to unlock doors.

From the cctv-manager container, attempt to reach the access-control container. Test both direct port access and service-level interaction. The zones should be isolated -- CCTV and access control are separate zones with no allowed traffic between them.

Repeat for CCTV to BMS. These cross-zone paths should all be blocked.

Step 4: Test management zone access

The management zone is the exception. It needs to reach all other zones for monitoring and administration -- but only on specific ports for specific purposes.

From the Grafana container (management zone), test connectivity to each zone. The monitoring ports should be reachable. Non-monitoring ports should be blocked. Management access does not mean unrestricted access -- it means access to management functions only.

If management can reach every port on every container, the management zone firewall rules are too permissive. Restrict to the specific ports needed for Alloy log collection, Grafana data sources, and administrative access.

Step 5: Document results and remediate gaps

For each path tested, document:

  • What was attempted
  • What happened (blocked, allowed, partial access)
  • Whether the result matches the segmentation design
  • If a gap: what caused it and what was done to fix it

If you found gaps, remediate them now. Update the Docker network configuration or firewall rules, then re-test the specific path to confirm the fix works, and re-run the rest of the plan as well: a rule change that closes one path can open or break another.

Check the detection layer alongside the prevention layer. The Sigma rules from Unit 4 should have fired on every blocked lateral movement attempt, which presupposes that the block is logged: a silent DROP with no LOG rule, or a flow record that never reaches Alloy, gives the Sigma rule nothing to match. Open Grafana and verify: do you see detection alerts corresponding to each of your test attempts?

If the firewall blocked the attempt but no detection alert fired, the detection layer has a gap. If the attempt was allowed and nothing fired either, both layers have gaps. If the firewall blocked it and the detection alert fired, both layers are working.
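
Steps 1 to 5 fit in one small harness: the plan as data, a probe that distinguishes dropped from refused from connected, a verdict against the Unit 3 design, and the cross-check against the detection layer. The script below is an added example for this unit, not course code. Container names (tenant-wifi-1, cctv-manager, grafana), target addresses, ports, the probe command and the shape of the alert records are assumptions; the embedded observations and alerts are constructed so the script runs offline, and `--live` switches to probing through `docker exec`.

```python
"""Drive the Step 1 test plan, classify each result and cross-check detection.

Added example for this unit, not course code. Container names, target IPs,
ports, the probe command and the alert record shape are assumptions; the
sample observations and alerts are constructed. Run with --live to probe the
real containers through docker exec.
"""
import subprocess
import sys
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Path:
    source: str    # container the probe runs from
    target: str    # target IP: Docker's DNS resolves a name only on networks the
                   # source shares, so a name would fail for exactly the paths
                   # that are correctly isolated
    port: int
    expected: str  # "blocked" or "allowed", from the Unit 3 design
    note: str


# The five paths from Step 1; management is split into a monitoring port that
# must work and one that must not (Step 4). Addresses and ports are assumed.
PLAN: List[Path] = [
    Path("tenant-wifi-1", "172.30.0.5", 502, "blocked", "tenant Wi-Fi to BMS (Modbus)"),
    Path("tenant-wifi-1", "172.31.0.5", 443, "blocked", "tenant Wi-Fi to door controller"),
    Path("cctv-manager", "172.31.0.5", 443, "blocked", "CCTV to access control"),
    Path("cctv-manager", "172.30.0.5", 502, "blocked", "CCTV to BMS"),
    Path("grafana", "172.30.0.5", 9100, "allowed", "management to BMS metrics exporter"),
    Path("grafana", "172.30.0.5", 502, "blocked", "management monitors, it does not speak Modbus"),
]


def docker_probe(path: Path, timeout: int = 3) -> str:
    """TCP connect from inside the source container (assumes bash with /dev/tcp
    and coreutils `timeout` in the image). The exit status separates what a
    plain `nc -z` lumps together: connected (0); refused (1, a RST came back,
    so the packet reached the target); timed out (124, dropped on the way)."""
    cmd = ["docker", "exec", path.source, "timeout", str(timeout), "bash", "-c",
           f"exec 3<>/dev/tcp/{path.target}/{path.port}"]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode == 0:
        return "allowed"
    if proc.returncode == 124:
        return "blocked"
    if "refused" in proc.stderr.lower():
        return "reachable"
    return "error"  # docker exec failure, unroutable address, ...: read stderr


def verdict_for(expected: str, observed: str) -> str:
    """Only a dropped packet satisfies 'blocked'. 'reachable' means the firewall
    passed the SYN and a closed port is all that stopped you: a gap."""
    if observed == "error":
        return "error"
    if expected == "blocked":
        return "ok" if observed == "blocked" else "gap"
    if observed == "allowed":
        return "ok"
    return "partial" if observed == "reachable" else "gap"


@dataclass(frozen=True)
class Result:
    path: Path
    observed: str
    verdict: str


def run_plan(plan: List[Path], probe: Callable[[Path], str]) -> List[Result]:
    results = []
    for p in plan:
        observed = probe(p)
        results.append(Result(p, observed, verdict_for(p.expected, observed)))
    return results


def detection_gaps(results: List[Result], alerts: List[Dict]) -> List[Result]:
    """Step 5: every attempt the firewall blocked should have raised an alert.
    Alert records are assumed to carry src, dst and dst_port."""
    seen = {(a["src"], a["dst"], a["dst_port"]) for a in alerts}
    return [r for r in results if r.observed == "blocked"
            and (r.path.source, r.path.target, r.path.port) not in seen]


# Constructed stand-ins for the live lab: tenant->access control came back
# "refused" (a segmentation gap) and no alert exists for grafana->BMS:502
# (a detection gap).
SAMPLE_OBSERVED: Dict[Tuple[str, str, int], str] = {
    ("tenant-wifi-1", "172.30.0.5", 502): "blocked",
    ("tenant-wifi-1", "172.31.0.5", 443): "reachable",
    ("cctv-manager", "172.31.0.5", 443): "blocked",
    ("cctv-manager", "172.30.0.5", 502): "blocked",
    ("grafana", "172.30.0.5", 9100): "allowed",
    ("grafana", "172.30.0.5", 502): "blocked",
}
SAMPLE_ALERTS = [
    {"src": "tenant-wifi-1", "dst": "172.30.0.5", "dst_port": 502},
    {"src": "cctv-manager", "dst": "172.31.0.5", "dst_port": 443},
    {"src": "cctv-manager", "dst": "172.30.0.5", "dst_port": 502},
]


def sample_probe(path: Path) -> str:
    return SAMPLE_OBSERVED[(path.source, path.target, path.port)]


if __name__ == "__main__":
    probe = docker_probe if "--live" in sys.argv else sample_probe
    results = run_plan(PLAN, probe)
    for r in results:  # the Step 5 record: attempted, happened, matches design
        print(f"{r.verdict:8} {r.path.source} -> {r.path.target}:{r.path.port} "
              f"expected {r.path.expected}, observed {r.observed} ({r.path.note})")
    for r in detection_gaps(results, SAMPLE_ALERTS):
        print(f"no alert {r.path.source} -> {r.path.target}:{r.path.port}")
```

The printed lines are the documentation list from this step; keep the ones marked gap, partial or no alert together with the fix you applied, and re-run the whole plan after each change rather than only the path you touched.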

✓ Check

Check: At least five lateral movement paths tested (tenant-to-BMS, tenant-to-access-control, CCTV-to-access-control, CCTV-to-BMS, management-to-all). All critical paths blocked. Any gaps remediated and re-tested.