The correct answer is internal systems authenticating to multiple hosts using SMB in a short time. This behavior is a classic indicator of credential-based lateral movement.
When attackers obtain valid credentials, they often move laterally by:
Accessing administrative shares (e.g., C$, ADMIN$)
Using SMB, WMI, WinRM, or RDP
Authenticating to multiple systems rapidly
Cisco Secure Network Analytics excels at identifying east-west traffic anomalies, which are central to lateral movement detection. A single host authenticating to many internal systems over SMB in a short time deviates strongly from normal user behavior.
Option A relates to external traffic, not lateral movement. Option C may indicate command-and-control or staging but not lateral movement. Option D aligns more with beaconing behavior.
This technique aligns with MITRE ATT&CK – Lateral Movement and is explicitly covered in the CBRTHD blueprint under network-based threat hunting.
Thus, Option B is the correct answer.