Lateral Movement Identification in Cross-Cloud Deployment

In the cloud computing era, cross-cloud deployments enable organizations to operate across multiple autonomous cloud platforms, offering advantages such as resilience and cost and performance optimization. However, lateral movement attacks, which are a critical stage in the progression of Advanced Persistent Threats (APTs), pose significant challenges in this environment. This paper proposes a Lateral Movement Identification (LMD) system to identify lateral movement attacks in cross-cloud containerized environments. The LMD system uses Dynamic Information Flow Tracking (DIFT) and extended Berkeley Packet Filter (eBPF) sandboxes to monitor and associate network traffic within the container host kernel without modifying the kernel. Our experiments validate the effectiveness of the LMD system in tracking ingress and egress traffic, differentiating between multiple simultaneous connections, and maintaining minimal performance overhead.

Digital Object Identifier (DOI)
10.23919/CNSM62983.2024.10814442