Given a large enterprise network of devices and their authentication history (e.g., device logons), how can we quantify network vulnerability to lateral attack and identify at-risk devices? We systematically address these problems through D²M, the first framework that models lateral attacks on enterprise networks using multiple attack strategies developed with researchers, engineers, and threat hunters in the Microsoft Defender Advanced Threat Protection group. These strategies integrate real-world adversarial actions (e.g., privilege escalation) to generate attack paths: a series of compromised machines. Leveraging these attack paths and a novel Monte-Carlo method, we formulate network vulnerability as a probabilistic function of the network topology, distribution of access credentials and initial penetration point. To identify machines at risk to lateral attack, we propose a suite of five fast graph mining techniques, including a novel technique called AnomalyShield inspired by node immunization research. Using three real-world authentication graphs from Microsoft and Los Alamos National Laboratory (up to 223,399 authentications), we report the first experimental results on network vulnerability to lateral attack, demonstrating D²M's unique potential to empower IT admins to develop robust user access credential policies.
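To make the abstract's vulnerability estimate concrete, here is an added example (written for this page, not the D²M implementation, whose attack strategies and Monte-Carlo details the abstract does not reproduce): a toy authentication graph built from constructed logon events, one simplified attack strategy in which a compromised device yields the credentials of accounts that logged on there with an assumed harvest probability, and the resulting expected fraction of compromised devices from a chosen or uniformly random initial penetration point.

```python
"""Monte-Carlo estimate of lateral-attack exposure on a toy authentication graph.
Added example, not the paper's D²M code: the harvest probability, the credential
re-use rule and the single attack strategy below are simplifying assumptions."""
import random
from collections import defaultdict

# Constructed sample logon events (account, device): the authentication graph.
LOGONS = [
    ("alice", "WS1"), ("alice", "WS2"),
    ("bob", "WS2"), ("bob", "FILESRV"),
    ("admin", "FILESRV"), ("admin", "DC1"),
    ("carol", "WS3"),  # WS3 shares no account with the other devices
]

def build_graph(logons):
    """Map each device to the accounts seen on it, and each account to its devices."""
    accounts_on, devices_of = defaultdict(set), defaultdict(set)
    for account, device in logons:
        accounts_on[device].add(account)
        devices_of[account].add(device)
    return accounts_on, devices_of

def attack_path(start, accounts_on, devices_of, p_harvest=1.0, rng=random):
    """Simulate one lateral attack from `start`: on each compromised device each
    resident account's credential is harvested with probability p_harvest
    (assumption) and re-used on every device that account has logged on to.
    Returns the attack path: the ordered list of compromised devices."""
    path, frontier, creds = [start], [start], set()
    while frontier:
        device = frontier.pop(0)
        creds |= {a for a in accounts_on[device] if rng.random() < p_harvest}
        for nxt in sorted(set().union(*(devices_of[a] for a in creds)) - set(path)):
            path.append(nxt)
            frontier.append(nxt)
    return path

def vulnerability(logons, start=None, p_harvest=0.5, trials=2000, seed=1):
    """Expected fraction of devices compromised, averaged over `trials` simulated
    paths from `start` (or from a uniformly random initial penetration point)."""
    accounts_on, devices_of = build_graph(logons)
    devices = sorted(accounts_on)
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        s = start or rng.choice(devices)
        total += len(attack_path(s, accounts_on, devices_of, p_harvest, rng))
    return total / (trials * len(devices))

if __name__ == "__main__":
    print("from WS1, p=0.5:", vulnerability(LOGONS, start="WS1"))
    print("random entry, p=0.5:", vulnerability(LOGONS))
```

With p_harvest=1.0 the estimate reduces to plain credential-reachability (0.8 from any device in the connected part of the graph, 0.2 from the isolated WS3); lowering p_harvest shows how much a credential policy that limits what can be harvested reduces the expected exposure.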
[Figure 1 (overview diagram; only its labels survive): Build Authentication Graph; Analyst Tests Attack Strategy: Penetrate, Explore, Compromise (User, Admin, Domain Controller); 3. Vulnerability Analysis; Monitored.]
Our Contributions

We propose D²M, the first framework that systematically quantifies network vulnerability to lateral attack and identifies at-risk devices (Fig. 1). Our major contributions include:

• Attack Strategies. D²M enables security researchers to integrate their crucial domain knowledge from studying prior attacks in the form of attack strategies. We developed three attack strategies by actively engaging researchers, engineers and threat