Lateral Movement Detection Using Distributed Data Fusion

Fawaz, Ahmed; Bohara, Atul; Cheh, Carmen; Sanders, William H.

doi:10.1109/srds.2016.014

Cited by 21 publications

(10 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The problem is that expert attackers can easily evade similar defensive schemes by acting differently from the expected model. The detection algorithm proposed by Fawaz et al [29] requires analyses of huge amounts of host-based logs, which are hard to collect in large organization and may be easily altered by attackers because we remark that they control the hosts of the pivoting tunnel. Unlike these proposals, we consider network flows because they are easier to collect and store; moreover, our analysis requires less processing costs than investigations carried out on raw traffic data [20].…”

Section: Related Workmentioning

confidence: 99%

Detection and Threat Prioritization of Pivoting Attacks in Large Networks

Pierazzi

Colajanni

Marchetti

2020

IEEE Trans. Emerg. Topics Comput.

View full text Add to dashboard Cite

Several advanced cyber attacks adopt the technique of "pivoting" through which attackers create a command propagation tunnel through two or more hosts in order to reach their final target. Identifying such malicious activities is one of the most tough research problems because of several challenges: command propagation is a rare event that cannot be detected through signatures, the huge amount of internal communications facilitates attackers evasion, timely pivoting discovery is computationally demanding. This paper describes the first pivoting detection algorithm that is based on network flows analyses, does not rely on any a-priori assumption on protocols and hosts, and leverages an original problem formalization in terms of temporal graph analytics. We also introduce a prioritization algorithm that ranks the detected paths on the basis of a threat score thus letting security analysts investigate just the most suspicious pivoting tunnels. Feasibility and effectiveness of our proposal are assessed through a broad set of experiments that demonstrate its higher accuracy and performance against related algorithms

show abstract

Section: Related Workmentioning

confidence: 99%

Detection and Threat Prioritization of Pivoting Attacks in Large Networks

Pierazzi

Colajanni

Marchetti

2020

IEEE Trans. Emerg. Topics Comput.

View full text Add to dashboard Cite

show abstract

“…In this work, we considered the threat due to lateral movement by an attacker. Advanced Persistent Threats (APT) [17] are severe and long-lasting cyber attacks, where lateral movement is an attack phase in which the attacker moves from the compromised devices to other devices [18] [19]. APT can be defined as the theft of intellectual property or espionage as opposed to achieving immediate financial gain and are prolonged, stealthy attacks [20] [21] .…”

Section: B Threat Modelmentioning

confidence: 99%

Automated Microsegmentation for Lateral Movement Prevention in Industrial Internet of Things (IIoT)

Arifeen

Petrovski

2021

2021 14th International Conference on Security of Information and Networks (SIN)

View full text Add to dashboard Cite

“…Another important distinction is that this work uses real-world enterprise authentication graphs, while most prior work has not. [14,16,19,7]. Latte [14], a graph based detection framework, discovers potential lateral movement in a network using forensic analysis of known infected computers.…”

Section: Background and Our Differencesmentioning

confidence: 99%

D²M: Dynamic Defense and Modeling of Adversarial Movement in Networks

Freitas¹,

Wicker²,

Chau³

et al. 2020

Proceedings of the 2020 SIAM International Conference on Data Mining

View full text Add to dashboard Cite

Given a large enterprise network of devices and their authentication history (e.g., device logons), how can we quantify network vulnerability to lateral attack and identify at-risk devices? We systematically address these problems through D 2 M , the first framework that models lateral attacks on enterprise networks using multiple attack strategies developed with researchers, engineers, and threat hunters in the Microsoft Defender Advanced Threat Protection group. These strategies integrate real-world adversarial actions (e.g., privilege escalation) to generate attack paths: a series of compromised machines. Leveraging these attack paths and a novel Monte-Carlo method, we formulate network vulnerability as a probabilistic function of the network topology, distribution of access credentials and initial penetration point. To identify machines at risk to lateral attack, we propose a suite of five fast graph mining techniques, including a novel technique called AnomalyShield inspired by node immunization research. Using three real-world authentication graphs from Microsoft and Los Alamos National Laboratory (up to 223,399 authentications), we report the first experimental results on network vulnerability to lateral attack, demonstrating D 2 M 's unique potential to empower IT admins to develop robust user access credential policies. PenetrateExplore Compromise Analyst Tests Attack Strategy1 1 2 1 2 3 User Admin Domain Controller Build Authentication Graph 3. Vulnerability Analysis Monitored Our ContributionsWe propose D 2 M , the first framework that systematically quantifies network vulnerability to lateral attack and identifies at-risk devices (Fig. 1).Our major contributions include:• Attack Strategies D 2 M enables security researchers to integrate their crucial domain knowledge from studying prior attacks in the form of attack strategies. We developed three attack strategies by actively engaging researchers, engineers and threat

show abstract

Lateral Movement Detection Using Distributed Data Fusion

Cited by 21 publications

References 9 publications

Detection and Threat Prioritization of Pivoting Attacks in Large Networks

Detection and Threat Prioritization of Pivoting Attacks in Large Networks

Automated Microsegmentation for Lateral Movement Prevention in Industrial Internet of Things (IIoT)

D²M: Dynamic Defense and Modeling of Adversarial Movement in Networks

Contact Info

Product

Resources

About

Lateral Movement Detection Using Distributed Data Fusion

Cited by 21 publications

References 9 publications

Detection and Threat Prioritization of Pivoting Attacks in Large Networks

Detection and Threat Prioritization of Pivoting Attacks in Large Networks

Automated Microsegmentation for Lateral Movement Prevention in Industrial Internet of Things (IIoT)

D2M: Dynamic Defense and Modeling of Adversarial Movement in Networks

Contact Info

Product

Resources

About

D²M: Dynamic Defense and Modeling of Adversarial Movement in Networks