How AI is Used to Detect Lateral Movement
By: Zach Swartz, Senior Data Scientist
Adlumin recently flagged lateral movement incidents on a customer’s network. The detection was achieved via an AI algorithm designed to aggregate suspicious incidents until they collectively project a high-fidelity threat signal. This prevented further compromise of valuable resources, and Adlumin detection response teams advised the client on remedial action.
When a cybercriminal first gains access to a network, they often move laterally to different machines until they find what they’re looking for. This movement can usually be traced using Windows access-event logs. However, detecting this behavior automatically amongst the enormous corpus of access events can be extremely difficult, especially when it involves privileged users with network-wide access. This is where Adlumin AI comes into play.
A machine-learned algorithm assigns an anomaly score to each successful logon event that occurs on an Adlumin customer’s machine. Anomalous logon events are then aggregated to form access graphs, which are subsequently assessed for attack signatures. For example, many anomalous logon events from a single user on a single machine may indicate that an attacker is attempting to gain access to network share drives or performing scanning-like behavior to gain a foothold elsewhere on the network. Below is an example of a penetration test detected on a customer network where the user attempted to access 15 separate machines.
This “one-to-many” behavior is a common aggressive tactic that Adlumin AI targets explicitly and has been essential in discovering and mitigating network breaches.
An Adlumin customer recently received multiple rule-based alerts concerning SSH and FTP connections to a foreign country, along with three lateral movement detections associated with an admin account exhibiting the above mentioned ” one-to-many ” behavior. The attacker accessed roughly 30 hosts across the network and copied several documents. It appears that data exfiltration was attempted but unsuccessful, and due to the quick response from the Adlumin MDR team and the customer, the situation was contained, and damage was minimized. The combination of rule-based and AI-powered detections allowed Adlumin and the customer to promptly characterize and address the issue to the fullest extent possible.
Adlumin Data Science continuously develops more robust and holistic solutions for automated defense against network intrusion and data exfiltration. The incident captured here highlights our core principle of combining AI, domain knowledge, and detection response expertise.
Illuminate Threats and Eliminate Risks
Learn more about how Adlumin’s Managed Detection and Response Services and Security Operations Platform can empower your team to illuminate threats, eliminate cyber risk, and command authority. Contact us today, schedule a demo, or sign-up for a free trial.