Lateral Movement Detection

By Jeet Dutta / Director of Data Science at Adlumin, Inc. 

Lateral movement is a type of cyberattack where the attacker first gains access to a single component in a network and then proliferates their reach across the network to steal data or execute other malicious actions. The initial and subsequent access to various systems is achieved via stolen credentials. The attacker maintains a low profile post the initial breach, moving between systems through authenticated access, biding their time until they encounter data or systems they have in mind as targets. These attacks are difficult to detect while in progress because the pattern of credential acquisition and access tends to vary, and they do not generate much by way of obviously suspicious network traffic. The losses can be heavy for the network under attack.

Adlumin’s Data Science team has developed a machine learning algorithm for lateral movement detection, using techniques adapted from network graph theory. When an attacker moves laterally on your network, they are likely to leave a trace of access events. Adlumin’s lateral movement detection model learns the normal patterns of access on your network and alerts you when a privileged user’s behavior deviates significantly from that baseline. Machines associated with anomalous behavior are flagged, and the associated user’s behavior for the day is summarized in the detection to help security analysts further investigate.

Adlumin’s approach is host-based simply because lateral movement concerns accesses involving multiple hosts. While the detections highlight individual hosts as anomalous, the objective is to draw attention to the access events themselves, which is facilitated by the user interface Adlumin provides with this and other detections.

Our data science team continues to explore various unsupervised techniques, such as embedding user-host information in vector space and subsequently using clustering methods to flag unusual access patterns. Adlumin’s current graph-based detection provides a robust baseline with a low false-positive count and a good performance against known adversarial logins, against which other approaches can be evaluated.

The critical requirement of the graph-based approach is to map out every user’s daily login behavior over several days. The user’s history is represented as a collection of daily login graphs where each daily graph has:

  1. Vertices representing hosts and systems
  2. Directed edges between the vertices for representing logins between those systems

Based on this construction, the following detection attributes are worth noting:

  1. This algorithm only monitors accounts with privileged access since stolen privileged credentials can cause maximal damage.
  2. Since a lateral attack is likely to involve machines that a given user rarely accesses, a detection is only triggered if the anomalous pattern of behavior involves rare or “novel” machines. The purpose is to avoid false positives.
  3. Once the graph-theoretic metrics are extracted from each vertex in each graph, all vertices are represented individually as vectors in high-dimensional feature space. Vertices associated with outliers in this feature space are flagged as anomalous. Since each vertex represents a unique host, the anomaly score is ultimately assigned to individual machines. Machines with “high” anomaly scores relative to an appropriately set baseline are flagged as suspected lateral movement attack venues.

Below is an example of a lateral movement detection, displaying two distinct anomalous patterns of access. The graph provides a visual representation of the user’s flagged behavior, and the table to the right attempts to characterize essential features of that behavior. Users of the Adlumin application can click on the graph nodes for more detailed information to further investigate the individual access events, shown in the two tables below the graph.