How to defend enterprise networks against lateral attacks?

Attack campaigns from criminal organizations and nation state actors are quickly becoming one of the most powerful forms of disruption. In 2016 alone, malicious cyber activities recently cost the U.S. economy $109 billion. These cyber attacks are often highly sophisticated, targeting governments and large-scale enterprises to interrupt critical services and steal intellectual property.

Unfortunately, once an attacker has compromised a single credential for an enterprise machine, the whole network becomes vulnerable to lateral attack movements, allowing the adversary to eventually gain control of the network (i.e., escalating privileges via credential stealing). As seen in Figure 1, lateral attacks typically follow a three-stage kill chain(i) infection of a networked computer, (ii) exploration of the network and escalation of privileges, and (iii) exfiltration of data.

Figure 1. Lateral attack on network. Steps: 1. Network is penetrated; 2-4. Attacker explores the network and escalates privileges; 5. Attacker compromises the domain controller, gaining control of the network.

Lateral Attack Catch-22

Despite their prevalence, observing and analyzing lateral attacks is challenging for multiple reasons: (1) lateral attacks are still relatively sparse compared to the unsuccessful attack; (2) attack ground-truth is hard to ascertain, and generally partially uncovered through investigation; (3) incident reports are frequently withheld from the public for security and privacy concerns;
and (4) due to the fact that the adversary already has a valid credential for the network (e.g., gained through phishing), attackers can operate as a legitimate user.

While real attack data does exist — due to the above challenges, it is rarely fully visible, or accessible, making the study of a “complete” attack highly problematic. This makes developing defenses against lateral attacks extremely difficult.

What can we do about it?

Working with researchers at Georgia Tech’s Polo Club of Data Science and Microsoft’s Advanced Threat Protection team, we developed D²M, the first framework that systematically quantifies network vulnerability to lateral attack and identifies at-risk devices.

D²M is composed of 3 core components (see Figure 2 for overview):

  1. Lateral attack Modeling. We develop 3 attack strategies by engaging researchers, engineers and threat hunters in Microsoft’s Advanced Threat Protection group, whose expertise lies in tracking down adversaries in a post-breach environment (once adversary is on network). Each strategy integrates real-world adversarial actions (e.g., privilege escalation), generating attack paths consisting of a series of compromised machines (Figure 2.2).
  2. Network Vulnerability Analysis. We formulate a novel Monte-Carlo method for lateral attack vulnerability as a probabilistic function of the network topology, distribution of access credentials and initial penetration point (Figure 2.3). This helps empower IT admins to develop robust user access credential policies and enables security researchers to study the vulnerability of a network to lateral attack.
  3. Network Defense by Identifying At-risk Machines. To identify machines at risk to lateral attack, we propose a suite of five fast graph mining techniques, including a novel technique called AnomalyShield which prioritizes machines with anomalous neighbors and high eigencentrality.

In this article, we will focus on points (1) and (2). For a detailed analysis of each point take a look at our SDM’20 paper.

Figure 2. D²M framework: 1. Builds an authentication graph from device authentication history; 2. Allows security analysts to test different attack strategies to study network vulnerability; and 3. Identifies at-risk machines to monitor, preempting lateral attacks.

Integrating Domain Knowledge

In order to model lateral attacks, we must first convert authentication history of network devices into an authentication graph, where directed edges represent machine-machine authentications (i.e., logons) in an organization. To enhance the graph model with realistic security and attack practices, we integrate the following three components into our framework:

(1) per-machine credential caching, giving each machine in the graph a cached credential (e.g., ‘user’, ‘admin’);

(2) network hygiene to model various credential distributions on the network. Intuitively, low hygiene models a network with loose IT policies and an abundance of high-level administrator credentials. In contrast, high hygiene represents a network with strict IT policies and limited distribution of admin credentials; and

(3) domain controller modeling, by assigning the machine (node) in the network with highest PageRank the role of controlling access to network resources. This is considered most important machine, and if compromised, gives the attacker full control of the network.

We also incorporate the concept of privilege escalation by allowing the attacker to connect to a machine that is one credential level higher. For example, if the attacker has collected a “user” credential, they can connect to a machine with “user” or “admin” credentials. In practice, this is done through mining the memory of the machine to gain higher credential levels.

Modeling Lateral Attacks

An enterprise attack typically follows a kill chain, which can be distilled into three phases — (1) penetration of the network; (2) exploration of the network and escalation of privileges; and (3) exfiltration of data back to the command and control server. We model each of these three phases as follows:

  1. Network Penetration typically happens through phishing campaigns targeting organization employees or incidental exposure from employees downloading malware on high-risk websites. We model this penetration process by assuming that most compromised employees (machines)have the lowest credential level (“user”) and let the attacker randomly start on any of these machines.
  2. Exploration & Exploitation. Once an attacker is on a network, their goal is to explore the network and escalate privileges. This process begins by stealing the infected machines cached credentials, allowing them to authenticate with neighboring machines, and continues until they obtain domain admin privileges. This attack process is modeled in two ways — (1) black-box, where the attacker has no prior information on the network (i.e., normal pattern of authentications); and (2) gray-box, where the attacker has prior information on the network layout, possibly through prior reconnaissance or inside help.
  3. Exfiltration of Data. After the adversary has obtained a domain admin credential, they’re able to connect to any networked machine, freely exploring the network until they reach the domain controller. Upon accessing the domain controller, the attacker gains full control over the network. At this point the adversary can sweep the network for valuable information and exfiltrate with impunity. We leave modeling this aspect of the kill chain to future work.

Working with threat experts, we develop 3 attack strategies to model lateral attacks on enterprise networks. Below, we discuss 1 strategy RandomWalk-Explore (RWE), which assumes the attacker starts on a random “user” machine with no knowledge about the network. RWE models attacker movement across the network through a modified random walk. 85% of the time, the attacker compromises a machine uniformly at random from the set of unvisited neighboring machines (initially, this consists of the penetrated machines’ neighbors in the authentication graph). 15% of the time, the attacker randomly jumps with uniform probability to any other “user” machine in the network. This helps to model some of the usual behavior that can occur during an attack.

Lateral Attack Algorithm. We allow the attacker to randomly penetrate various points of the network with “user” credentials and then move according to one of 3 attack strategies until the domain controller is reached or there are no neighbors to visit (attack failed). Each successful run of this simulation generates an attack path, representing the sequence of machines visited, with the last node representing the domain controller. This process is repeated for multiple credential distributions to eliminate bias from a single distribution of machine credentials. An example attack path generated from can be seen in Figure 1.

Quantifying Network Vulnerability to Lateral Attack

To make data driven decisions regarding IT policy in an enterprise network, it is important to quantify the risk a network faces to lateral movement. Unfortunately, directly measuring this risk is difficult, requiring complex interactions of many unknown variables. To simplify these interactions, we propose to quantify network vulnerability to lateral attack (L) as a function of three random variables — (1) network topology (G),
(2) distribution of access credentials (d), and (3) initial point of penetration in the network (v).

Equation 1. Vulnerability score L(G) is a real number between 0 and 1, where a higher value indicates a more vulnerable network for a given network topology G.

Since the true network credential distribution is unknown, along with knowledge of the organizations IT policies (strict, loose), we model credential distributions through the use of hygiene levels h∈ H. For a given hygiene level h, we can marginalize out the dependency of the vulnerability score L to any specific distribution of credentials across machines d ∈ D. In addition, we can simulate the attacker penetrating many different points in the network allowing us to marginalize out the dependency attacker penetration point. Finally, without additional domain knowledge, we can marginalize out the dependency to hygiene level h ∈ H by assuming a each level is equally probable (h) = 1/3.

Viewing this process through the lens of Monte Carlo simulation, where in expectation we compute the graph vulnerability across many different credential distributions and penetration points, we get Equation 1 above. Intuitively, this score is saying that a network is more vulnerable if attacks are on average more successful for many credential distributions d ∈ D (d is a vector of machine credentials)and penetration points v ∈ R (where v is a penetration point out of the set of possible penetration points R). Of course, if we have knowledge about any of these variables apriori we can replace them for a more accurate vulnerability score.

We measure an attack’s success through f(), which simulates an attack using one of the three attack strategies. A value of f(G, d, v) = 1 indicates a successful attack, which we define as being able to reach the domain controller. Future work could generalize this to other targets such as high value servers.

Want to read more?

For all of the nitty-gritty details of D²M we released our paper on arXiv.

PhD student @ Georgia Tech. I work at the intersection of applied and theoretical machine learning.