How to defend enterprise networks against lateral attacks?

Figure 1. Lateral attack on network. Steps: 1. Network is penetrated; 2-4. Attacker explores the network and escalates privileges; 5. Attacker compromises the domain controller, gaining control of the network.

Lateral Attack Catch-22

What can we do about it?

  1. Lateral attack Modeling. We develop 3 attack strategies by engaging researchers, engineers and threat hunters in Microsoft’s Advanced Threat Protection group, whose expertise lies in tracking down adversaries in a post-breach environment (once adversary is on network). Each strategy integrates real-world adversarial actions (e.g., privilege escalation), generating attack paths consisting of a series of compromised machines (Figure 2.2).
  2. Network Vulnerability Analysis. We formulate a novel Monte-Carlo method for lateral attack vulnerability as a probabilistic function of the network topology, distribution of access credentials and initial penetration point (Figure 2.3). This helps empower IT admins to develop robust user access credential policies and enables security researchers to study the vulnerability of a network to lateral attack.
  3. Network Defense by Identifying At-risk Machines. To identify machines at risk to lateral attack, we propose a suite of five fast graph mining techniques, including a novel technique called AnomalyShield which prioritizes machines with anomalous neighbors and high eigencentrality.
Figure 2. D²M framework: 1. Builds an authentication graph from device authentication history; 2. Allows security analysts to test different attack strategies to study network vulnerability; and 3. Identifies at-risk machines to monitor, preempting lateral attacks.

Integrating Domain Knowledge

Modeling Lateral Attacks

  1. Network Penetration typically happens through phishing campaigns targeting organization employees or incidental exposure from employees downloading malware on high-risk websites. We model this penetration process by assuming that most compromised employees (machines)have the lowest credential level (“user”) and let the attacker randomly start on any of these machines.
  2. Exploration & Exploitation. Once an attacker is on a network, their goal is to explore the network and escalate privileges. This process begins by stealing the infected machines cached credentials, allowing them to authenticate with neighboring machines, and continues until they obtain domain admin privileges. This attack process is modeled in two ways — (1) black-box, where the attacker has no prior information on the network (i.e., normal pattern of authentications); and (2) gray-box, where the attacker has prior information on the network layout, possibly through prior reconnaissance or inside help.
  3. Exfiltration of Data. After the adversary has obtained a domain admin credential, they’re able to connect to any networked machine, freely exploring the network until they reach the domain controller. Upon accessing the domain controller, the attacker gains full control over the network. At this point the adversary can sweep the network for valuable information and exfiltrate with impunity. We leave modeling this aspect of the kill chain to future work.

Quantifying Network Vulnerability to Lateral Attack

Equation 1. Vulnerability score L(G) is a real number between 0 and 1, where a higher value indicates a more vulnerable network for a given network topology G.

Want to read more?




PhD student @ Georgia Tech. I work at the intersection of applied and theoretical machine learning.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Fingerprint Sensor: slight increase in 2020

JWT Key Confusion Attack: Part2

How to verify twitter on

GemUni’s Efforts on Decentralization Security

Retiring the Green Padlock

Privacy Awareness Week 2022: Data Protection as the foundation of trust — Privacy Ninja

{UPDATE} Bad Neighbours Escape Hack Free Resources Generator

The (not so) secret knowledge of hackers

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Scott Freitas

Scott Freitas

PhD student @ Georgia Tech. I work at the intersection of applied and theoretical machine learning.

More from Medium

Binary Vulnerability Analysis

Learning Packet Analysis — II

Training AI to Act as an Adaptive IDS

Understanding Cyber Vulnerability Disclosure for Machine Learning