How to defend enterprise networks against lateral attacks?

Figure 1. Lateral attack on network. Steps: 1. Network is penetrated; 2-4. Attacker explores the network and escalates privileges; 5. Attacker compromises the domain controller, gaining control of the network.

Lateral Attack Catch-22

Despite their prevalence, observing and analyzing lateral attacks is challenging for multiple reasons: (1) lateral attacks are still relatively sparse compared to unsuccessful attacks; (2) attack ground truth is hard to ascertain and is generally only partially uncovered through investigation; (3) incident reports are frequently withheld from the public for security and privacy reasons; and (4) because the adversary already holds a valid credential for the network (e.g., gained through phishing), they can operate as a legitimate user.

What can we do about it?

Working with researchers at Georgia Tech’s Polo Club of Data Science and Microsoft’s Advanced Threat Protection team, we developed D²M, the first framework that systematically quantifies network vulnerability to lateral attack and identifies at-risk devices.

  1. Lateral Attack Modeling. We develop 3 attack strategies by engaging researchers, engineers and threat hunters in Microsoft’s Advanced Threat Protection group, whose expertise lies in tracking down adversaries in a post-breach environment (once the adversary is on the network). Each strategy integrates real-world adversarial actions (e.g., privilege escalation), generating attack paths consisting of a series of compromised machines (Figure 2.2).
  2. Network Vulnerability Analysis. We formulate a novel Monte-Carlo method for lateral attack vulnerability as a probabilistic function of the network topology, distribution of access credentials and initial penetration point (Figure 2.3). This helps empower IT admins to develop robust user access credential policies and enables security researchers to study the vulnerability of a network to lateral attack.
  3. Network Defense by Identifying At-risk Machines. To identify machines at risk of lateral attack, we propose a suite of five fast graph mining techniques, including a novel technique called AnomalyShield, which prioritizes machines with anomalous neighbors and high eigencentrality.

Figure 2. D²M framework: 1. Builds an authentication graph from device authentication history; 2. Allows security analysts to test different attack strategies to study network vulnerability; and 3. Identifies at-risk machines to monitor, preempting lateral attacks.

Integrating Domain Knowledge

In order to model lateral attacks, we must first convert the authentication history of network devices into an authentication graph, where directed edges represent machine-to-machine authentications (i.e., logons) in an organization. To enhance the graph model with realistic security and attack practices, we integrate the following three components into our framework:

Modeling Lateral Attacks

An enterprise attack typically follows a kill chain, which can be distilled into three phases — (1) penetration of the network; (2) exploration of the network and escalation of privileges; and (3) exfiltration of data back to the command and control server. We model each of these three phases as follows:

  1. Network Penetration typically happens through phishing campaigns targeting organization employees or incidental exposure from employees downloading malware on high-risk websites. We model this penetration process by assuming that most compromised employees (machines) have the lowest credential level (“user”) and let the attacker randomly start on any of these machines.
  2. Exploration & Exploitation. Once an attacker is on a network, their goal is to explore the network and escalate privileges. This process begins by stealing the infected machine’s cached credentials, allowing them to authenticate with neighboring machines, and continues until they obtain domain admin privileges. This attack process is modeled in two ways — (1) black-box, where the attacker has no prior information on the network (i.e., the normal pattern of authentications); and (2) gray-box, where the attacker has prior information on the network layout, possibly through prior reconnaissance or inside help.
  3. Exfiltration of Data. After the adversary has obtained a domain admin credential, they’re able to connect to any networked machine, freely exploring the network until they reach the domain controller. Upon accessing the domain controller, the attacker gains full control over the network. At this point the adversary can sweep the network for valuable information and exfiltrate with impunity. We leave modeling this aspect of the kill chain to future work.

Quantifying Network Vulnerability to Lateral Attack

To make data-driven decisions regarding IT policy in an enterprise network, it is important to quantify the risk a network faces from lateral movement. Unfortunately, directly measuring this risk is difficult, as it involves complex interactions of many unknown variables. To simplify these interactions, we propose to quantify network vulnerability to lateral attack (L) as a function of three random variables — (1) network topology (G), (2) distribution of access credentials (d), and (3) initial point of penetration in the network (v).

Equation 1. Vulnerability score L(G) is a real number between 0 and 1, where a higher value indicates a more vulnerable network for a given network topology G.
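As an added illustration (not code from the D²M paper or its authors), the following Python script builds an authentication graph from constructed logon edges, runs the black-box attack model described above, and estimates L(G) by Monte-Carlo sampling of the penetration point v, comparing two credential distributions d. The machine names, the three credential levels, the logon rule (a machine can be logged on to when the best credential stolen so far meets its required level) and the sample network are all assumptions of the example.

```python
import random

# Constructed example network (not from the D2M paper): directed edge (u, w)
# means u has authenticated (logged on) to w in the logon history.
AUTH_EDGES = [("ws1", "srv1"), ("ws2", "srv1"), ("ws3", "srv2"),
              ("srv1", "jump"), ("jump", "dc"), ("srv2", "ws3")]
DC = "dc"                              # domain controller
ENTRY_POINTS = ("ws1", "ws2", "ws3")   # employee workstations (user level)
USER, ADMIN, DOMAIN_ADMIN = 0, 1, 2    # assumed ordering of credential levels
# Credential distribution d (constructed): level needed to log on to each
# machine, and level of the credential left cached on it.
REQUIRED = {"ws1": USER, "ws2": USER, "ws3": USER, "srv1": USER,
            "srv2": USER, "jump": ADMIN, "dc": DOMAIN_ADMIN}
CACHED_WEAK = {"ws1": USER, "ws2": USER, "ws3": USER, "srv1": ADMIN,
               "srv2": USER, "jump": DOMAIN_ADMIN, "dc": DOMAIN_ADMIN}
# Hardened policy: admins no longer leave an admin credential cached on srv1.
CACHED_HARDENED = dict(CACHED_WEAK, srv1=USER)

def build_graph(edges):
    """Authentication graph as adjacency sets; every machine gets a node."""
    graph = {}
    for u, w in edges:
        graph.setdefault(u, set()).add(w)
        graph.setdefault(w, set())
    return graph

def black_box_attack(graph, required, cached, start):
    """Black-box model: attacker explores outward from `start` with no map,
    stealing each compromised machine's cached credential. Assumed logon rule:
    w is reachable if the best credential stolen so far >= required[w]."""
    level = cached[start]
    owned, frontier = {start}, [start]
    while frontier:
        u = frontier.pop()
        for w in graph[u]:
            if w not in owned and level >= required[w]:
                owned.add(w)
                level = max(level, cached[w])
                frontier.append(w)
                if level == DOMAIN_ADMIN:
                    return True    # domain admin can log on anywhere, DC included
    return DC in owned

def vulnerability(graph, required, cached, trials=2000, seed=1):
    """Monte-Carlo estimate of L(G): share of random entry points from which
    the attacker reaches the domain controller (0 = safe, 1 = fully exposed)."""
    rng = random.Random(seed)
    hits = sum(black_box_attack(graph, required, cached, rng.choice(ENTRY_POINTS))
               for _ in range(trials))
    return hits / trials
```

Running `vulnerability(build_graph(AUTH_EDGES), REQUIRED, CACHED_WEAK)` against the same call with `CACHED_HARDENED` shows how a single credential-hygiene change (no admin credential cached on a file server) moves L(G) from roughly 2/3 to 0 on this sample network.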

Want to read more?

For all of the nitty-gritty details of D²M, we released our paper on arXiv.

Scott Freitas

PhD student @ Georgia Tech. I work at the intersection of applied and theoretical machine learning.