Hopper: Modeling and Detecting Lateral Movement (Extended Report)

05/27/2021
by   Grant Ho, et al.
0

In successful enterprise attacks, adversaries often need to gain access to additional machines beyond their initial point of compromise, a set of internal movements known as lateral movement. We present Hopper, a system for detecting lateral movement based on commonly available enterprise logs. Hopper constructs a graph of login activity among internal machines and then identifies suspicious sequences of loginsthat correspond to lateral movement. To understand the larger context of each login, Hopper employs an inference algorithm to identify the broader path(s) of movement that each login belongs to and the causal user responsible for performing a path's logins. Hopper then leverages this path inference algorithm, in conjunction with a set of detection rules and a new anomaly scoring algorithm, to surface the login paths most likely to reflect lateral movement. On a 15-month enterprise dataset consisting of over 780 million internal logins, Hop-per achieves a 94.5 across over 300 realistic attack scenarios, including one red team attack, while generating an average of <9 alerts per day. In contrast, to detect the same number of attacks, prior state-of-the-art systems would need to generate nearly 8x as many false positives.

READ FULL TEXT

Authors

page 1

page 2

page 3

page 4

05/03/2019

Enterprise Cyber Resiliency Against Lateral Movement: A Graph Theoretic Approach

Lateral movement attacks are a serious threat to enterprise security. In...
09/19/2019

Detecting malicious logins as graph anomalies

Authenticated lateral movement via compromised accounts is a common adve...
10/02/2019

Detecting and Characterizing Lateral Phishing at Scale

We present the first large-scale characterization of lateral phishing at...
06/10/2020

Affective Movement Generation using Laban Effort and Shape and Hidden Markov Models

Body movements are an important communication medium through which affec...
01/06/2018

SLEUTH: Real-time Attack Scenario Reconstruction from COTS Audit Data

We present an approach and system for real-time reconstruction of attack...
03/26/2021

Multi-Stage Attack Detection via Kill Chain State Machines

Today, human security analysts collapse under the sheer volume of alerts...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.