Lateral movement detection

Because indications of a cyber attack are not limited to traffic originating from external hosts, security teams require tools that can monitor internal network activity for potential threats, such as lateral movement.

Plixer One Enterprise employs multiple detection techniques to alert users to behavior that may indicate malicious actors moving laterally through the network.

Overview

Through Plixer Scrutinizer, Plixer One Enterprise combines deep network observability with multiple approaches to lateral movement detection to deliver meaningful alerts that enhance both proactive and reactive workflows.

As it continuously monitors and collects flow data from the monitored environment, Plixer Scrutinizer uses the Alarm Monitor view to alert users to activity that matches potentially problematic or malicious patterns, including those associated with lateral movement techniques. The Alarm Monitor, Network Maps and Dashboards views allow users to pivot to Reports and launch deeper investigations into typical indicators of lateral movement.

Hint

The Monitor > Alarm Monitor > ATT&CK tab classifies Alarms using the MITRE ATT&CK framework and can be used to quickly filter for alerts related to lateral movement.

The following Alarm Policies provide alerts specifically for potential lateral movement, each based on a different detection approach and set of criteria:

Lateral Movement

Lateral Movement Alarms are Flow Analytics detections that are triggered by traffic/activity that is indicative of techniques used to exploit remote services. Events under this Alarm Policy report the following details for the detection:

  • Exporters/devices

  • Violating hosts

  • Target hosts

Lateral Movement Attempt

Lateral Movement Attempt Alarms are Flow Analytics detections that are triggered by traffic/activity that is indicative of a worm attack on a specific port on a target host. Events under this Alarm Policy report the following details for the detection:

  • Type of worm

  • Destination/target port

  • Violating hosts

  • Target hosts

Lateral Movement Behavior

Lateral Movement Behavior Alarms are machine learning detections that are triggered when the behavior of a monitored host deviates from baseline activity patterns in a way that is indicative of lateral movement. Events under this Alarm Policy report hosts that are communicating with an unusually large number of machines (based on behavior learned by the Plixer ML Engine) as violators.

Hint

The threshold at which irregular traffic/behavior associated with a host is reported as a detection can be adjusted by changing the sensitivity for the ML Inclusion it belongs to.
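The following is an added illustration of the fan-out check that Lateral Movement Behavior detections describe: a per-host baseline of distinct peers is learned over several windows, and a host is reported as a violator when its peer count deviates from that baseline beyond an adjustable multiplier. It is not the Plixer ML Engine's code or model; the flow records, hosts and window boundaries are constructed, and the function and parameter names are assumptions for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

def peer_fanout(flows):
    """Distinct destination hosts contacted by each source host in one window."""
    peers = defaultdict(set)
    for src, dst in flows:
        peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items()}

def learn_baseline(windows):
    """Per-host mean and standard deviation of fan-out over the learning windows."""
    history = defaultdict(list)
    for flows in windows:
        for src, count in peer_fanout(flows).items():
            history[src].append(count)
    return {src: (mean(c), pstdev(c)) for src, c in history.items()}

def detect_lateral_movement_behavior(baseline, flows, deviation_multiplier=3.0, min_peers=5):
    """Hosts whose distinct-peer count exceeds mean + deviation_multiplier * stdev
    (stdev floored at 1 so a perfectly steady host is not flagged by one extra peer)
    and also exceeds min_peers. Lowering deviation_multiplier makes the check more
    sensitive, the role the ML Inclusion sensitivity setting plays in the product."""
    violators = []
    for src, count in peer_fanout(flows).items():
        if src not in baseline:
            continue  # no learned behavior for this host yet; not scored here
        avg, sd = baseline[src]
        threshold = max(avg + deviation_multiplier * max(sd, 1.0), min_peers)
        if count > threshold:
            violators.append((src, count, round(threshold, 1)))
    return violators

def _window(pairs):
    """Constructed (src, dst) flow pairs: each src contacts n hosts in 10.0.1.0/24."""
    return [(src, f"10.0.1.{i}") for src, n in pairs for i in range(1, n + 1)]

# Constructed sample: a workstation (10.0.0.5) normally reaching 2-3 servers and
# a monitoring host (10.0.0.9) normally polling about 40, over six learning windows.
LEARNING_WINDOWS = [_window([("10.0.0.5", w), ("10.0.0.9", s)])
                    for w, s in [(2, 40), (3, 41), (2, 39), (3, 40), (2, 42), (3, 38)]]
# Window under evaluation: the workstation suddenly touches 30 hosts.
EVAL_WINDOW = _window([("10.0.0.5", 30), ("10.0.0.9", 42)])

if __name__ == "__main__":
    for src, count, threshold in detect_lateral_movement_behavior(learn_baseline(LEARNING_WINDOWS), EVAL_WINDOW):
        print(f"violator {src}: {count} distinct peers (threshold {threshold})")
```

With the default multiplier only the workstation is reported; lowering it to 1.0 also flags the monitoring host's small rise from its baseline, which is the trade-off the sensitivity setting exposes.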

Workflows

The following workflows show how lateral movement detections in Plixer Scrutinizer can be used to investigate and respond to potential threats: