Lateral movement detection

Because indications of a cyber attack are not limited to traffic originating from external hosts, security teams require tools that can monitor internal network activity for potential threats, such as lateral movement.

Plixer One Enterprise employs multiple detection techniques to alert on behavior that may indicate lateral movement by malicious actors through the monitored network.

Overview

Through Plixer Scrutinizer, Plixer One Enterprise combines deep network observability with multiple approaches to lateral movement detection to deliver meaningful alerts that enhance both proactive and reactive workflows.

As it continuously monitors and collects flow data from its environment, Plixer Scrutinizer uses the Alarm Monitor view to alert users to activity that matches potentially problematic or malicious patterns, including those associated with lateral movement techniques. The Alarm Monitor, Network Maps and Dashboards views allow users to pivot to reports and launch deeper investigations into typical indicators of lateral movement.

Hint

The Monitor > Alarm Monitor > ATT&CK tab classifies alarms using the MITRE ATT&CK framework and can be used to quickly filter for alerts related to lateral movement.

The following alarm policies provide alerts specifically for potential lateral movement, each based on a different detection approach or set of criteria:

Lateral Movement

Lateral Movement alarms are flow analytics detections that are triggered by traffic/activity that is indicative of techniques used to exploit remote services. Events under this alarm policy report the following details for the detection:

  • Exporters/devices

  • Violating hosts

  • Target hosts

Lateral Movement Attempt

Lateral Movement Attempt alarms are flow analytics detections that are triggered by traffic/activity that is indicative of a worm attack on a specific port on a target host. Events under this alarm policy report the following details for the detection:

  • Type of worm

  • Destination/target port

  • Violating hosts

  • Target hosts

Lateral Movement Behavior

Lateral Movement Behavior alarms are machine learning detections that are triggered when the behavior of a monitored host deviates from baseline activity patterns in a way that is indicative of lateral movement. Events under this alarm policy report hosts that are communicating with an unusually large number of machines (based on behavior learned by the Plixer ML Engine) as violators.

Note

  • The threshold at which irregular traffic/behavior associated with a host is reported as a detection can be adjusted by changing the sensitivity for the ML inclusion/source it belongs to.

  • Because the Lateral Movement FA algorithm references existing lateral movement attempts for its detections, its scope can be customized by specifying traffic coverage (external to internal, internal to external, or internal to internal) for the Lateral Movement Attempt algorithm. E.g., if internal-to-internal traffic is disabled for the Lateral Movement Attempt algorithm, there will be no detections for internal-to-internal traffic under the Lateral Movement algorithm.
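To illustrate the two detection approaches described above (a single violator reaching many targets on one port, and a host whose fan-out exceeds its learned baseline) together with the traffic coverage filter from the Note, here is an added, self-contained Python example over constructed flow records. It is not Plixer's own algorithm or code: the internal address ranges, the minimum target count, the baseline values and the use of "sensitivity" as a deviation factor are all assumptions for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records (src, dst, dst_port); not real traffic.
# 10.0.0.5 fans out to 20 internal hosts on port 445; the others are normal.
FLOWS = [("10.0.0.5", f"10.0.0.{i}", 445) for i in range(10, 30)] + [
    ("10.0.0.7", "10.0.0.8", 443),
    ("10.0.0.7", "203.0.113.9", 443),
    ("10.0.0.9", "10.0.0.8", 22),
]

# Assumed internal ranges (RFC 1918); a real deployment would use its own.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)

def coverage(src, dst):
    """Classify a flow by direction, mirroring the coverage options in the Note."""
    s, d = is_internal(src), is_internal(dst)
    if s and d:
        return "internal_to_internal"
    if s:
        return "internal_to_external"
    if d:
        return "external_to_internal"
    return "external_to_external"

def lateral_movement_attempts(flows, enabled, min_targets=10):
    """Attempt-style detection: one source contacting many distinct target
    hosts on a single destination port, restricted to the enabled coverage.
    Returns {(violator, port): [target hosts]}."""
    targets = defaultdict(set)
    for src, dst, port in flows:
        if coverage(src, dst) in enabled:
            targets[(src, port)].add(dst)
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_targets}

def behavior_deviations(flows, baseline, sensitivity=2.0):
    """Behavior-style detection: hosts whose distinct-peer count exceeds their
    learned baseline by a factor (assumed meaning of "sensitivity" here).
    Returns {violator: observed peer count}."""
    peers = defaultdict(set)
    for src, dst, _ in flows:
        peers[src].add(dst)
    return {h: len(p) for h, p in peers.items()
            if len(p) > baseline.get(h, 1) * sensitivity}
```

Disabling internal-to-internal coverage removes the 10.0.0.5 attempt detection entirely, which is the dependency the Note describes; raising the deviation factor likewise suppresses the behavior detection.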

Workflows

The following workflows show how lateral movement detections in Plixer Scrutinizer can be used to investigate and respond to potential threats: