Lateral movement detection
Because indications of a cyber attack are not limited to traffic originating from external hosts, security teams require tools that can monitor internal network activity for potential threats, such as lateral movement.
Plixer One Enterprise employs multiple detection techniques to alert on behavior that may indicate lateral movement through the monitored network by malicious actors.
Overview
Through Scrutinizer, Plixer One Enterprise combines deep network observability with multiple approaches to lateral movement detection to deliver meaningful alerts that enhance both proactive and reactive workflows.
As it continuously monitors and collects flow data from its environment, Scrutinizer uses the Alarm Monitor view to alert users to activity that matches potentially problematic or malicious patterns, including those associated with lateral movement techniques. The Alarm Monitor, Network Maps and Dashboards views allow users to pivot to reports and launch deeper investigations into typical indicators of lateral movement.
Hint: The Monitor > Alarm Monitor > ATT&CK tab classifies alarms using the MITRE ATT&CK framework and can be used to quickly filter for alerts related to lateral movement.
The following alarm policies provide alerts specifically for potential lateral movement, each based on a different detection approach and set of criteria:
Lateral Movement
Lateral Movement alarms are flow analytics detections that are triggered by traffic/activity that is indicative of techniques used to exploit remote services. Events under this alarm policy report the following details for the detection:
Exporters/devices
Violating hosts
Target hosts
Lateral Movement Attempt
Lateral Movement Attempt alarms are flow analytics detections that are triggered by traffic/activity that is indicative of a worm attack on a specific port on a target host. Events under this alarm policy report the following details for the detection:
Type of worm
Destination/target port
Violating hosts
Target hosts
Lateral Movement Behavior
Lateral Movement Behavior alarms are machine learning detections that are triggered when the behavior of a monitored host deviates from baseline activity patterns in a way that is indicative of lateral movement. Events under this alarm policy report hosts that are communicating with an unusually large number of machines (based on behavior learned by the ML Engine) as violators.
Note: The threshold at which irregular traffic/behavior associated with a host is reported as a detection can be adjusted by changing the sensitivity for the ML inclusion/source it belongs to.
Because the Lateral Movement FA algorithm references existing lateral movement attempts for its detections, its scope can be customized by specifying traffic coverage (external to internal, internal to external, or internal to internal) for the Lateral Movement Attempt algorithm. E.g., if internal-to-internal traffic is disabled for the Lateral Movement Attempt algorithm, there will be no detections for internal-to-internal traffic under the Lateral Movement algorithm.
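The three policies above differ in what they look for: a fixed signature (many targets on one destination port, scoped by traffic direction) versus a per-host baseline with an adjustable sensitivity. The following added example, which is not Plixer's code and does not reproduce Scrutinizer's FA or ML algorithms, shows both signals computed over a handful of constructed flow records. The internal address ranges, the flow tuples, and the `min_targets` and `sensitivity` parameters are all assumptions chosen for illustration.

```python
"""Two simplified lateral-movement heuristics over constructed flow records.

Added example, not Plixer's or Scrutinizer's code. It illustrates the kinds of
signal the documentation describes: port fan-out filtered by traffic coverage
(Lateral Movement Attempt style) and deviation from a learned per-host
baseline with a sensitivity knob (Lateral Movement Behavior style).
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed internal address ranges (hypothetical; set these for your own network).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(src: str, dst: str) -> str:
    """Classify a flow into the coverage categories the page lists."""
    s, d = is_internal(src), is_internal(dst)
    if s and d:
        return "internal_to_internal"
    if s:
        return "internal_to_external"
    if d:
        return "external_to_internal"
    return "external_to_external"


def port_fanout_attempts(flows, coverage, min_targets=5):
    """Attempt-style signal: one source reaching many distinct targets on the
    same destination port. Only flows whose direction is in `coverage` count,
    so disabling a direction here removes those detections entirely.
    Returns {(src, port): sorted list of target hosts}."""
    targets = defaultdict(set)
    for src, dst, port in flows:
        if direction(src, dst) in coverage:
            targets[(src, port)].add(dst)
    return {key: sorted(t) for key, t in targets.items() if len(t) >= min_targets}


def distinct_peers(flows):
    """Number of distinct destination hosts each source talked to in this window."""
    peers = defaultdict(set)
    for src, dst, _port in flows:
        peers[src].add(dst)
    return {src: len(p) for src, p in peers.items()}


def behavior_deviations(baseline, current, sensitivity=3.0):
    """Behavior-style signal: flag hosts whose distinct-peer count in the
    current window exceeds mean + sensitivity * stdev of their learned history.
    A smaller `sensitivity` reports smaller deviations. The stdev is floored
    at 1.0 so a perfectly flat baseline does not alert on every change."""
    hits = {}
    for host, history in baseline.items():
        mu, sigma = mean(history), pstdev(history)
        observed = current.get(host, 0)
        if observed > mu + sensitivity * max(sigma, 1.0):
            hits[host] = observed
    return hits


# Constructed sample flows: (source, destination, destination port).
# 10.0.0.5 touches eleven internal hosts on port 445 in one window; the rest
# is ordinary traffic. These are made-up records, not captured data.
FLOWS = [("10.0.0.5", f"10.0.0.{i}", 445) for i in range(10, 21)] + [
    ("10.0.0.7", "10.0.0.50", 443),
    ("10.0.0.7", "203.0.113.9", 443),
    ("198.51.100.4", "10.0.0.50", 22),
]

# Constructed per-host history of distinct-peer counts from earlier windows.
BASELINE = {"10.0.0.5": [3, 4, 3, 5, 4], "10.0.0.7": [1, 1, 2, 1, 1]}


if __name__ == "__main__":
    print(port_fanout_attempts(FLOWS, {"internal_to_internal"}))
    print(port_fanout_attempts(FLOWS, {"external_to_internal"}))  # scope removed -> {}
    now = distinct_peers(FLOWS)
    print(behavior_deviations(BASELINE, now, sensitivity=3.0))
    print(behavior_deviations(BASELINE, now, sensitivity=0.5))
```

Running the module shows the two knobs from the documentation in action: restricting coverage to `external_to_internal` drops the port fan-out detection for the internal-only scan, and lowering the sensitivity from 3.0 to 0.5 adds the marginal host 10.0.0.7 to the behavior hits alongside 10.0.0.5.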
Workflows
The following workflows show how lateral movement detections in Scrutinizer can be used to investigate and respond to potential threats:
Investigating lateral movement alerts
Scrutinizer uses multiple lateral movement detection techniques, each of which corresponds to a separate alarm policy. This provides security teams with additional context on which to base their response strategies.
Workflow
After receiving a lateral movement alert either in Scrutinizer itself or via external SIEM, investigate the event:
Navigate to Monitor > Alarm Monitor in the web interface and search for Lateral Movement (FA), Lateral Movement Attempt (FA), or Lateral Movement Behavior (ML) violations.
Click on an alarm policy to open the summary view and review the activity timeline and hosts involved.
Drill into an event artifact to view a summary of details for a violation associated with a specific host.
To further investigate the activity of the host, click on the icon next to its IP address or hostname, and select an automatically filtered report to run.
Hint: For additional context and/or details related to how and why the host was compromised, review all alarms leading up to the lateral movement violation.
Uncovering data exfiltration
While proactively reviewing outbound traffic, the security team discovers activity that indicates a potential attempt to exfiltrate data.
Workflow
After discovering unusually high outbound utilization in the Explore > Exporters > By Interface view, run a report to redefine the scope of traffic that needs to be reviewed (e.g., Destination Countries with AS):
Run a new report for the exporters/devices exhibiting suspicious behavior, and select Countries with AS (under the Destination Reports category) as the report type. This will output a list of autonomous systems, along with the countries each one is associated with.
Note: Class A, B, and C addresses are always classified as Uncategorized and will often include internal network addresses. In this scenario, these are likely associated with responses to internal destinations through outbound interfaces.
Limit the scope of the report by dragging rows associated with expected traffic to the Exclude drop zone to the left and clicking Apply in the Filters tray.
After the report has been re-run with the additional exclusions, review the list for traffic bound for unusual destinations.
Once a more manageable subset of data (e.g., countries your organization does not transact with) has been achieved, refine the report to gain more insight:
“Zoom out” to look for activity patterns by changing the time frame covered by the report.
Inspect activity associated with the host, country, or autonomous system by clicking on it and pivoting to a different report type from the tray.
Leverage additional tools (under the Other Options category in the tray) to obtain additional information.
For further investigation, continue to modify the settings of the report to gain visibility into hosts, traffic, etc. that remain suspicious.