The fast-evolving nature and growing complexity of the offensive techniques used in Advanced Persistent Threat (APT) attacks call for innovative defensive approaches. Common network monitoring solutions fail against attacks that remain silent and quietly control the network for long periods of time. Detecting such attacks requires the deployment of security functionality able to recognize so-called lateral movements, which attackers exploit to spread the infection inside the network. A distributed monitoring infrastructure that exploits innovative detection approaches overcomes the limitations of a single monitoring point and successfully detects the complex behavior of lateral movements. In this paper we demonstrate how to effectively use eXtended Finite State Machine (XFSM) patterns to counter a set of commonly used lateral movement techniques, including ones based on IP spoofing.
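To make the idea of an XFSM detection pattern concrete, the following added example (written for this page, not code from the paper or its authors) runs one small XFSM per host over flow records merged from several probes; its states, registers, service ports, time window and the three-hop "touched host starts touching others" pattern are all assumptions for illustration, not the patterns the paper defines.

```python
# Added illustration: a minimal eXtended Finite State Machine (XFSM) that
# tracks, per host, a hypothetical lateral-movement pattern over flow records.
# The pattern, ports and window are assumptions for this example only.
from dataclasses import dataclass, field

ADMIN_PORTS = {445, 3389, 5985}   # assumed remote-admin service ports
WINDOW = 600                      # seconds a host stays TOUCHED (assumed)

@dataclass
class HostXFSM:
    state: str = "IDLE"
    regs: dict = field(default_factory=dict)   # XFSM registers (context)

    def step(self, ev):
        """One transition: guard on (state, event, registers) -> action."""
        host, t = self.regs["host"], ev["t"]
        if self.state == "IDLE" and ev["dst"] == host and ev["dport"] in ADMIN_PORTS:
            # inbound admin session: remember who touched us and when
            self.state, self.regs["src"], self.regs["t0"] = "TOUCHED", ev["src"], t
        elif self.state == "TOUCHED":
            if t - self.regs["t0"] > WINDOW:          # timeout: forget and re-evaluate
                self.state, self.regs = "IDLE", {"host": host}
                return self.step(ev)
            if (ev["src"] == host and ev["dport"] in ADMIN_PORTS
                    and ev["dst"] != self.regs["src"]):  # touched host touches a new host
                self.state = "SPREADING"
                return {"chain": (self.regs["src"], host, ev["dst"]), "t": t}
        return None

def detect_chains(events):
    """Merge probe records by timestamp and feed each to both endpoints' XFSMs."""
    machines, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["t"]):
        for h in (ev["src"], ev["dst"]):
            hit = machines.setdefault(h, HostXFSM(regs={"host": h})).step(ev)
            if hit:
                alerts.append(hit)
    return alerts

# Constructed sample flow records, as if exported by two different probes
SAMPLE = [
    {"t": 0,   "src": "10.0.1.5", "dst": "10.0.2.7", "dport": 445},   # A -> B
    {"t": 120, "src": "10.0.2.7", "dst": "10.0.3.9", "dport": 445},   # B -> C: chain
    {"t": 130, "src": "10.0.3.9", "dst": "10.0.2.7", "dport": 445},   # C -> B: not new
    {"t": 900, "src": "10.0.3.9", "dst": "10.0.4.1", "dport": 3389},  # C -> D: expired
]

if __name__ == "__main__":
    for a in detect_chains(SAMPLE):
        print("lateral movement chain %s at t=%d" % (" -> ".join(a["chain"]), a["t"]))
```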