Hopper: Modeling and Detecting Lateral Movement (Extended Report)

In successful enterprise attacks, adversaries often need to gain access to additional machines beyond their initial point of compromise, a set of internal movements known as lateral movement. We present Hopper, a system for detecting lateral movement based on commonly available enterprise logs. Hopper constructs a graph of login activity among internal machines and then identifies suspicious sequences of logins that correspond to lateral movement. To understand the larger context of each login, Hopper employs an inference algorithm to identify the broader path(s) of movement that each login belongs to and the causal user responsible for performing a path’s logins. Hopper then leverages this path inference algorithm, in conjunction with a set of detection rules and a new anomaly scoring algorithm, to surface the login paths most likely to reflect lateral movement. On a 15-month enterprise dataset consisting of over 780 million internal logins, Hopper achieves a 94.5% detection rate across over 300 realistic attack scenarios, including one red team attack, while generating an average of < 9 alerts per day. In contrast, to detect the same number of attacks, prior state-of-the-art systems would need to generate nearly 8× as many false positives.
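The following added example (not code from the Hopper paper or its authors) sketches the login-graph and path-inference idea described above over a few constructed login records: logins are chained into paths when one login leaves the machine that a slightly earlier login entered, the first login's account is treated as the causal user, and paths are flagged when a later hop uses a different credential than the causal user. The time window, the credential-switch rule and all machine and account names are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Login:
    t: int      # event time in seconds (constructed values)
    src: str    # machine the login originated from
    dst: str    # machine logged into
    user: str   # credential used for the login

def extends(prev, nxt, window):
    """nxt continues a path ending in prev if it leaves prev's destination soon after prev."""
    return nxt.src == prev.dst and prev.t < nxt.t <= prev.t + window

def infer_paths(logins, window=3600):
    """Return all maximal login paths; path[0].user is taken as the causal user."""
    out = defaultdict(list)          # src machine -> logins leaving it, by time
    for l in sorted(logins, key=lambda l: l.t):
        out[l.src].append(l)
    # A root is a login that no earlier login (within the window) could have led to.
    roots = [l for l in logins if not any(extends(p, l, window) for p in logins)]
    paths = []

    def walk(path):
        nexts = [n for n in out[path[-1].dst] if extends(path[-1], n, window)]
        if not nexts:
            paths.append(path)
        for n in nexts:
            walk(path + [n])

    for r in roots:
        walk([r])
    return paths

def credential_switch_paths(paths):
    """Illustrative detection rule (an assumption here, not Hopper's published rule set):
    flag a path whose later hops use a credential other than the causal user's."""
    return [p for p in paths if any(l.user != p[0].user for l in p[1:])]

# Constructed sample: alice hops laptop1 -> server1, then server1 -> dc1 as "admin".
SAMPLE_LOGINS = [
    Login(100, "laptop1", "server1", "alice"),
    Login(150, "laptop2", "server3", "bob"),
    Login(200, "server1", "server2", "alice"),
    Login(300, "server1", "dc1", "admin"),
    Login(500, "laptop3", "server2", "carol"),
]

if __name__ == "__main__":
    print(credential_switch_paths(infer_paths(SAMPLE_LOGINS)))
```

On the sample, four paths are inferred and only the alice -> admin chain into dc1 is flagged; the benign alice -> alice hop to server2 passes.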
