A Graph-Based Impact Metric for Mitigating Lateral Movement Cyber Attacks

Most network intrusions begin with an adversary gaining a foothold on a single host and proceed by lateral movement until the adversary's goal is reached. The mechanism by which lateral movement occurs varies, but the basic signature, hopping from host to host by exploiting vulnerabilities, is the same. Because of the nature of the vulnerabilities typically exploited, lateral movement is very difficult to detect and defend against. In this paper we define a dynamic reachability graph model of the network that discovers the paths an adversary could take using different vulnerabilities and how those paths evolve over time. From this reachability graph we derive dynamic machine-level and network-level impact scores. We also discuss lateral movement mitigation strategies that make use of these impact scores, and we work through an example using a freely available data set.
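The following Python sketch is an added illustration of the idea in the abstract, not code from the paper. It builds a time-respecting reachability graph from a few constructed authentication events (time, source computer, destination computer), computes the set of hosts an adversary holding a given foothold at a given time could reach inside a time window, and from that derives a machine-level and a network-level impact score. The score definitions (reachable-host count, and its sum over all hosts), the event format, the window semantics and the "harden one host by cutting its outbound edges" mitigation are all assumptions made for the example; the paper's own definitions are not reproduced on this page.

```python
"""Toy time-respecting reachability graph with assumed impact scores.

Added example; not the paper's code. Score definitions are assumptions.
"""

# Constructed authentication events, loosely modelled on a user/computer
# authentication log: (time, source computer, destination computer).
# Each event is treated as a possible lateral-movement edge: a credential
# valid on src was used to log on to dst at time t.
EVENTS = [
    (1, "C1", "C2"),
    (2, "C2", "C3"),
    (3, "C3", "C4"),
    (3, "C1", "C5"),
    (5, "C4", "C1"),
    (6, "C5", "C6"),
    (8, "C6", "C7"),
    (9, "C2", "C8"),
]


def hosts(events):
    """All computers appearing as source or destination."""
    return sorted({h for _, s, d in events for h in (s, d)})


def reachable_from(foothold, start, window, events, blocked=frozenset()):
    """Earliest-compromise sweep over the temporal graph.

    Returns {host: earliest time it is reachable} for an adversary who
    holds `foothold` at `start`, following events in non-decreasing time
    order within [start, start + window]. A path is only valid if the
    source was already compromised when the edge occurred (time-respecting
    path). Events whose source is in `blocked` are ignored, which models
    hardening that host so its credentials can no longer be used outbound.
    """
    compromised = {foothold: start}
    for t, src, dst in sorted(events):  # sorted by time, then src, then dst
        if t < start or t > start + window or src in blocked:
            continue
        if src in compromised and compromised[src] <= t and dst not in compromised:
            compromised[dst] = t
    return compromised


def machine_impact(host, start, window, events, blocked=frozenset()):
    """Assumed machine-level score: number of other hosts reachable from `host`."""
    return len(reachable_from(host, start, window, events, blocked)) - 1


def network_impact(start, window, events, blocked=frozenset()):
    """Assumed network-level score: sum of machine-level scores over all hosts."""
    return sum(machine_impact(h, start, window, events, blocked) for h in hosts(events))


def best_host_to_harden(start, window, events):
    """Greedy mitigation (assumed): cut the outbound edges of the single host
    whose removal most reduces the network-level score. Ties break by name.
    Returns (host, score before, score after)."""
    base = network_impact(start, window, events)
    best = min(hosts(events),
               key=lambda h: (network_impact(start, window, events, {h}), h))
    return best, base, network_impact(start, window, events, {best})


if __name__ == "__main__":
    for h in hosts(EVENTS):
        print(h, "impact at t=1:", machine_impact(h, 1, 10, EVENTS),
              "impact at t=4:", machine_impact(h, 4, 10, EVENTS))
    print("harden:", best_host_to_harden(1, 10, EVENTS))
```

Running it shows the dynamic aspect the abstract refers to: from the foothold C1 at time 1 every host is reachable, but the same foothold at time 4 reaches nothing, because the edges out of C1 have already passed; C5, by contrast, keeps its score. Hardening C1 (or C2) roughly halves the network-level score on this toy graph.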
