Identifying Lateral Spread via Behavioral Analytics on Network Flows

16 Mar


in Blog, Perspectives, Technology

by Nikfar Khaleeli

In advanced attacks, lateral spread (also known as lateral movement or east-west movement) is when cybercriminals try to increase their footprint within the organization by compromising other computers, servers, and infrastructure components. There could be multiple goals for this stage – e.g., gathering information via regular accounts for exfiltration or getting login credentials that provide access to more valuable information.

Detecting lateral spread is very difficult. When moving laterally, attackers masquerade as authorized users and access systems that those users are already allowed to use. Taken one at a time, these actions look like normal activity on a corporate network; what gives them away is deviation from how that user or host usually behaves. And if there is no data exfiltration, then there is one less way to detect this attack stage.

Behavioral analytics are one of the best methods to detect the anomalies that indicate lateral movement. For example, if a domain admin’s account has been compromised, comparing that admin’s access activity to a high-value server (e.g., volume of data downloaded, frequency of access, time of access, execution of commands not previously seen) against the baseline built from the admin’s past activity can surface the anomalous behavior.

Diversity in data sources (i.e., packets, network flows, logs, files, alerts and threat feeds) is what’s needed for comprehensive visibility into advanced attacks. However, under some constraints one data source is a more appropriate choice for helping analysts zero in on a particular attack stage. For identifying lateral spread, network flows are that data source in my opinion, providing a balance between richness of information and ease of access.

Log data (e.g., Active Directory logs) can help, but logs record only what the logging application chose to record, typically the authentication event rather than what was then done over the connection. Packets, a much richer source of information, can be used in analytics for more in-depth insight. However, it’s not always possible to get this packet information – e.g., operational and financial limitations (capture hardware, storage for full packet retention) could prevent the deployment of technology needed for full packet capture.

Network flows provide IP-level information about the traffic that’s gone through a network interface. The information (e.g., source and destination IPs, source and destination ports, protocol, packet and byte counts, start and end times) covers every conversation that crossed the interface whether or not an application logged it, so analytics on network flows provide richer results than analytics on logs alone. Flow records carry no payload and no user identity, so what they show is who talked to whom, on which ports, how often, and how much. The major switch and router vendors support some flow export variant (e.g., Cisco’s NetFlow, Juniper Networks’ J-Flow, the IETF standard IPFIX, or sFlow), so collecting this information doesn’t require deployment of specialized technology – it just needs to be enabled on the interfaces and pointed at a collector. Two caveats worth checking before relying on flows for lateral spread: sampled exports (sFlow, sampled NetFlow) can miss the short sessions typical of a hop between hosts, and traffic between two hosts on the same subnet never crosses a router, so it is only visible if flows are exported from the access layer as well.
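The kind of baseline-and-deviation check described above, run over flow records of the sort just listed, looks like this. This is an added example, not code from the original post: the flow export is a constructed CSV in NetFlow v5 field order (start time, source IP, destination IP, source port, destination port, protocol, packets, bytes), and the learning/observation cutoff, the list of admin ports and the thresholds are assumptions chosen for illustration. Three quiet days of a workstation reaching one file server over SMB during office hours are followed by a 02:13 burst that fans out to new hosts over admin ports; a second, unchanged host is included to show that it does not alert.

```python
"""Behavioral baselining over network flow records to surface lateral spread.

Added example, not code from the original post. Flow export format, cutoff,
admin-port list and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow export (NetFlow v5 field order). Not real traffic.
SAMPLE_FLOWS = """\
# ts,src,dst,sport,dport,proto,packets,bytes
2024-03-11T09:12:00,10.0.1.25,10.0.2.10,51022,445,6,120,48000
2024-03-11T14:40:00,10.0.1.25,10.0.2.10,51100,445,6,130,52000
2024-03-12T10:05:00,10.0.1.25,10.0.2.10,51300,445,6,110,45000
2024-03-12T16:20:00,10.0.1.25,10.0.2.10,51410,445,6,125,50000
2024-03-13T09:50:00,10.0.1.25,10.0.2.10,51600,445,6,118,47000
2024-03-13T15:10:00,10.0.1.25,10.0.2.10,51700,445,6,122,49000
2024-03-11T11:00:00,10.0.1.30,10.0.2.50,50100,443,6,40,9000
2024-03-12T11:00:00,10.0.1.30,10.0.2.50,50200,443,6,42,9500
2024-03-13T11:00:00,10.0.1.30,10.0.2.50,50300,443,6,41,9200
2024-03-14T02:13:00,10.0.1.25,10.0.2.10,52000,445,6,9000,3900000
2024-03-14T02:15:00,10.0.1.25,10.0.2.11,52010,445,6,30,6000
2024-03-14T02:16:00,10.0.1.25,10.0.2.12,52020,3389,6,25,5000
2024-03-14T02:17:00,10.0.1.25,10.0.2.13,52030,5985,6,20,4000
2024-03-14T11:00:00,10.0.1.30,10.0.2.50,50400,443,6,43,9600
"""

# Ports commonly used to hop between hosts (SSH, RPC, SMB, RDP, WinRM). Assumed list.
ADMIN_PORTS = {22, 135, 445, 3389, 5985, 5986}
FANOUT_THRESHOLD = 3   # distinct never-before-seen peers in one observation window
SIGMA = 3.0            # daily-byte cutoff in standard deviations above the baseline mean


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int
    nbytes: int


@dataclass
class Baseline:
    peers: set = field(default_factory=set)        # destination IPs seen
    peer_ports: set = field(default_factory=set)   # (dst, dport) pairs seen
    hours: set = field(default_factory=set)        # hours of day with any activity
    daily_bytes: dict = field(default_factory=lambda: defaultdict(int))


@dataclass(frozen=True)
class Alert:
    src: str
    reason: str
    detail: str


def parse_flows(text):
    """Parse the CSV export into Flow records, skipping comments and blank lines."""
    flows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, sp, dp, pr, pk, by = line.split(",")
        flows.append(Flow(datetime.fromisoformat(ts), src, dst,
                          int(sp), int(dp), int(pr), int(pk), int(by)))
    return flows


def build_baselines(flows):
    """Per-source profile of what 'normal' looked like in the learning window."""
    profiles = defaultdict(Baseline)
    for f in flows:
        b = profiles[f.src]
        b.peers.add(f.dst)
        b.peer_ports.add((f.dst, f.dport))
        b.hours.add(f.ts.hour)
        b.daily_bytes[f.ts.date()] += f.nbytes
    return profiles


def detect(flows, cutoff_iso):
    """Learn from flows before the cutoff, score the rest against each source's profile."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    profiles = build_baselines(f for f in flows if f.ts < cutoff)
    by_src = defaultdict(list)
    for f in flows:
        if f.ts >= cutoff:
            by_src[f.src].append(f)
    alerts = []
    for src, fl in by_src.items():
        if src not in profiles:  # edge case: a host with no history cannot be scored
            alerts.append(Alert(src, "no_baseline", f"{len(fl)} flows from a source with no history"))
            continue
        b = profiles[src]
        for f in fl:  # first-ever use of an admin service on a given host
            if f.dport in ADMIN_PORTS and (f.dst, f.dport) not in b.peer_ports:
                alerts.append(Alert(src, "new_admin_peer", f"{f.dst}:{f.dport}"))
        off = [f for f in fl if f.ts.hour not in b.hours]
        if off:
            alerts.append(Alert(src, "off_hours", f"{len(off)} flows outside hours {sorted(b.hours)}"))
        new_peers = {f.dst for f in fl} - b.peers
        if len(new_peers) >= FANOUT_THRESHOLD:
            alerts.append(Alert(src, "fan_out", f"{len(new_peers)} new peers: {sorted(new_peers)}"))
        hist = list(b.daily_bytes.values())
        if len(hist) >= 2:  # daily volume against the learned distribution
            mu, sd = mean(hist), pstdev(hist)
            per_day = defaultdict(int)
            for f in fl:
                per_day[f.ts.date()] += f.nbytes
            for day, total in sorted(per_day.items()):
                if total > mu + SIGMA * sd:
                    alerts.append(Alert(src, "volume", f"{day}: {total} B vs baseline mean {mu:.0f} B, sd {sd:.0f} B"))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_flows(SAMPLE_FLOWS), "2024-03-14T00:00:00"):
        print(f"{a.src:<10} {a.reason:<15} {a.detail}")
```

On the constructed data the workstation 10.0.1.25 produces six alerts (three new admin-port peers, an off-hours cluster, a fan-out of three new hosts, and a daily volume roughly forty times its baseline), while 10.0.1.30 produces none. In practice each of these signals is noisy on its own; it is the combination within a short window, from a single source, that is worth an analyst’s time.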

Don’t misunderstand me. I’m not suggesting that one data source is better than others. I firmly believe that data diversity is what’s needed for behavioral analytics to provide comprehensive visibility. However, the ease of access to different data sources varies by organization, so you must weigh the data you can actually collect against the fidelity your analytics require. Which is why any behavioral analytics solution you are considering must be able to use diverse data sources (i.e., packets, network flows, logs, files, alerts and threat feeds) and let you choose which combination of sources (one or more) to use in analytics.
