Computer networks have become larger, more complex, and highly dynamic. Similarly, the tactics, techniques, and procedures (TTPs) adopted by powerful adversaries, often backed by nation-states, have evolved, creating challenges for security administrators and SOC analysts, who must make sense of the flood of data and alerts produced by security tools. Since attacks have the inherent goal of achieving progressively higher access to resources, they often follow a common process in which an initially compromised endpoint is used as a bridgehead to access additional parts of the target's infrastructure.

This process has been in part codified in the MITRE ATT&CK framework, in which the kill-chain of an attack is described as a series of tactical achievements, namely reconnaissance, resource development, initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration, and impact. While there are few cases that rigidly follow a process that touches on these tactics in a linear manner, most attacks have only a few of these steps and often have sub-patterns that reflect the repetitive nature of the exploitation process.

However, one of the most essential (and often overlooked) aspects of multi-step attacks is lateral movement. Understanding lateral movement is essential because it describes the actions that attackers take to expand their foothold on the target network, which is often essential to the success of an attack, as the first compromised host is rarely the final target of a breach. Lateral movement is also often overlooked because most security tools focus on the perimeter of the network and seldom look at the interactions among internal hosts; as a result, these tools might miss important aspects of a multi-step attack.

If we look at the techniques listed by the MITRE framework in association with the tactical goal of lateral movement, we see mentioned the use and exploitation of remote services, internal spearphishing, lateral tool transfer, session hijacking, the use of removable media and shared content, and software deployment tools, among others. In practice, most lateral movement techniques involve the use of RATs (e.g., the notorious Cobalt Strike) or the use of existing services, such as the Remote Desktop Protocol (RDP) or PsExec.

In this report, we present some data about lateral movement that is based on the telemetry collected from NSX customers. However, a caveat is necessary: while the attacks and statistics described here are based on real-world data, they are also partial and do not represent every possible scenario for every possible network. Nonetheless, there are interesting insights that can be gained to support a better security posture for complex networks and a higher chance to detect and block an intrusion before it becomes a full breach.

Understanding Intrusions and Lateral Movement

Our analysis begins from the concept of an intrusion, which in VMware's NSX Advance Threat Protection solution is a set of alerts generated on a victim's network that are correlated together. We selected a VMware Contexa dataset that spans 30 days, starting from April 1st, 2022, and whose intrusions involve at least five hosts. The dataset contains 489 intrusions, 219 (44.7%) of which contain a lateral movement event. Figure 1 shows an example of one of the intrusions included in this dataset.

Figure 1: An example of an intrusion as shown in the NSX Advance Threat Protection console (local IP addresses have been anonymized).

We first look at the shape of the lateral movement activity. We want to understand what the size of intrusion blueprints is in terms of the number of hosts, for intrusions that contain lateral movement events. Figure 2 shows the distribution of the number of hosts for intrusions that contain some form of lateral movement.

Figure 2: Distribution of the number of hosts across intrusions that contain a lateral movement event.

One can easily see that most of these intrusions involve a limited number of hosts (the most common number of hosts is less than 20). As a second step, we want to understand how many hosts are involved in lateral movement activity, that is, how many hosts in an intrusion are the source or destination of a lateral movement event.
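The two measurements described in the analysis above (the size of an intrusion blueprint in hosts, and the number of hosts that are the source or destination of a lateral movement event) can be reproduced from correlated alerts with a short script. The following is an added example written for this page, not VMware's code and not the NSX or Contexa data format; it assumes a simplified alert record (intrusion id, source host, destination host, ATT&CK tactic label), treats the attacker's external address as one of the intrusion's hosts, and runs on a small constructed alert set that mirrors the report's "at least five hosts" selection.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set

# Tactic label this example uses for alerts that the detector mapped to the
# ATT&CK Lateral Movement tactic (TA0008). The label is an assumption of this
# example, not a product field value.
LATERAL_MOVEMENT = "lateral-movement"


@dataclass(frozen=True)
class Alert:
    """Simplified correlated alert (assumed schema): the intrusion it was
    correlated into, the source and destination host of the observed
    activity, and the ATT&CK tactic assigned by the detector."""
    intrusion_id: str
    src: str
    dst: str
    tactic: str


# Constructed sample: four intrusions, three of which have five or more hosts.
SAMPLE_ALERTS: List[Alert] = [
    # A: 6 hosts; RDP-style hopping .1 -> .2 -> .3 plus internal discovery
    Alert("A", "ext-1", "10.0.0.1", "initial-access"),
    Alert("A", "10.0.0.1", "10.0.0.2", LATERAL_MOVEMENT),
    Alert("A", "10.0.0.2", "10.0.0.3", LATERAL_MOVEMENT),
    Alert("A", "10.0.0.1", "10.0.0.4", "discovery"),
    Alert("A", "10.0.0.1", "10.0.0.5", "discovery"),
    # B: 5 hosts; scanning only, no lateral movement event
    Alert("B", "ext-2", "10.0.1.1", "initial-access"),
    Alert("B", "10.0.1.1", "10.0.1.2", "discovery"),
    Alert("B", "10.0.1.1", "10.0.1.3", "discovery"),
    Alert("B", "10.0.1.1", "10.0.1.4", "discovery"),
    # C: 3 hosts; dropped by the "at least five hosts" selection
    Alert("C", "ext-3", "10.0.2.1", "initial-access"),
    Alert("C", "10.0.2.1", "10.0.2.2", LATERAL_MOVEMENT),
    # D: 5 hosts; every internal host is touched by lateral movement
    Alert("D", "ext-4", "10.0.3.1", "initial-access"),
    Alert("D", "10.0.3.1", "10.0.3.2", LATERAL_MOVEMENT),
    Alert("D", "10.0.3.1", "10.0.3.3", LATERAL_MOVEMENT),
    Alert("D", "10.0.3.2", "10.0.3.4", LATERAL_MOVEMENT),
]


def group_by_intrusion(alerts: List[Alert]) -> Dict[str, List[Alert]]:
    """Collect alerts into the intrusion (blueprint) they were correlated into."""
    groups: Dict[str, List[Alert]] = {}
    for a in alerts:
        groups.setdefault(a.intrusion_id, []).append(a)
    return groups


def blueprint_hosts(alerts: List[Alert]) -> Set[str]:
    """Every host appearing as source or destination of any alert in the
    intrusion: the blueprint size measured in hosts (external addresses
    included, an assumption of this example)."""
    hosts: Set[str] = set()
    for a in alerts:
        hosts.update((a.src, a.dst))
    return hosts


def lateral_movement_hosts(alerts: List[Alert]) -> Set[str]:
    """Hosts that are the source or destination of a lateral movement event."""
    hosts: Set[str] = set()
    for a in alerts:
        if a.tactic == LATERAL_MOVEMENT:
            hosts.update((a.src, a.dst))
    return hosts


def summarize(alerts: List[Alert], min_hosts: int = 5) -> dict:
    """Compute the report's measurements: how many selected intrusions contain
    lateral movement, how the number of hosts is distributed across those
    intrusions (the Figure 2 analogue), and how many hosts per intrusion take
    part in lateral movement. Intrusions with fewer than `min_hosts` hosts
    are dropped, mirroring the dataset selection."""
    selected = {
        iid: group
        for iid, group in group_by_intrusion(alerts).items()
        if len(blueprint_hosts(group)) >= min_hosts
    }
    with_lm = {iid: g for iid, g in selected.items() if lateral_movement_hosts(g)}
    return {
        "intrusions": len(selected),
        "with_lateral_movement": len(with_lm),
        "fraction_with_lateral_movement": (
            len(with_lm) / len(selected) if selected else 0.0
        ),
        "host_count_distribution": Counter(
            len(blueprint_hosts(g)) for g in with_lm.values()
        ),
        "lm_hosts_per_intrusion": {
            iid: len(lateral_movement_hosts(g)) for iid, g in with_lm.items()
        },
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_ALERTS))
```

On the constructed sample, three intrusions survive the five-host filter, two of them contain lateral movement, and the lateral movement host count (3 for A, 4 for D) is always smaller than or equal to the blueprint size, which is the gap between "hosts in the intrusion" and "hosts that actually moved laterally" that the second measurement is meant to expose.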