Detecting Lateral Movement in Windows Environments

David Vassallo
CyberSift
Jun 30, 2021

One of the anomaly detection capabilities deployed in CyberSift is detecting abnormal login patterns that could indicate lateral movement. Referring to the new MITRE D3FEND framework, this defense would fall under:

D3FEND ID: D3-ANET
Authentication Event Thresholding

During lateral movement scenarios, an attacker has already gained a foothold within the perimeter of your infrastructure and is using valid credentials to try to log in to various resources in the domain.

So the idea is to monitor and baseline normal login behavior. For example, in a particular environment, any given user might log in to two different PCs or services per day on average. If during monitoring that average exceeds a pre-determined threshold, an alert is generated, since this is exactly the kind of indicator that the lateral movement described above would produce.

Assuming Windows event log ingestion has been set up correctly, the algorithm is conceptually simple:

  • CyberSift monitors the number of login events (e.g. Event ID 4624).
  • The events are aggregated by:
  1. The source user making the login requests
  2. The destination computer name
  • Along the way, some analyst context is added to the login events, such as more user-friendly hints as to what the login activity actually is (for example, converting the “LogonType” from a number to text, e.g. Logon Type “2” becomes “Interactive”, and so on).
  • A baseline of login activity is taken every hour; we simply count how many logins occurred.
  • CyberSift automatically defines a threshold, using both statistical methods (e.g. percentiles, z-score) and in some cases deep learning methods such as time series prediction.
  • With every new login event, CyberSift notes the user and target resource and increments the current login counter. If this counter exceeds the threshold, an alert is generated.
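The steps above, carried through end to end as an added example (this is not CyberSift's code). It ingests constructed 4624-style records, enriches the LogonType code into text, baselines per user and hour, derives a threshold from the larger of mean + 3σ and the 95th percentile, and then runs the streaming counter over a second batch of events. The record layout, user and host names, and the choice to count distinct destination computers per hour (rather than raw login count) are assumptions made here; Event ID 4624 and the LogonType codes are the standard Windows values.

```python
# Added example (not CyberSift's code): authentication-event thresholding on
# Windows 4624 logons. Record layout and all sample values are constructed.
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Standard 4624 LogonType codes translated to analyst-friendly text
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}


def enrich(event):
    """Copy of the event with LogonType translated, e.g. 2 -> "Interactive"."""
    return {**event, "LogonTypeName": LOGON_TYPES.get(event.get("LogonType"), "Unknown")}


def hour_of(ts):
    return ts.replace(minute=0, second=0, microsecond=0)


def baseline_series(events):
    """user -> hourly series of distinct destination computers logged on to."""
    seen = defaultdict(set)  # (user, hour) -> destinations
    for e in events:
        if e.get("EventID") == 4624:
            seen[(e["TargetUserName"], hour_of(e["TimeCreated"]))].add(e["Computer"])
    series = defaultdict(list)
    for user, hour in sorted(seen, key=lambda k: k[1]):
        series[user].append(len(seen[(user, hour)]))
    return dict(series)


def percentile(values, p):
    """Nearest-rank percentile, p in 0..100."""
    ordered = sorted(values)
    return ordered[max(1, math.ceil(p / 100 * len(ordered))) - 1]


def threshold(values, z=3.0, p=95):
    """Larger of mean + z*stdev and the p-th percentile of the baseline."""
    if len(values) < 2:
        return float(max(values))  # not enough history for a stdev
    return max(statistics.mean(values) + z * statistics.stdev(values),
               float(percentile(values, p)))


class LateralMovementDetector:
    """Streaming check: alert once a user's distinct destinations in the
    current hour exceed that user's learned threshold."""

    def __init__(self, thresholds):
        self.thresholds = thresholds
        self.current = defaultdict(set)  # (user, hour) -> destinations so far

    def observe(self, event):
        if event.get("EventID") != 4624:
            return None
        e = enrich(event)
        key = (e["TargetUserName"], hour_of(e["TimeCreated"]))
        self.current[key].add(e["Computer"])
        count, limit = len(self.current[key]), self.thresholds.get(key[0])
        if limit is None or count <= limit:
            return None
        return {"user": key[0], "hour": key[1].isoformat(), "distinct_targets": count,
                "threshold": round(limit, 2), "last_target": e["Computer"],
                "logon_type": e["LogonTypeName"]}


def logon(ts, user, computer, logon_type=3, event_id=4624):
    """Constructed 4624-style record carrying only the fields used here."""
    return {"EventID": event_id, "TimeCreated": ts, "TargetUserName": user,
            "Computer": computer, "LogonType": logon_type}


# Constructed baseline day: alice touches 1-3 hosts per hour
BASELINE = [logon(datetime(2021, 6, 29, h, m), "alice", c, t) for h, m, c, t in [
    (8, 5, "WS-ALICE", 2), (9, 10, "WS-ALICE", 7), (9, 20, "FILESRV-01", 3),
    (10, 0, "WS-ALICE", 7), (10, 30, "MAIL-01", 3), (11, 15, "FILESRV-01", 3),
    (12, 0, "WS-ALICE", 7), (12, 5, "FILESRV-01", 3), (12, 40, "PRINT-01", 3),
    (13, 0, "WS-ALICE", 7), (13, 30, "MAIL-01", 3)]]

# Constructed live hour: alice fans out to six hosts; bob and a 4634 logoff are noise
LIVE = [logon(datetime(2021, 6, 29, 14, i), "alice", f"WS-{i:02d}") for i in range(1, 7)]
LIVE += [logon(datetime(2021, 6, 29, 14, 3), "bob", "WS-BOB", 2),
         logon(datetime(2021, 6, 29, 14, 4), "alice", "WS-01", event_id=4634)]


def run_demo():
    thresholds = {u: threshold(s) for u, s in baseline_series(BASELINE).items()}
    detector = LateralMovementDetector(thresholds)
    alerts = [a for a in map(detector.observe, LIVE) if a]
    return thresholds, alerts


if __name__ == "__main__":
    thresholds, alerts = run_demo()
    print("thresholds:", thresholds)
    for alert in alerts:
        print("ALERT", alert)
```

With the constructed baseline of [1, 2, 2, 1, 3, 2] distinct hosts per hour, mean + 3σ comes to about 4.09, so the detector stays quiet through the fourth new host in the live hour and alerts on the fifth and sixth. A user with no baseline (bob) produces no alert, which is the gap an analyst would want to close by seeding thresholds from a peer group or a global default.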

The above alerts are then cross-referenced with other checks, such as the High Privileged User monitoring we wrote about earlier, and alert criticality is increased if more than one check is triggered.
