Lateral Movement Detection in Cyber Defense

In a world where the question is not “When will the organization be hacked?” but “When will I know my organization has been hacked?”, lateral movement detection solutions are increasing


“If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked” – White House Cybersecurity Advisor, Richard Clarke. February 20th 2002.

A lot of coffee (and money) has been spilled since the Bush administration. Nowadays, cyber security investments are considered to play a major role in the organization’s budget – more enterprises perceive cyber security as the number one threat to their operation, spending excessive amounts of resources to secure their premises. Ironically, the past decade has seen a troublesome increase in the number of successful data breaches by national entities, cyber criminals and teen geniuses, causing companies millions of dollars in losses annually.

How Deep Is the Rabbit Hole?

In order to have a better understanding of the cyber threats, we should first ask ourselves “Who exactly moves inside my network?” The answer, unfortunately, is everything and everyone: manual hackers, teenagers, students, organized cyber-crime groups (such as APT28 from Russia), well-trained and well-funded governmental entities (such as Bureau 121 from North Korea), and even terror organizations such as ISIS. Not to mention automatic tools like APTs, malware, viruses, etc.

We keep pushing the borders, integrating networks with every part of our lives – cars, air conditioners, home and office cameras – and potentially granting someone else the access needed to take control. What will happen if malicious code that controls a vehicle’s acceleration starts infecting other cars via a Bluetooth or Wi-Fi connection?

More and more CISOs are becoming aware that no perimeter is cyber-proof. As you read these lines, hackers, APTs, malware and various automatic tools are moving inside countless organizations. The question should not be “Will they breach?”, but rather “Which method would allow me to detect a malicious movement, as soon as it occurs within my environment?”

In recent years, the commonly accepted method was “Anomaly Detection” – the identification of items, events, or observations that do not conform to an expected pattern or to other items in a dataset.

In other words, Anomaly Detection says “Let’s define every possible thing in the enterprise, and if at some point in time it behaves differently from its pre-set attributes, a flag is raised.” The problem with this method is that we live in a highly dynamic world of constant change. One day I am working from a 40-story building in Singapore, wearing a business suit; tomorrow I might be working in the middle of the night from a hotel room in Florida, wearing flip-flops.

The number of false positives generated by this method (even after correlation by a SIEM) is huge. SOC teams simply do not have the time and resources to handle such an excessive amount of data, leaving the real threat untreated.

Many companies try to define what is normal, so if something else happens – we can detect it. But today’s working environment is very dynamic and sporadic. People move, come, go, change. The amount of false alerts is enormous, blinding us from the real threats out there.

Thanks to global information sharing and “tools for the people”, even an unskilled hacker can penetrate the organization’s perimeter quite easily. This is an asymmetric war, in which one individual with an ordinary computer and an Internet connection can spy on, steal from, or sabotage multi-million-dollar enterprises, causing monetary loss, data exfiltration, and customer trust issues that lead to lost revenue. Once he/she is inside, the hacker will move throughout the organization for an average of 300 days before being detected. Let’s say our hacker decides to leave after 100 days: no one will ever know he/she was there.

The current detection rate is unacceptable; still, those are the numbers. A better, more rapid method is needed to keep the organization’s IP, assets and sensitive data private.

Everything Moves 

Conventional information security architecture consists of various tools at the enterprise’s perimeter, keeping intruders out. However, when a hacker succeeds in gaining access, or an internal attacker starts executing an attack, it becomes much more difficult to spot him. Instead, we should embrace the hacker inside of us, accept the fact that he is out there, and wait for his move. Everything moves. It does not matter if it is a manual hacker, APT, malware, virus, or something new. Everything moves.

There is a saying that prophecy was given to the fools. No one can really say what kind of evolution will take place in the world of hackers and their offensive tools. But I can tell you this – no matter what kind of tool, ability or exploit attackers create, it always moves. Based on that observation, we can understand where to establish our enterprise’s defense line.

A working method that can adapt to modern challenges will be one that does not characterize every user, document or time frame and fit them into patterns. A working method for Lateral Movement detection would combine a clever, extra-fast “mastermind” that distinguishes harmful movements while leaving the organization’s daily load unharmed. In addition, this system should not call for extra resources, like huge storage systems, in order to function cleanly and efficiently. Another major attribute is minimizing unnecessary, time-consuming false alarms, so that the Incident Response team can deal with the important work and receive only true alerts, which they can handle immediately.

Knowing is half the battle. The impact of APT campaigns to an organization or business includes data or intellectual property theft and damage to business reputation. Once a hacker gains access to the Secretary’s computer, it is only “a bus stop” before the executive’s computers, servers, and up to the Vault with the crown jewels. Every shift from asset to asset is considered to be “Lateral Movement”. 

The concept behind Lateral Movement says that catching the “bad guys” before they breach the perimeter is pointless. For conventional attackers, who are the crucial percentage that really causes the damage, we will use a Lateral Movement Detection system that can find the malicious movement, within an acceptable amount of time.

In a recent article, McAfee claims “Ransomware will remain a major and rapidly growing threat in 2016.” “End-point” malware such as ransomware (which “hijacks” your terminal by encrypting your data) moves in order to infect other assets in the organization. When the ransomware starts to infect the other machines in the environment, the infection causes Lateral Movement, which can be foreseen using the proper tools.

Ransomware is just a fraction of the threats that can be detected using Lateral Movement Detection methods. Think about 0-day attacks. You cannot guard against them in advance, as they have not yet been found. But even the most sophisticated hacking tool, created 25 years from now, will rely on the same essential attribute – movement.

As more and more security leaders like Kaspersky and Trend Micro become aware of the need for Lateral Movement solutions, organizations should examine their cyber defense strategies for the new opportunities Lateral Movement Detection can offer.


Alon Golan is the Co-Founder and Chief Product Officer at Fenror7
