Detecting lateral movement is a crucial part of the security detection lifecycle and requires a comprehensive view of the communication patterns between hosts within a computer network. It is also one of the most difficult detection challenges in security analytics. Most skilled adversaries no longer use noisy methods when attempting to compromise new hosts within a network; instead they launch targeted "low-and-slow" attacks against hosts and user accounts to avoid detection by volume-based methods. Additionally, because of the scale of data generated by enterprise security information and event management systems, it is impractical to investigate every security log collected in search of the specific entries that indicate lateral movement. However, lateral movement does leave traces in the aggregated security data that can be extracted and used to build security analytics models.
Attempted lateral movement shows up in security data as a series of logs that connect disparate clusters of hosts that have never interacted before. By transforming the security data into a graph format, these connections become visually obvious and significantly change various graph metrics of the individual nodes involved. By generating these graph metrics over time, you can then build detection models that monitor every individual node and alert when attempted lateral movement is occurring.
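As an added illustration of that idea (not code from the talk or from Accenture's ASGARD stack, and in plain Python rather than Spark/GraphX): constructed host-to-host connection records are grouped into daily windows, earlier days form a baseline graph whose connected components are the existing host clusters, and each node is scored by how many previously separate clusters it starts contacting in the new window. The record format, the `threshold` of 2 and the host names are assumptions for the example; a host never seen in the baseline is treated as its own cluster.

```python
from collections import defaultdict
# Constructed sample records "day,src_host,dst_host" (not from the talk).
SAMPLE_LOGS = """\
1,ws01,fs01
1,ws02,fs01
1,ws03,db01
2,ws01,fs01
2,ws02,db01
2,ws02,ws03
2,ws02,dc01
"""

def components(edges):
    # Union-find over an undirected graph; returns {node: cluster_label}.
    parent = {}
    def find(x):
        while parent.setdefault(x, x) != x:
            x = parent[x]
        return x
    for a, b in edges:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb
    return {n: find(n) for n in list(parent)}

def bridging_scores(baseline_edges, window_edges):
    # Per node: distinct baseline clusters (other than its own) it contacts in
    # the window. A host absent from the baseline counts as its own cluster.
    comp = components(baseline_edges)
    reached = defaultdict(set)
    for a, b in window_edges:
        ca, cb = comp.get(a, a), comp.get(b, b)
        if ca != cb:
            reached[a].add(cb)
            reached[b].add(ca)
    return {n: len(c) for n, c in reached.items()}

def detect(text, threshold=2):
    # Score each day against all earlier days; alert on nodes bridging >= threshold clusters.
    by_day = defaultdict(list)
    for line in text.splitlines():
        day, src, dst = line.split(",")
        by_day[int(day)].append((src, dst))
    baseline, alerts = [], []
    for day in sorted(by_day):
        if baseline:
            scores = bridging_scores(baseline, by_day[day])
            alerts += [(day, n, s) for n, s in sorted(scores.items()) if s >= threshold]
        baseline += by_day[day]
    return alerts
```

On the sample data only ws02 is flagged on day 2, because it is the one host that newly reaches both the db01 cluster and the never-seen dc01; the benign repeat of ws01 talking to fs01 scores nothing.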
Louis DiValentin and Dillon Cullinan explain how Accenture’s Cyber Security Lab built security analytics models to detect attempted lateral movement in networks by transforming enterprise-scale security data into a graph format, generating graph analytics for individual users, and building time series detection models that visualize the changing graph metrics for security operators so they can easily detect when specific nodes are becoming more important to the network graph. They also discuss how they used ASGARD, Accenture’s Hadoop, Spark, and GraphX stack, to scale these analytics to an enterprise-scale dataset.
Louis DiValentin is a security data scientist at Accenture Cyber Labs, located in the Washington, DC, area. His research focuses on security analytics modeling, graph analytics, and big data.
Dillon Cullinan is a data engineering cybersecurity specialist at Accenture Cyber Labs, located in the Washington, DC, area. Dillon focuses on building big data solutions for the cybersecurity realm to enable large-scale analytics and visualizations.
©2019, O'Reilly Media, Inc.