strata 2015 presentation -- detecting lateral movement
TRANSCRIPT
![Page 1: Strata 2015 Presentation -- Detecting Lateral Movement](https://reader031.vdocuments.mx/reader031/viewer/2022013115/55aaadb11a28ab5f7a8b46b3/html5/thumbnails/1.jpg)
![Page 2: Strata 2015 Presentation -- Detecting Lateral Movement](https://reader031.vdocuments.mx/reader031/viewer/2022013115/55aaadb11a28ab5f7a8b46b3/html5/thumbnails/2.jpg)
![Page 3: Strata 2015 Presentation -- Detecting Lateral Movement](https://reader031.vdocuments.mx/reader031/viewer/2022013115/55aaadb11a28ab5f7a8b46b3/html5/thumbnails/3.jpg)
![Page 4: Strata 2015 Presentation -- Detecting Lateral Movement](https://reader031.vdocuments.mx/reader031/viewer/2022013115/55aaadb11a28ab5f7a8b46b3/html5/thumbnails/4.jpg)
![Page 5: Strata 2015 Presentation -- Detecting Lateral Movement](https://reader031.vdocuments.mx/reader031/viewer/2022013115/55aaadb11a28ab5f7a8b46b3/html5/thumbnails/5.jpg)
![Page 6: Strata 2015 Presentation -- Detecting Lateral Movement](https://reader031.vdocuments.mx/reader031/viewer/2022013115/55aaadb11a28ab5f7a8b46b3/html5/thumbnails/6.jpg)
![Page 7: Strata 2015 Presentation -- Detecting Lateral Movement](https://reader031.vdocuments.mx/reader031/viewer/2022013115/55aaadb11a28ab5f7a8b46b3/html5/thumbnails/7.jpg)
Problems
sensors/detections
Ranking
![Page 8: Strata 2015 Presentation -- Detecting Lateral Movement](https://reader031.vdocuments.mx/reader031/viewer/2022013115/55aaadb11a28ab5f7a8b46b3/html5/thumbnails/8.jpg)
![Page 9: Strata 2015 Presentation -- Detecting Lateral Movement](https://reader031.vdocuments.mx/reader031/viewer/2022013115/55aaadb11a28ab5f7a8b46b3/html5/thumbnails/9.jpg)
What is Lateral Movement?
Source: Pass-the-Hash Mitigation
![Page 10: Strata 2015 Presentation -- Detecting Lateral Movement](https://reader031.vdocuments.mx/reader031/viewer/2022013115/55aaadb11a28ab5f7a8b46b3/html5/thumbnails/10.jpg)
Why is this Important?
![Page 11: Strata 2015 Presentation -- Detecting Lateral Movement](https://reader031.vdocuments.mx/reader031/viewer/2022013115/55aaadb11a28ab5f7a8b46b3/html5/thumbnails/11.jpg)
Why is this difficult?
![Page 12: Strata 2015 Presentation -- Detecting Lateral Movement](https://reader031.vdocuments.mx/reader031/viewer/2022013115/55aaadb11a28ab5f7a8b46b3/html5/thumbnails/12.jpg)
Problem #1: Independent Alert Streams
![Page 13: Strata 2015 Presentation -- Detecting Lateral Movement](https://reader031.vdocuments.mx/reader031/viewer/2022013115/55aaadb11a28ab5f7a8b46b3/html5/thumbnails/13.jpg)
Problem #2: Burden of triage
"Attacks are complex. Need more detections!"
"So, now I have to triage all of them?"
![Page 14: Strata 2015 Presentation -- Detecting Lateral Movement](https://reader031.vdocuments.mx/reader031/viewer/2022013115/55aaadb11a28ab5f7a8b46b3/html5/thumbnails/14.jpg)
Problem #3: Feedback not captured
![Page 15: Strata 2015 Presentation -- Detecting Lateral Movement](https://reader031.vdocuments.mx/reader031/viewer/2022013115/55aaadb11a28ab5f7a8b46b3/html5/thumbnails/15.jpg)
Problem #4: Interpretability of alerts
![Page 16: Strata 2015 Presentation -- Detecting Lateral Movement](https://reader031.vdocuments.mx/reader031/viewer/2022013115/55aaadb11a28ab5f7a8b46b3/html5/thumbnails/16.jpg)
![Page 17: Strata 2015 Presentation -- Detecting Lateral Movement](https://reader031.vdocuments.mx/reader031/viewer/2022013115/55aaadb11a28ab5f7a8b46b3/html5/thumbnails/17.jpg)
Windows Security Events Data
On average, an online service in O365 produces 30 billion sessions/day; 82 TB/day
Data: Sequences of Windows security event IDs from user sessions
• Examples: User logs into machine, process start, credential switch, etc.
• 367 unique security event IDs
![Page 18: Strata 2015 Presentation -- Detecting Lateral Movement](https://reader031.vdocuments.mx/reader031/viewer/2022013115/55aaadb11a28ab5f7a8b46b3/html5/thumbnails/18.jpg)
- We built separate models to detect our goal: compromised accounts/machines
- The models independently assess whether the account is acting suspiciously
![Page 19: Strata 2015 Presentation -- Detecting Lateral Movement](https://reader031.vdocuments.mx/reader031/viewer/2022013115/55aaadb11a28ab5f7a8b46b3/html5/thumbnails/19.jpg)
probability of logging
sequences of events
credential elevation
auto-generated
![Page 20: Strata 2015 Presentation -- Detecting Lateral Movement](https://reader031.vdocuments.mx/reader031/viewer/2022013115/55aaadb11a28ab5f7a8b46b3/html5/thumbnails/20.jpg)
Figure: session $x$ is scored by each detector $P_1, P_2, \dots, P_d$, giving $P_1(x), P_2(x), \dots, P_d(x)$; these outputs are weighted by $w_1, w_2, \dots, w_d$ and combined into the Combined Score.
![Page 21: Strata 2015 Presentation -- Detecting Lateral Movement](https://reader031.vdocuments.mx/reader031/viewer/2022013115/55aaadb11a28ab5f7a8b46b3/html5/thumbnails/21.jpg)
![Page 22: Strata 2015 Presentation -- Detecting Lateral Movement](https://reader031.vdocuments.mx/reader031/viewer/2022013115/55aaadb11a28ab5f7a8b46b3/html5/thumbnails/22.jpg)
Burges, Chris, et al. "Learning to rank using gradient descent." 2005.
![Page 23: Strata 2015 Presentation -- Detecting Lateral Movement](https://reader031.vdocuments.mx/reader031/viewer/2022013115/55aaadb11a28ab5f7a8b46b3/html5/thumbnails/23.jpg)
Figure (pairwise ranking): two sessions $m$ and $b$ are each scored by the detectors $P_1, P_2, \dots, P_d$, giving $P_1(m), P_2(m), \dots, P_d(m)$ and $P_1(b), P_2(b), \dots, P_d(b)$; the shared weights $w_1, w_2, \dots, w_d$ yield $P(m > b)$, the probability that $m$ ranks above $b$.
![Page 24: Strata 2015 Presentation -- Detecting Lateral Movement](https://reader031.vdocuments.mx/reader031/viewer/2022013115/55aaadb11a28ab5f7a8b46b3/html5/thumbnails/24.jpg)
Putting it together
Figure: session $x$ is scored by $P_1, P_2, \dots, P_d$; the features are $-\log P_1(x), -\log P_2(x), \dots, -\log P_d(x)$, weighted by $w_1, w_2, \dots, w_d$.
Rank Score $= w^T P$
![Page 25: Strata 2015 Presentation -- Detecting Lateral Movement](https://reader031.vdocuments.mx/reader031/viewer/2022013115/55aaadb11a28ab5f7a8b46b3/html5/thumbnails/25.jpg)
Testing the system
• Wargame with the red team
• Blind experiment
• 8 out of 12 top-ranked sessions on day 1 among ~28 billion sessions are pen testers, precision at 12 is 96%
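The scoring scheme on the "Putting it together" slide and the precision-at-k evaluation on the testing slide, as an added example that is not code from the deck or from the O365 team. It assumes each detector i reports P_i(x), the probability of session x under that detector's model of normal behaviour, turns that into the feature -log P_i(x), computes Rank Score = w^T P, learns w from (m, b) pairs in which m should outrank b via P(m > b) = sigmoid(score(m) - score(b)) and gradient descent on its cross-entropy (the RankNet idea of Burges et al. 2005), and then reports precision at k over a ranked list. The detector names and all session data are constructed for the example; the red-team labels stand in for the "pen testers" the slide uses as ground truth.

```python
"""Rank sessions from several independent detectors (added example,
not the presenters' code). Assumed model: feature_i = -log P_i(x),
Rank Score = w^T P, weights learned pairwise (RankNet-style)."""
import math
from typing import Dict, List, Sequence, Tuple

# Assumed detector names, loosely after the slide-19 fragments.
DETECTORS = ["logon_prob", "event_seq", "cred_elev", "auto_gen"]

# Constructed sample sessions: (id, P_i(x) per detector, red-team label).
SESSIONS: List[Tuple[str, Dict[str, float], bool]] = [
    ("s1", {"logon_prob": 0.90, "event_seq": 0.85, "cred_elev": 0.95, "auto_gen": 0.80}, False),
    ("s2", {"logon_prob": 0.70, "event_seq": 0.90, "cred_elev": 0.90, "auto_gen": 0.95}, False),
    ("s3", {"logon_prob": 0.80, "event_seq": 0.60, "cred_elev": 0.85, "auto_gen": 0.90}, False),
    ("s4", {"logon_prob": 0.05, "event_seq": 0.10, "cred_elev": 0.02, "auto_gen": 0.70}, True),
    ("s5", {"logon_prob": 0.20, "event_seq": 0.05, "cred_elev": 0.10, "auto_gen": 0.60}, True),
    ("s6", {"logon_prob": 0.60, "event_seq": 0.75, "cred_elev": 0.50, "auto_gen": 0.30}, False),
]


def features(probs: Dict[str, float]) -> List[float]:
    """-log P_i(x) per detector: rare sessions get large values.
    The floor keeps a detector that reports exactly 0 from yielding inf."""
    return [-math.log(max(probs[d], 1e-9)) for d in DETECTORS]


def rank_score(w: Sequence[float], feats: Sequence[float]) -> float:
    """Rank Score = w^T P."""
    return sum(wi * fi for wi, fi in zip(w, feats))


def prob_m_above_b(w: Sequence[float], fm: Sequence[float], fb: Sequence[float]) -> float:
    """P(m > b) as a logistic function of the score difference."""
    return 1.0 / (1.0 + math.exp(-(rank_score(w, fm) - rank_score(w, fb))))


def train_pairwise(pairs, lr: float = 0.05, epochs: int = 200) -> List[float]:
    """Gradient descent on -log P(m > b) over (m, b) pairs; m should outrank b."""
    w = [0.0] * len(DETECTORS)
    for _ in range(epochs):
        for fm, fb in pairs:
            p = prob_m_above_b(w, fm, fb)
            # d/dw of -log p is (p - 1) * (fm - fb)
            for i in range(len(w)):
                w[i] -= lr * (p - 1.0) * (fm[i] - fb[i])
    return w


def training_pairs(sessions) -> List[Tuple[List[float], List[float]]]:
    """Every (red-team, benign) combination, red-team session first."""
    feats = {sid: features(p) for sid, p, _ in sessions}
    red = [sid for sid, _, r in sessions if r]
    benign = [sid for sid, _, r in sessions if not r]
    return [(feats[m], feats[b]) for m in red for b in benign]


def ranked(w: Sequence[float], sessions):
    """Sessions sorted by rank score, highest first: the triage queue."""
    return sorted(sessions, key=lambda s: rank_score(w, features(s[1])), reverse=True)


def precision_at_k(w: Sequence[float], sessions, k: int) -> float:
    """Fraction of the top-k ranked sessions that are red-team sessions."""
    top = ranked(w, sessions)[:k]
    return sum(1 for _, _, red in top if red) / k


def explain(w: Sequence[float], probs: Dict[str, float]) -> List[Tuple[str, float]]:
    """Per-detector contribution w_i * (-log P_i(x)), largest first:
    the 'probable cause' shown to the analyst."""
    contrib = zip(DETECTORS, (wi * fi for wi, fi in zip(w, features(probs))))
    return sorted(contrib, key=lambda c: c[1], reverse=True)


if __name__ == "__main__":
    w = train_pairwise(training_pairs(SESSIONS))
    for sid, probs, red in ranked(w, SESSIONS):
        print(f"{sid} red={red} score={rank_score(w, features(probs)):.2f}")
    print("precision@2:", precision_at_k(w, SESSIONS, 2))
    print("why s4:", explain(w, SESSIONS[3][1]))
```

Adding a detector ("extensible" on slide 28) is one more column in the feature vector and one more weight; retraining on fresh red-team pairs gives the updated weights. The `explain` output is the per-alert breakdown the "Alert Score Weights" slide describes: the detector with the largest weighted contribution is the probable cause of the alert.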
![Page 26: Strata 2015 Presentation -- Detecting Lateral Movement](https://reader031.vdocuments.mx/reader031/viewer/2022013115/55aaadb11a28ab5f7a8b46b3/html5/thumbnails/26.jpg)
Weights $w'_1, w'_2, \dots, w'_d$
![Page 27: Strata 2015 Presentation -- Detecting Lateral Movement](https://reader031.vdocuments.mx/reader031/viewer/2022013115/55aaadb11a28ab5f7a8b46b3/html5/thumbnails/27.jpg)
Alert Score Weights
Higher weight means a larger contributing factor to the alert
Tells the user what the probable cause of the alert is
![Page 28: Strata 2015 Presentation -- Detecting Lateral Movement](https://reader031.vdocuments.mx/reader031/viewer/2022013115/55aaadb11a28ab5f7a8b46b3/html5/thumbnails/28.jpg)
extensible
![Page 29: Strata 2015 Presentation -- Detecting Lateral Movement](https://reader031.vdocuments.mx/reader031/viewer/2022013115/55aaadb11a28ab5f7a8b46b3/html5/thumbnails/29.jpg)
![Page 30: Strata 2015 Presentation -- Detecting Lateral Movement](https://reader031.vdocuments.mx/reader031/viewer/2022013115/55aaadb11a28ab5f7a8b46b3/html5/thumbnails/30.jpg)
Reality
Constantly changing environment… …but you can account for it during training and by adding metadata
In the beginning, there will be false positives… …but you will reduce your attack surface
No labelled data… …but you can get away with a good red team
![Page 31: Strata 2015 Presentation -- Detecting Lateral Movement](https://reader031.vdocuments.mx/reader031/viewer/2022013115/55aaadb11a28ab5f7a8b46b3/html5/thumbnails/31.jpg)
![Page 32: Strata 2015 Presentation -- Detecting Lateral Movement](https://reader031.vdocuments.mx/reader031/viewer/2022013115/55aaadb11a28ab5f7a8b46b3/html5/thumbnails/32.jpg)
Takeaways
Combine alert streams
Make your alerts interpretable
Capture feedback and close the last mile
Check out ranking algorithms – they are powerful!
![Page 33: Strata 2015 Presentation -- Detecting Lateral Movement](https://reader031.vdocuments.mx/reader031/viewer/2022013115/55aaadb11a28ab5f7a8b46b3/html5/thumbnails/33.jpg)