![Page 1: Lateral Movement Detection - Assured Cloud Computingassured-cloud-computing.illinois.edu/files/2016/10/... · 2016-10-03 · Lateral Movement Detection Using Distributed Data Fusion](https://reader030.vdocuments.site/reader030/viewer/2022041107/5f0a0a1a7e708231d429b8b6/html5/thumbnails/1.jpg)
Lateral Movement Detection Using Distributed Data Fusion
Atul Bohara
PI: William H. Sanders
ACC Seminar, Sep. 28, 2016
Citation: Lateral Movement Detection Using Distributed Data Fusion. Ahmed Fawaz, Atul Bohara, Carmen Cheh, William H. Sanders. In Proceedings of 35th Symposium on Reliable Distributed Systems (SRDS 2016).
Slide Credits: some slides are taken from the presentation made at SRDS 2016 by Ahmed Fawaz
Introduction
Intrusion resilience
• Monitor the operation of the system
• Detect intrusions
• Take response actions
Volume of information that is required to construct a system-wide state can grow rapidly
Long-lasting targeted attacks pose more scalability challenges
Contributions
• A distributed data fusion framework for system resiliency.
• Agent-based monitoring and fusion mechanisms to detect lateral movement behavior in an enterprise system.
• A host-level monitor to infer connection causation relations.
Distributed Data Fusion Framework
We propose a fusion framework consisting of:
• A graph of agents
• A local transformation function
• A fusion transformation function
• A set of temporal propositions
Fusion Graph
A graph where the edges between the agents represent communication channels
(Figure: fusion graph of agents numbered 1 to 10)
Local Transformation
A function f to estimate local state
(Figure: fusion graph with agents 1, 2, 3 and 7 highlighted)
Fusion Transformation
A function g that fuses and abstracts local data and received data
(Figure: fusion graph with agents 1, 2, 3 and 4 highlighted)
Temporal Propositions
A temporal proposition defines trigger events
(Figure: fusion graph with agents 1, 2, 3, 4 and 10 highlighted)
Lateral Movement Detection: A Case Study
Stages of Advanced Persistent Threat (APT) Attacks
Recon
• Port scans
• Vulnerability scans
Initial Entry
• Phishing attacks
• Zero-days
Establish C&C
• Execute remote commands
• Meterpreter
Lateral Movement
• Use local services
Identify Targets
• Methods to exploit
Actions on Target
• Data exfiltration
• Target asset
Source: http://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/3142/carbanak-targeted-attack-campaign-hits-banks-and-financial-institutions
Lateral Movement Explained
• Starting from the entry point, the attacker moves to the target host
• Uses system services or custom tools
(Figure: Entry Point, Host 1 to Host 5, and Target Host)
In the News: Persistence, stealthiness, and lateral movement
Motivation
Lateral movement detection is challenging:
• Need to estimate system-wide state
• Information overhead
• Attacker uses legitimate network services
• Requires a global clock
Lateral movement detection enables proactive prevention and response before the actual damage (e.g., data exfiltration)
Lateral Movement Detection Overview
System Model
(Figure: system model with hosts grouped into Cluster 1 and Cluster 2)
Lateral Movement
A critical step during an APT: moving from the entry point to the target host
(Figure: Entry Point, Host 1 to Host 5 and Target Host; connections C1 and C2 from the entry point; cluster leaders L1 and L2, and GL)
Inside Host 1
Local agent infers connection causation using the Process Communication Graph
Collect timestamped events of:
• Processes running
• Process communication (pipes, messages, …)
• Network connections
• File access
The agent creates a timed directed graph of communication between processes
Causation is inferred via a path between incoming and outgoing connections
Inside Host 1
Local agent infers connection causation using the Process Communication Graph
(Figure: timeline of events on Host 1 involving processes P1, P3 and P4)
T=0: Connection 1 (C1)
T=1: Fork
T=2: Write file
T=3: Start app using image
T=4: Connection 2 (C2)
Inside Host 1
Local agent infers connection causation using the Process Communication Graph
Connection 1 (C1) at T=0 caused Connection 2 (C2) at T=4:
C1 ▷ C2 ⇒ t(C1) < t(C2)
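The host-level inference on slides 17 to 19, as an added example in Python (not the paper's prototype, which used DTrace on OS X). The timed directed graph has processes, files and connections as nodes and timestamped events as edges; C1 ▷ C2 is inferred when a path from the incoming connection to the outgoing one exists whose timestamps never decrease. The events are constructed to follow the slide's T=0..T=4 timeline; which process performs each step (P1 accepts C1, P1 forks P3, P3 writes the image, P4 is started from it and opens C2) is an assumption, since the slide only gives the event order.

```python
"""Connection causation over a Process Communication Graph (added example)."""
from collections import defaultdict
from typing import List, NamedTuple, Optional, Tuple


class Event(NamedTuple):
    t: int      # timestamp on the host's own clock; no global clock is needed
    src: str    # node information flows from ("conn:", "proc:" or "file:")
    dst: str    # node information flows to
    kind: str   # label used only for explanations


# Constructed events for the slide's timeline. The process assignment
# (P1 accepts C1, forks P3; P3 writes the image; P4 is started from the image
# and opens C2) is an assumption, as is the unrelated P9/C7 activity.
HOST1_EVENTS: List[Event] = [
    Event(0, "conn:C1", "proc:P1", "accept"),
    Event(1, "proc:P1", "proc:P3", "fork"),
    Event(2, "proc:P3", "file:image", "write"),
    Event(3, "file:image", "proc:P4", "exec"),      # start app using image
    Event(4, "proc:P4", "conn:C2", "connect"),
    Event(5, "proc:P9", "conn:C7", "connect"),      # no link to the C1 flow
]


def build_pcg(events: List[Event]):
    """Process Communication Graph as an adjacency list of timed edges."""
    g = defaultdict(list)
    for e in events:
        g[e.src].append(e)
    return g


def causal_path(g, src: str, dst: str) -> Optional[List[Event]]:
    """Depth-first search for a src->dst path whose timestamps never decrease.
    Information cannot flow from a later event to an earlier one, so a path
    that goes backwards in time is co-occurrence, not causation."""
    def dfs(node, t_min, path, seen):
        if node == dst:
            return path
        for e in sorted(g.get(node, []), key=lambda e: e.t):
            if e.t >= t_min and e.dst not in seen:
                found = dfs(e.dst, e.t, path + [e], seen | {e.dst})
                if found is not None:
                    return found
        return None
    return dfs(src, float("-inf"), [], {src})


def infer_causation(events: List[Event], incoming: List[str],
                    outgoing: List[str]) -> List[Tuple[str, str]]:
    """Emit (cin, cout) for every incoming/outgoing pair where cin ▷ cout.
    These pairs are what the host agent would send to its cluster head."""
    g = build_pcg(events)
    return [(cin, cout) for cin in incoming for cout in outgoing
            if causal_path(g, cin, cout) is not None]


def explain(events: List[Event], cin: str, cout: str) -> str:
    """Human-readable path behind a causation claim, for analyst review."""
    path = causal_path(build_pcg(events), cin, cout)
    if path is None:
        return f"{cin} does not cause {cout}"
    steps = " -> ".join(f"{e.src}@T={e.t}" for e in path) + f" -> {cout}"
    return f"{cin} ▷ {cout}: {steps}"


if __name__ == "__main__":
    print(infer_causation(HOST1_EVENTS, ["conn:C1"], ["conn:C2", "conn:C7"]))
    print(explain(HOST1_EVENTS, "conn:C1", "conn:C2"))
```

The monotone-timestamp check is the part worth keeping in any real implementation: without it, any two connections that share a long-lived process (a shell, a service) would be reported as causally linked, and the cluster-level chains built from these events would inherit the false positives.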
Lateral Movement
A critical step during an APT: moving from the entry point to the target host
(Figure: Entry Point, Host 1 to Host 5 and Target Host; connections C1 to C4 along the path; cluster leaders L1 and L2, and GL)
Causation events inferred by the host agents:
C1 ▷ C2
C2 ▷ C3
C3 ▷ C4
Inside Cluster Leader 1
Cluster head maintains the Host Communication Graph
(Figure: Host 1, Host 2, Host 3 and Host 4 in the cluster)
Incoming causation events:
C1 ▷ C2
C2 ▷ C3
C3 ▷ C4
Agents do not need to synchronize clocks:
C1 ▷ C2 ▷ C3 ▷ C4 ⇒ t(C1) < t(C2) < t(C3) < t(C4)
Lateral Movement
A critical step during an APT: moving from the entry point to the target host
(Figure: Entry Point, Host 1 to Host 5 and Target Host; connections C1 to C6 along the path; cluster leaders L1 and L2, and GL)
Causation events inferred by the host agents:
C1 ▷ C2
C2 ▷ C3
C3 ▷ C4
C4 ▷ C5
C5 ▷ C6
Fused events reported by the cluster leaders:
Cluster1 ▷ C4
Cluster2 ▷ C6
Discussion
The load of system-wide lateral movement chain collection is distributed over all agents
The method can fuse all process level information without overloading a single monitoring server
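The two fusion levels on slides 21 to 23, as an added example in Python (not the paper's code). Host agents report local facts "Cin ▷ Cout"; a cluster head joins them on the shared connection id into chains and summarises each chain that leaves the cluster ("Cluster1 ▷ C4"); the global leader joins the cluster summaries on the connection that crosses the boundary. Only the ▷ relation is used, never timestamps from different hosts, which is why no clock synchronization is needed. The topology, cluster membership, connection ids and the dead-end connection C8 are constructed for the example.

```python
"""Hierarchical fusion of connection-causation events (added example)."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Connection(NamedTuple):
    cid: str
    src_host: str
    dst_host: str


class CausationEvent(NamedTuple):
    host: str   # reporting agent; must sit at the dst of cin and the src of cout
    cin: str    # incoming connection id
    cout: str   # outgoing connection id it caused (cin ▷ cout)


# Constructed topology following the slides: Entry Point -> Host1 -> Host2 ->
# Host3 in Cluster1, then Host3 -> Host4 -> Host5 -> Target Host via Cluster2.
CONNECTIONS: Dict[str, Connection] = {c.cid: c for c in [
    Connection("C1", "EntryPoint", "Host1"),
    Connection("C2", "Host1", "Host2"),
    Connection("C3", "Host2", "Host3"),
    Connection("C4", "Host3", "Host4"),
    Connection("C5", "Host4", "Host5"),
    Connection("C6", "Host5", "TargetHost"),
    Connection("C8", "Host2", "Host3"),   # constructed dead-end connection
]}
CLUSTERS: Dict[str, Set[str]] = {"Cluster1": {"Host1", "Host2", "Host3"},
                                 "Cluster2": {"Host4", "Host5"}}

# Causation facts each host agent inferred locally and sent to its cluster head.
EVENTS: List[CausationEvent] = [
    CausationEvent("Host1", "C1", "C2"),
    CausationEvent("Host2", "C2", "C3"),
    CausationEvent("Host2", "C2", "C8"),
    CausationEvent("Host3", "C3", "C4"),
    CausationEvent("Host4", "C4", "C5"),
    CausationEvent("Host5", "C5", "C6"),
]


def cluster_fuse(cluster: str, members: Set[str], events, connections):
    """Cluster head: join members' causation events on shared connection ids
    into chains; return (cluster, exit connection, chain) for every chain
    whose last connection leaves the cluster. No timestamps are compared."""
    nxt = defaultdict(list)
    cins, couts = set(), set()
    for ev in events:
        if ev.host not in members:
            continue
        cin, cout = connections[ev.cin], connections[ev.cout]
        # An agent may only relate a connection it received to one it opened;
        # anything else is a malformed (or forged) report and is rejected.
        if cin.dst_host != ev.host or cout.src_host != ev.host:
            raise ValueError(f"{ev.host} reported {ev.cin} ▷ {ev.cout} but is not on both")
        nxt[ev.cin].append(ev.cout)
        cins.add(ev.cin)
        couts.add(ev.cout)
    chains: List[List[str]] = []

    def walk(chain):
        if not nxt.get(chain[-1]):
            chains.append(chain)
            return
        for c in nxt[chain[-1]]:
            if c not in chain:              # guard against cyclic reports
                walk(chain + [c])
    for start in sorted(cins - couts):      # connections entering the cluster
        walk([start])
    return [(cluster, ch[-1], ch) for ch in chains
            if connections[ch[-1]].dst_host not in members]


def global_fuse(summaries) -> List[Tuple[List[str], List[str]]]:
    """Global leader: join cluster summaries on the boundary connection
    (Cluster1 ▷ C4 continues as the chain starting with C4 in Cluster2)."""
    by_first = defaultdict(list)
    exits = set()
    for cluster, exit_c, chain in summaries:
        by_first[chain[0]].append((cluster, chain))
        exits.add(exit_c)
    results = []

    def walk(clusters, chain):
        extended = False
        for cluster, more in by_first.get(chain[-1], []):
            if cluster not in clusters:
                extended = True
                walk(clusters + [cluster], chain + more[1:])
        if not extended:
            results.append((clusters, chain))
    for cluster, _, chain in summaries:
        if chain[0] not in exits:           # chain starts outside every cluster
            walk([cluster], chain)
    return results


def implied_order(chain: List[str]) -> str:
    """C1 ▷ C2 ▷ ... implies t(C1) < t(C2) < ... without any shared clock."""
    return " < ".join(f"t({c})" for c in chain)


if __name__ == "__main__":
    summaries = []
    for name, members in CLUSTERS.items():
        summaries += cluster_fuse(name, members, EVENTS, CONNECTIONS)
    for clusters, chain in global_fuse(summaries):
        print(" -> ".join(clusters), " ▷ ".join(chain), implied_order(chain))
```

Each cluster head only sees its members' events and forwards one summary per exiting chain, which is the load distribution the discussion slide describes; the validation in cluster_fuse is the check a practitioner would want, since a single agent reporting causation for connections it is not on could otherwise stitch unrelated hosts into a chain.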
Results
• Simulation-based evaluation
• Evaluated storage and processing overhead, fairness of resource consumption, and quality of local state
• Clustering improves the scalability
• Better fairness and quality can be achieved through topology-aware clustering of hosts
• Implemented a prototype of the host-level process monitor
• Using DTrace on OS X
• Overhead is manageable
Conclusion
The data fusion framework is a generalized method for fusing monitoring information
Hierarchical fusion framework distributes the fusion loads across the network
Process communication at the host-level infers connection relations
Detection of malicious chains is not investigated
• This work provides a needed step towards that goal
Lateral Movement Detection Using Distributed Data Fusion. Ahmed Fawaz, Atul Bohara, Carmen Cheh, William H. Sanders. In Proceedings of 35th Symposium on Reliable Distributed Systems (SRDS 2016).
BACKUP SLIDES
Image Sources
• Ukraine: http://thehackernews.com/2016/01/Ukraine-power-system-hacked.html
• Target: https://securityledger.com/2015/12/target-agrees-to-pay-39m-to-banks-for-data-breach-reuters/
• OPM: http://thehackernews.com/2015/09/opm-hack-fingerprint.html
• Stuxnet: http://www.mapsofworld.com/around-the-world/recent-hacking-incidents.html