Mandiant, Inc.
Post-intrusion detection of cyber-attacks during lateral movement within networks

Abstract:

A method and system to detect cyber-attacks by analyzing client-server or other east-west traffic within an enterprise network is disclosed. East-west traffic comprises communications between network devices within the enterprise network, in contradistinction to north-south traffic which involves communications intended to traverse the periphery of the enterprise network. The system includes a network interface to receive the network traffic; analysis logic to analyze communications within the received network traffic to identify a set of indicators; correlation logic to assemble one or more groups of weak indicators from the set of indicators, and conduct an analysis to determine whether each of the groups of weak indicators is correlated with known malicious patterns or sequences of indicators, thereby producing at least one strong indicator from which a determination can be made of whether a cyber-attack is being conducted.