Mandiant, Inc.
Centralized aggregation technique for detecting lateral movement of stealthy cyber-attacks

Last updated:

Abstract:

A centralized aggregation technique detects lateral movement of a stealthy (i.e., covert) cyber-attack (SC-attack) in an enterprise network. A data center security (DCS) appliance may be located at a data center of the enterprise network, a malware detection system (MDS) appliance may be located at the periphery of the network, an endpoint may be located internally within the enterprise network, and an attack analyzer may be centrally located in the network. The appliances and the endpoint may provide the results of their heuristics to the attack analyzer, where those results may be used to detect one or more tools downloaded to the endpoint, as well as the resulting actions of the endpoint, to determine whether the tools and actions manifest observable behaviors of the lateral movement of the SC-attack. The observable behaviors may include (i) unauthorized use of legitimate credentials obtained at the endpoint and (ii) unusual access patterns, via actions originating at the endpoint, to acquire sensitive information stored on one or more servers on the network. The attack analyzer may then collect and analyze the information related to the observable behaviors provided by the appliances and the endpoint to create a holistic view of the lateral movement of the SC-attack.
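The abstract describes an architecture rather than an implementation: several sensors (a DCS appliance in the data center, an MDS appliance at the periphery, an agent on the endpoint) forward heuristic results to one central analyzer, which correlates them per endpoint into a lateral-movement verdict. The following is an added illustration of that correlation step, not code from the patent or from Mandiant; the event schema (`source`, `endpoint`, `kind`, `user`, `target`), the baseline table `EXPECTED_HOST`, the threshold `MAX_DISTINCT_SERVERS` and the sample events are all constructed assumptions.

```python
"""Toy centralized attack analyzer (added example, not the patent's code).

Three sensor types report heuristic results to the analyzer, which folds them
into one view per endpoint and checks for the two observable behaviors named
in the abstract: (i) a legitimate credential used from a host it does not
belong to, and (ii) an unusual access pattern against sensitive servers.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample heuristic results; the field names are an assumption.
SAMPLE_EVENTS = [
    # MDS at the periphery sees a tool delivered to the endpoint
    {"source": "MDS", "endpoint": "ws-017", "kind": "tool_download",
     "detail": "credential-dumping utility", "ts": 100},
    # endpoint agent sees a credential obtained locally, then used
    {"source": "endpoint", "endpoint": "ws-017", "kind": "credential_obtained",
     "user": "svc-backup", "ts": 110},
    {"source": "endpoint", "endpoint": "ws-017", "kind": "credential_use",
     "user": "svc-backup", "target": "fs-01", "ts": 120},
    # DCS in the data center sees that credential spread across servers
    {"source": "DCS", "endpoint": "ws-017", "kind": "server_access",
     "user": "svc-backup", "target": "fs-01", "ts": 121},
    {"source": "DCS", "endpoint": "ws-017", "kind": "server_access",
     "user": "svc-backup", "target": "db-02", "ts": 130},
    {"source": "DCS", "endpoint": "ws-017", "kind": "server_access",
     "user": "svc-backup", "target": "hr-03", "ts": 140},
    # a benign endpoint: its own user, its usual server
    {"source": "endpoint", "endpoint": "ws-042", "kind": "credential_use",
     "user": "alice", "target": "fs-01", "ts": 200},
    {"source": "DCS", "endpoint": "ws-042", "kind": "server_access",
     "user": "alice", "target": "fs-01", "ts": 201},
]

# Assumed baseline: the host each account normally authenticates from, and
# how many distinct servers one account may touch before it looks unusual.
EXPECTED_HOST = {"svc-backup": "backup-01", "alice": "ws-042"}
MAX_DISTINCT_SERVERS = 2


@dataclass
class EndpointView:
    """Everything the analyzer has collected about one endpoint."""
    sources: set = field(default_factory=set)
    tools: list = field(default_factory=list)
    credentials_obtained: set = field(default_factory=set)
    credential_misuse: set = field(default_factory=set)
    servers_by_user: dict = field(default_factory=lambda: defaultdict(set))


def aggregate(events):
    """Fold per-sensor heuristic results into one view per endpoint."""
    views = defaultdict(EndpointView)
    for ev in events:
        view = views[ev["endpoint"]]
        view.sources.add(ev["source"])
        kind = ev["kind"]
        if kind == "tool_download":
            view.tools.append(ev["detail"])
        elif kind == "credential_obtained":
            view.credentials_obtained.add(ev["user"])
        elif kind == "credential_use":
            # behavior (i): legitimate credential used away from its home host
            if EXPECTED_HOST.get(ev["user"]) != ev["endpoint"]:
                view.credential_misuse.add(ev["user"])
        elif kind == "server_access":
            view.servers_by_user[ev["user"]].add(ev["target"])
    return views


def assess(view):
    """Turn one endpoint's view into a verdict plus human-readable reasons."""
    reasons = []
    if view.tools:
        reasons.append("tool downloaded: " + ", ".join(view.tools))
    if view.credential_misuse:
        reasons.append("credential used away from its home host: "
                       + ", ".join(sorted(view.credential_misuse)))
    # behavior (ii): one account fanning out across many servers
    unusual_patterns = 0
    for user, servers in sorted(view.servers_by_user.items()):
        if len(servers) > MAX_DISTINCT_SERVERS:
            unusual_patterns += 1
            reasons.append(f"{user} reached {len(servers)} servers: "
                           + ", ".join(sorted(servers)))
    # Lateral movement is asserted only when evidence corroborates: something
    # staged on the endpoint (tool or harvested credential) plus a behavior.
    staged = bool(view.tools or view.credentials_obtained)
    behaviors = int(bool(view.credential_misuse)) + unusual_patterns
    if staged and behaviors:
        verdict = "lateral_movement"
    elif behaviors:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return verdict, reasons


def analyze(events):
    """Return {endpoint: {"verdict", "reasons", "sources"}} for each endpoint seen."""
    report = {}
    for endpoint, view in aggregate(events).items():
        verdict, reasons = assess(view)
        report[endpoint] = {"verdict": verdict, "reasons": reasons,
                            "sources": set(view.sources)}
    return report


if __name__ == "__main__":
    for endpoint, entry in analyze(SAMPLE_EVENTS).items():
        print(endpoint, entry["verdict"], sorted(entry["sources"]))
        for reason in entry["reasons"]:
            print("   -", reason)
```

The point of the central analyzer is that no single sensor sees enough to decide: the MDS alone sees a download, the endpoint agent alone sees one login, the DCS alone sees three server accesses by a service account. Only the per-endpoint aggregate ties the staged tool and harvested credential to the misuse and the fan-out, which is why `assess` requires corroboration before it reports `lateral_movement` rather than `suspicious`.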

Status:

Grant

Type:

Utility

Filing date:

31 Mar 2016

Issue date:

22 Oct 2019