The easiest way to understand lateral movement on the network is to envision attackers pivoting through multiple accounts and systems. They often add permissions and elevate privileges as they go.
Attackers do this to reach high-value targets on your network with an intent to disrupt operations or encrypt and exfiltrate your data.
In the face of modern attacks, network defenders need a new type of tool to detect lateral movement on the network, regardless of encryption.
Attackers are hiding within encrypted traffic, and current approaches fail to detect this crucial stage of a cyberattack.
Research shows attackers now spend more time undetected within a breached network than ever before. It is during this time that lateral movement occurs.
Clearly, security teams need a new method of threat detection.
Encrypted Traffic Analysis Uncovers Lateral Movement
Live Action’s ThreatEye uses Encrypted Traffic Analysis (ETA) combined with machine learning (ML) to detect the stages of lateral movement. This approach looks at the behavior of traffic regardless of its encryption status.
ETA allows defenders to detect anomalies in both encrypted and unencrypted traffic as the stages of lateral movement unfold.
Five stages of lateral movement
- Discovery – what does the organization have of value on the network?
- Access – what kind of credentials are needed to reach the data & systems of value?
- Penetration – using acquired/stolen credentials and pathways to get deeper into the network
- Exploitation – using the network penetration to steal/encrypt data or disrupt net ops
- Repeat these steps
These steps can create a lot of noise. Attackers are hiding that noise within encrypted network traffic. However, Encrypted Traffic Analysis with ML looks at the behavior of encrypted traffic and rapidly detects the noise of lateral movement.
This method identifies unique network behaviors where an endpoint attempts to extend its local associations outside its normal collection of assets. These behaviors can include interactive sessions, stepping stones, data migration, data concentration, and exfiltration.
Encrypted Traffic Analysis Accelerates Detection
Once it detects unexpected actions or behaviors, LiveAction’s ThreaEye NV correlates and enriches the traffic. It adds relevant details, risk scores, and MITRE ATT&CK labeling. This step qualifies, simplifies, and accelerates investigation for defenders and SOCs.
Taking your Network Detection and Response (NDR) strategy to the next level is possible using ThreatEye. Request a personalized demonstration.