Trick or threat: 5 tips to discovering — and thwarting — lateral movement with data
We know ghouls and ghosts aren’t the only things keeping you up this spooky season. Bad actors are getting smarter with their attacks, using tactics and techniques that baffle even the most seasoned cyber professionals.
Discovering — and thwarting — lateral movement can be particularly difficult because of disjointed but established software security tools that cannot always identify unwarranted access or privilege escalation. Many behaviors, like pivoting between computer systems, devices and applications, can appear as if they’re from a legitimate user, allowing bad actors to go undetected in environments.
Threat hunters are critical to exposing lateral movement activities. But much like hunting monsters in the dark, threat hunting using manual detection processes against large datasets is a scary task — one that is time-consuming and tedious. With the help of advanced tools like AI and machine learning (ML), hunters can analyze massive amounts of data quickly to pick up the faintest signals of nefarious activities. Data breach lifecycles have proven to be up to 108 days shorter compared to organizations that do not use some form of AI/ML in their practice. 1
Best practices for using AI/ML to detect lateral movement
At the end of the day, your threat hunters can still have the advantage. No one knows your environment better than you do. By building AI/ML models fueled by data from your environment, your threat hunters can detect — and ultimately thwart — lateral movement before the bad actors escalate further in the cyber kill chain.
Models, processes, and procedures are often bespoke, but a few time-tested best practices can accelerate threat detections and response. For lateral movement, this might look like using data about your users, their assets, and their business tool access to identify activities that indicate data exfiltration and espionage. Let's take a look at these best practices in the context of a lateral movement use case:
Store as much relevant data as possible for as long as possible. Investigating and finding evidence of lateral movement may require analyzing months or years of data because adversaries can be present but undetected for days, months — or even years. Raw and processed data, which has been deduplicated and contextualized, should be stored in an accessible, cost-effective data storage repository for threat hunters to run their queries.
Create baselines based on business facts and historical actions. Data scientists who work with business data should collaborate with threat hunters to develop and define baselines based on the hypothesis for a given use case. Typically, this means describing the environment or situation ‘right now’ and searching for deviations to indicate malicious activity. Creating proper baselines requires expertise to know what attributes and data points to use and how to use them. Regarding lateral movement, baselines should be based on factual and historical data reflecting business goals, past scenarios, hypotheses or triggers, and infrastructure conditions. Baselines created without context are meaningless.
Use the data with the best tools. Even with AI/ML, human interaction and judgment are still required. But data analysis doesn’t happen by itself. Data is often compiled and aggregated in a data lake, only to be ignored or underutilized. SIEMs can provide short-term storage and analysis of security data, but when you are threat hunting, you need more than just noisy security data. To get the best of both worlds, data transformation needs to be performed early in the pipeline so threat hunters have clean, enriched data they can trust and tools they are familiar with.
Produce accurate, data-driven reports. Producing meaningful KPIs and reports helps executive sponsors find value in threat hunting activities and encourage ongoing program investment. KPIs also help validate the efficacy of hunts even if nothing is found. For example, investigating a suspected lateral movement breach may have found no bad actor activity. The proper reporting underscores and validates the hunt was done soundly and backed up the baselines and KPIs.
Allocate a budget. Threat hunting can be an expensive and active cyber defense activity. When a trail is hot, hunters want to follow it. It’s important to allocate a budget for data storage, internal and outsourced resources, and multiple, compute-intensive queries. Creating a budget ensures that security teams have the resources they need when they need it most. “After the fact” prioritization once a breach or lateral movement has been detected will not only leave the organization at risk but will likely be a slow process or provide inaccurate findings. So, planning, as with any cyber security initiative, pays off.