In the game of whack-a-mole, the player’s objective is to hit a target that keeps popping up in different places. It’s a fun game that exercises one’s reflexes and motor skills.
Unfortunately, a similar and far less entertaining game is played every day in security operations centers across organizations of every size. What makes it hard for incident responders is the adversary's movement: hopping from one endpoint to another, from one workstation to the next. This is called lateral movement. Attackers move laterally for many reasons: to establish additional persistence points beyond their initial foothold (the so-called "beachhead"), to steal data from a server, and sometimes to stage the next phase of the attack from the new host (network enumeration or credential theft, for example).
Chasing such activity is time-consuming and very difficult. Network monitoring tools may have recorded all of the intra-network traffic, and endpoint logs may have picked up the adversary's actions. The problem lies in finding and correlating those seemingly unrelated events in a haystack of terabytes of data. As security personnel, we want to know how the attacker created a new user account with administrative privileges on the CFO's workstation, and where the attacker came from. To answer that, we have to sift through the details of thousands of network connections and find the one that lines up with the account creation. In short, sift through terabytes of data. Not easy.
And what if the attacker has deleted all traces of their actions? There would be no files to examine, no malware to analyze, no logs to look at.
Here at CounterTack, we are determined to solve this problem. Our goal is not only to mine the data and present clear information about who, what, when, where and how, but also to deliver that information as actionable intelligence. In other words, once malicious activity is detected, you can take immediate remediation action.
Here we analyze one such use case, in which lateral movement is coupled with remote program execution.
Here's an Example of How This Process Works
Sentinel collects information from every endpoint in the enterprise. To identify lateral movement, Sentinel correlates the outbound connection recorded on one endpoint with the matching inbound connection recorded on another, so that each pair of endpoints involved is known.
Once such a pair is identified, we look at the process that received the connection and check whether that process has also written any files to disk.
Because the network connection details define this lateral movement, we also know how the file was copied from the originating endpoint to the target (most often this kind of activity uses the hidden administrative shares, such as ADMIN$).
Following the file write, we look for an event in which the written file is used to start a process (the file was the process image). We then record the command line with which that process was started.
Furthermore, we record the command line arguments and all other relevant process information for any child processes it creates.
Therefore, even when the attacker removes their traces (for example, by using PsExec's copy option, 'psexec -c evil.exe': once PsExec exits, it deletes both its remote service binary and evil.exe from the target), all of the actions have already been recorded by Sentinel, together with the hashes of the executables involved.
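To make the correlation steps above concrete, here is an added illustration in Python of the same chain: pair an outbound connection with its inbound counterpart, find files written by the receiving process, find those files being executed, and walk the resulting process tree. This is example code written for this page, not Sentinel's code; the telemetry records, their field names, and the assumption that the SMB receiver on the target is the System process (pid 4) are all constructed here for the walkthrough.

```python
"""Correlate endpoint telemetry into a lateral-movement chain.

Added illustration, not CounterTack/Sentinel code. All events below are
constructed; field names and the System (pid 4) receiver for SMB are assumptions.
"""
from collections import defaultdict

# Constructed sample telemetry: a PsExec-style copy-and-run from WS-ALICE to WS-CFO.
EVENTS = [
    {"host": "WS-ALICE", "type": "net_out", "ts": 100, "pid": 4120,
     "image": r"C:\Tools\psexec.exe", "src": "10.0.0.5:49710", "dst": "10.0.0.9:445"},
    {"host": "WS-CFO", "type": "net_in", "ts": 100, "pid": 4,
     "image": "System", "src": "10.0.0.5:49710", "dst": "10.0.0.9:445"},
    {"host": "WS-CFO", "type": "file_write", "ts": 101, "pid": 4,
     "path": r"C:\Windows\PSEXESVC.exe", "sha256": "a1" * 32},
    {"host": "WS-CFO", "type": "file_write", "ts": 101, "pid": 4,
     "path": r"C:\Windows\evil.exe", "sha256": "b2" * 32},
    {"host": "WS-CFO", "type": "process_start", "ts": 102, "pid": 5200, "ppid": 700,
     "image": r"C:\Windows\PSEXESVC.exe", "cmdline": "PSEXESVC.exe", "sha256": "a1" * 32},
    {"host": "WS-CFO", "type": "process_start", "ts": 103, "pid": 5300, "ppid": 5200,
     "image": r"C:\Windows\evil.exe", "cmdline": "evil.exe -s", "sha256": "b2" * 32},
    {"host": "WS-CFO", "type": "process_start", "ts": 104, "pid": 5400, "ppid": 5300,
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user backdoor P@ssw0rd /add", "sha256": "c3" * 32},
    {"host": "WS-CFO", "type": "process_start", "ts": 105, "pid": 5500, "ppid": 5300,
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net localgroup administrators backdoor /add", "sha256": "c3" * 32},
    # Cleanup: the copied binary is removed, but the chain above is already recorded.
    {"host": "WS-CFO", "type": "file_delete", "ts": 110, "path": r"C:\Windows\evil.exe"},
    # Noise: an outbound connection with no matching inbound record on any endpoint.
    {"host": "WS-ALICE", "type": "net_out", "ts": 200, "pid": 3000,
     "image": r"C:\Program Files\Browser\browser.exe",
     "src": "10.0.0.5:50001", "dst": "93.184.216.34:443"},
]


def pair_connections(events, window=5):
    """Step 1: match an outbound record on one host with the inbound record of the
    same (src, dst) tuple on a different host, within `window` seconds."""
    inbound = defaultdict(list)
    for e in events:
        if e["type"] == "net_in":
            inbound[(e["src"], e["dst"])].append(e)
    for out in events:
        if out["type"] != "net_out":
            continue
        for inb in inbound.get((out["src"], out["dst"]), []):
            if inb["host"] != out["host"] and abs(inb["ts"] - out["ts"]) <= window:
                yield out, inb


def descendants(events, host, root_pid):
    """Step 4: walk process_start events by ppid to collect the whole subtree."""
    starts = [e for e in events if e["type"] == "process_start" and e["host"] == host]
    tree, frontier = [], [root_pid]
    while frontier:
        pid = frontier.pop()
        for s in starts:
            if s["ppid"] == pid:
                tree.append(s)
                frontier.append(s["pid"])
    return tree


def find_lateral_movement(events, window=60):
    """Return one finding per dropped-then-executed file on a target endpoint."""
    findings = []
    for out, inb in pair_connections(events):
        host, pid, t0 = inb["host"], inb["pid"], inb["ts"]
        # Step 2: files written by the receiving process shortly after the connection.
        writes = {e["path"]: e for e in events
                  if e["type"] == "file_write" and e["host"] == host
                  and e["pid"] == pid and t0 <= e["ts"] <= t0 + window}
        # Step 3: any of those files later used as a process image on the same host.
        execs = [e for e in events if e["type"] == "process_start"
                 and e["host"] == host and e["image"] in writes]
        for root in execs:
            findings.append({
                "source": out["host"], "source_image": out["image"],
                "target": host, "receiver_pid": pid,
                "dropped": sorted(writes),
                "executed": root["image"], "sha256": root["sha256"],
                "cmdline": root["cmdline"],
                "children": [c["cmdline"] for c in descendants(events, host, root["pid"])],
            })
    return findings


if __name__ == "__main__":
    for finding in find_lateral_movement(EVENTS):
        print(finding)
```

The later file_delete event does not affect the result: the hash of evil.exe and the command lines of the net.exe children were captured when the process-start events were recorded, which is the point the paragraph makes about PsExec cleaning up after itself. The unmatched browser connection produces no finding because no endpoint recorded the inbound side.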
The endgame in tracking lateral movement comes down to three objectives:
- Cutting down attacker dwell time and placing behaviors in context for end-users
- Reducing the impact, potential impact or even predicted impact of a particular threat
- Mitigating any damage by knowing exactly how to respond, or automatically triggering a response to quarantine systems to contain that threat