Blog :: Security Operations

Tracking Malware Lateral Movement

When many of us think about malware, words like ransomware and key loggers immediately come to mind.  Although these types of contagions can certainly be disruptive, an even bigger concern is an advanced persistent threat (APT).  These types of insurgencies are not looking for the quick buck turnaround.  In contrast to mom and pop malware, the APT goal is generally to get in, setup camp and spread by moving laterally within the organization. Rather than making the host suffer for a onetime event, the APT is in it for the long haul.

Advanced Persistent Threats

The reason the APT wants to stay inside an organization indefinitely is to perform reconnaissance for the command and control servers.  They might search for files locally that contain certain names.  They might log key strokes, read emails and look for intellectual property that may provide value to someone on the black market. Generally and APT isn’t interested in disrupting business as usual but, rather they want to compromise the intellectual property that makes the company valuable.

Authentication Credentials

In order to find desired information, the infection needs to spread to other machines that can assist in the overall information gathering effort. To do this, the malware may take advantage of mapped drives or reach out to other machines the local host commonly connects to and this generally requires login credentials.

In the Verizon “2017 Data Breach Investigations Report” it was reported that 81% of hacking-related breaches leveraged either stolen and/or weak passwords.

Tracking Malware Lateral Movement

With a very high volume of lateral movements requiring authentication credentials, it became obvious to us that we needed to somehow monitor for authentications that appear out of the norm. As a result, we started maintaining a baseline of every username in the company as well as the corresponding machines that it authenticates to.  Before we started triggering for changes in what employees were authenticating to we decided to allow for moderate changes over time.  This lead to a baseline structure that can evolve as behaviors change however, for variances that are much larger than allowed thresholds, we can trigger events that lead to alarms and notifications.

Below is an example of the hosts that a single username has authenticated to:

discovering malware lateral movement

Building in the above functionality into our flow collector was a logical progression for our Flow Analytics behavior monitoring system. Since we already integrate with Cisco ISE, Microsoft Active Directory, CounterACT, LDAP, Radius and others to gather usernames to IP address pairs, keeping track of who is authenticating to what over time was a relatively simple value add.  It also brings significant value to our customer base.

Building a Behavior Baseline

By learning over a period of days or weeks – who is authenticating to what on a fairly regular basis, we can then start to recognize authentication behaviors that appear irregular or beyond a threshold of tolerance which of course triggers events.  Now you can begin to see that once we have the data, we can start discovering what could be malware movement within the company.

Start Discovering Malware Movement

With the lions share of the most insidious forms of infections using stolen credentials for malware lateral movement, it seems obvious that corporations need to move toward some sort of authentication name and IP address pair behavior monitoring.  Reach out to our team to learn more about this progressive strategy for uncovering how 81% of the malware on the market is spreading on internal networks.