Lateral Movement Detection
Detect East/West lateral movement and attack activity as adversaries look for systems to compromise, early in the attack cycle.
Overview
Attackers have ways to evade defenses and gain a beachhead on an internal system, but they must then move to expand their foothold. They conduct discovery and reconnaissance to find critical AD objects, live hosts, and services to exploit, and they steal and reuse credentials to escalate privileges as they move around within the network.
To combat this threat, organizations are turning to the Attivo Networks ThreatDefend platform’s lateral movement defenses, which impede attackers from gathering intelligence on AD accounts, live hosts, open services, data, and credentials, disrupting their ability to compromise systems and traverse the network undetected. The platform detects and alerts on lateral movement, credential theft, network discovery, and privilege escalation activities quickly and accurately so the organization can react to these attempts early in the attack cycle and reduce the risk of a breach.
Lateral Movement Risk
54% of techniques used to test lateral movement are missed, and 96% of lateral movement behaviors did not have a corresponding alert in the SIEM.
— Mandiant Security Effectiveness Report 2020
80 percent of security breaches involve weak, default, stolen, or otherwise compromised privileged credentials.
— Forrester
The vast majority of malware is written to elevate privileges and move laterally in an environment.
— FireEye M-Trends 2020
Nearly 60% of attacks now involve lateral movement…
— Carbon Black Global Threat Report 2019
Detect and Disrupt Malicious East/West Traffic
The ThreatDefend platform offers mechanisms to detect and disrupt intelligence gathering, network discovery, credential theft, and other lateral movement activities through the Endpoint Detection Net (EDN) family of products and the BOTsink deception server, whose overlapping and supporting functions disrupt the attack and impede the attackers’ progress. The platform alerts during the reconnaissance, lateral movement, and privilege escalation phases of the attack, giving organizations early warning that attackers are attempting to infiltrate their networks.
Detect and Disrupt
The ThreatDefend platform offers mechanisms to detect and disrupt intelligence gathering, network discovery, credential theft, and other lateral movement activities.
- Detects attempts to steal credentials or unauthorized AD queries
- Stores deceptive credentials and data on endpoints that lead to decoys
- Returns fake results on unauthorized AD queries that lead to decoys
- Hides local administrator accounts, files, folders, removable storage, or cloud and network shares
- Detects inbound or outbound attempts to fingerprint hosts or connect to non-active ports and forwards the traffic to decoys for engagement
- Isolates attacking systems by forwarding all outbound traffic to decoys
- Creates network decoys to engage with attackers
- Detects network discovery and MitM activity
- Alerts on attacker engagement
- Records all attack and communications activities
- Collects forensic evidence
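As an added illustration of the kind of check behind "detects attempts to connect to non-active ports and forwards the traffic to decoys" (example code written for this page, not ThreatDefend or Attivo Networks code), the snippet below scores sources in a constructed connection log against a constructed inventory of listening ports and lists which flows would be candidates for decoy redirection:

```python
# Added illustration, not Attivo/ThreatDefend code. Inventory and log lines
# are constructed sample data; the threshold and decoy address are assumptions.
from collections import defaultdict

# Constructed: ports that actually listen on each internal host.
LISTENING = {
    "10.0.1.10": {22, 443},
    "10.0.1.11": {445, 3389},
    "10.0.1.12": {80},
}

# Constructed connection attempts, one "src dst dport" record per line.
SAMPLE_LOG = """\
10.0.2.5 10.0.1.10 443
10.0.2.5 10.0.1.10 445
10.0.2.5 10.0.1.11 22
10.0.2.5 10.0.1.12 3389
10.0.2.5 10.0.1.12 445
10.0.2.9 10.0.1.10 22
10.0.2.9 10.0.1.11 445
"""

def parse(log):
    """Yield (src, dst, port) tuples from the whitespace-separated log."""
    for line in log.splitlines():
        src, dst, port = line.split()
        yield src, dst, int(port)

def analyze(log, listening, threshold=3):
    """Summarise, per source, attempts against ports that do not listen.
    A source reaching the threshold of such 'dark' attempts, spread across
    hosts, looks like east/west discovery rather than a stray misconfig."""
    dark = defaultdict(set)  # src -> {(dst, port)} on non-listening ports
    for src, dst, port in parse(log):
        if dst in listening and port not in listening[dst]:
            dark[src].add((dst, port))
    return {
        src: {
            "dark_hits": len(hits),
            "hosts_touched": len({dst for dst, _ in hits}),
            "suspect": len(hits) >= threshold,
            "flows": sorted(hits),
        }
        for src, hits in dark.items()
    }

def flows_to_decoy(log, listening, decoy="10.0.9.9", threshold=3):
    """Return (src, original_dst, port, decoy) for flows from suspect sources;
    these are the connections a deception layer would steer to the decoy."""
    verdicts = analyze(log, listening, threshold)
    return [(src, dst, port, decoy)
            for src, v in verdicts.items() if v["suspect"]
            for dst, port in v["flows"]]
```

A legitimate host that hits one closed port stays below the threshold, while a source probing several closed ports across multiple hosts is flagged and its dark flows are routed to the decoy.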
Benefits
Organizations choose Attivo Networks detection to:
- Get substantiated detection of discovery and lateral movement activities.
- Deny attackers the ability to move laterally while remaining undetected.
- Derail attacker discovery attempts to fingerprint systems for attack.
- Misdirect and misinform attacker attempts to collect data for the attack.
- Negate attacker attempts to escalate privileges to progress the attack.
- Mitigate attacker damage by isolating communications to the decoy environment.
“The most important thing you do is provide me alerts based on confirmed activity… you are my eyes and ears on the inside of my network… the nerve center”
— Sr Director Info Sec at Top 50 Retail Organization