Lurking in the Shadows: Top 5 Lateral Spread Threat Behaviors

April 1, 2019
Vectra AI Security Research team
Lurking in the Shadows: Top 5 Lateral Spread Threat Behaviors

As the threat landscape evolves, the Vectra team sees budgets used to double down on larger security teams and expand perimeter defenses. It stems from an effort to increase threat detections and accelerate triage.

Unfortunately, this is a false premise.

Practitioners have acknowledged as much, beginning with a recent technical recommendation from Gartner. In a blog, Gartner makes the salient point that, “For years, the idea of network threat detection was synonymous with intrusion detection and prevention systems (IDPS).”

“Today’s NTA systems carry some ‘DNA’ from those early anomaly-based IDS systems, but they are substantially different in purpose and focus much less on detecting the initial intrusions,” the report states.

“The differences in intent and preferred approaches have expanded the practice of using network data for security to other modern tools, such as NTA.”

While there are several reasons that drive this rationale, the ability to see “east-west” traffic is foundational. An organization is in its most vulnerable state once lateral movement occurs – vulnerabilities have been exploited, perimeters have been evaded.

Attackers quickly race and spread laterally to other strategic points in the network, collect information and ultimately exfiltrate or destroy data.  This is also relevant when the same organizations encounter insider threat activity.

Of course, the approach is philosophically reasonable. But it begs two practical questions: What behaviors should I even be looking for and how do I identify those behaviors efficiently and accurately?

At Vectra, we observe and identify lateral movement behaviors across customers’ networks when they opt-in to share metadata with us. In our most recent Attacker Behavior Industry Report released at the 2019 RSA Conference last month, it was an increasingly common behavior.

As you consider how you equip your security teams to identify lateral movement behaviors, we encourage you to evaluate the efficacy of your processes and tools to identify and quickly respond to the following lateral movement behaviors that we commonly observe:

1. Automated replication

An internal host device sends similar payloads to several internal targets. This might be the result of an infected host sending one or more exploits to other hosts in an attempt to infect additional hosts.

2. Brute force movement

An internal host makes excessive login attempts on an internal system. These behaviors occur via different protocols (e.g. RDP, VNC, SSH) and could indicate memory-scraping activity.

3. Malicious Kerberos account activity

A Kerberos account is used at a rate that far exceeds its learned baseline and most of the login attempts failing.

4. Suspicious administrator behaviors

The host device uses protocols that correlate with administrative activity (e.g. RDP, SSH) in ways that are considered suspicious.

5. Brute force movement via SMB

An internal host utilizes the SMB protocol to make many login attempts using the same accounts. These behaviors are consistent with brute-force password attacks.

Of course, the severity and frequency will vary depending on your industry and line of business. To learn more about the behaviors that are most common in your industry, we encourage you to read our Attacker Behavior Industry Report.

I’d also suggest reaching out to a Vectra representative for a consultative discussion on a full spectrum of attacker behaviors that we have codified into our AI-driven Cognito network detection and response platform.

*Gartner Blog Network, ”Applying Network-Centric Approaches for Threat Detection and Response”  by Anton Chuvakin, March 19, 2019