
Lurking in the shadows: Top 5 lateral spread threat behaviors

By:
Kevin Sheu
April 1, 2019

As the threat landscape evolves, the Vectra team sees budgets used to double down on larger security teams and expand perimeter defenses. It stems from an effort to increase threat detections and accelerate triage.

Unfortunately, this is a false premise.

Practitioners have acknowledged as much, beginning with a recent technical recommendation from Gartner. In a blog, Gartner makes the salient point that, “For years, the idea of network threat detection was synonymous with intrusion detection and prevention systems (IDPS).”

“Today’s NTA systems carry some ‘DNA’ from those early anomaly-based IDS systems, but they are substantially different in purpose and focus much less on detecting the initial intrusions,” the report states. “The differences in intent and preferred approaches have expanded the practice of using network data for security to other modern tools, such as NTA.”

While there are several reasons that drive this rationale, the ability to see “east-west” traffic is foundational. An organization is in its most vulnerable state once lateral movement occurs – vulnerabilities have been exploited, perimeters have been evaded.

Attackers quickly spread laterally to other strategic points in the network, collect information and ultimately exfiltrate or destroy data. The same applies when an organization encounters insider threat activity.

Of course, the approach is philosophically reasonable. But it raises two practical questions: What behaviors should I even be looking for, and how do I identify those behaviors efficiently and accurately?

At Vectra, we observe and identify lateral movement behaviors across customers’ networks when they opt in to share metadata with us. In our most recent Attacker Behavior Industry Report, released at the 2019 RSA Conference last month, lateral movement was an increasingly common behavior.

As you consider how you equip your security teams to identify lateral movement behaviors, we encourage you to evaluate the efficacy of your processes and tools to identify and quickly respond to the following lateral movement behaviors that we commonly observe:

  1. Automated replication. An internal host device sends similar payloads to several internal targets. This might be the result of an infected host sending one or more exploits to other hosts in an attempt to infect additional hosts.
  2. Brute force movement. An internal host makes excessive login attempts on an internal system. These behaviors occur via different protocols (e.g. RDP, VNC, SSH) and could indicate memory-scraping activity.
  3. Malicious Kerberos account activity. A Kerberos account is used at a rate that far exceeds its learned baseline, with most of the login attempts failing.
  4. Suspicious administrator behaviors. The host device uses protocols that correlate with administrative activity (e.g. RDP, SSH) in ways that are considered suspicious.
  5. Brute force movement via SMB. An internal host utilizes the SMB protocol to make many login attempts using the same accounts. These behaviors are consistent with brute-force password attacks.
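As an added illustration that is not part of the original post or of Vectra's product, the following shows how behaviors 1, 2, 3 and 5 above can be expressed as simple detection rules over internal network metadata; the record layout, the sample records, the thresholds and the learned baseline values are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample of internal network metadata, NOT Vectra data.
# Each record: (src_host, dst_host, protocol, account, outcome, payload_hash)
RECORDS = (
    # behavior 1: 10.0.0.5 pushes the same payload to four internal peers
    [("10.0.0.5", f"10.0.0.{n}", "smb", "", "ok", "payload-A") for n in (11, 12, 13, 14)]
    # behavior 2: 10.0.0.7 fails RDP logins against 10.0.0.20 eight times
    + [("10.0.0.7", "10.0.0.20", "rdp", "admin", "fail", "")] * 8
    # behavior 5: 10.0.0.6 hammers one SMB server with the same account
    + [("10.0.0.6", "10.0.0.21", "smb", "backup", "fail", "")] * 7
    # behavior 3: svc-backup normally makes ~2 Kerberos requests per window; here 12, 10 failing
    + [("10.0.0.9", "dc01", "kerberos", "svc-backup", "fail", "")] * 10
    + [("10.0.0.9", "dc01", "kerberos", "svc-backup", "ok", "")] * 2
    # benign noise: one successful SSH login and one normal Kerberos request
    + [("10.0.0.8", "10.0.0.30", "ssh", "ops", "ok", ""),
       ("10.0.0.8", "dc01", "kerberos", "ops", "ok", "")]
)
BASELINE = {"svc-backup": 2, "ops": 3}  # learned per-account request counts (constructed)

def detect_automated_replication(records, min_targets=3):
    """Behavior 1: one host sends the same payload to at least min_targets internal hosts."""
    targets = defaultdict(set)
    for src, dst, _proto, _acct, _outcome, payload in records:
        if payload:
            targets[(src, payload)].add(dst)
    return sorted({src for (src, _), dsts in targets.items() if len(dsts) >= min_targets})

def detect_brute_force(records, protocols=("rdp", "vnc", "ssh", "smb"), max_failures=5):
    """Behaviors 2 and 5: excessive failed logins from one host to one system over a protocol."""
    failures = Counter()
    for src, dst, proto, _acct, outcome, _payload in records:
        if proto in protocols and outcome == "fail":
            failures[(src, dst, proto)] += 1
    return sorted(key for key, count in failures.items() if count > max_failures)

def detect_kerberos_anomaly(records, baseline, rate_factor=5, fail_ratio=0.5):
    """Behavior 3: an account used far above its learned baseline with most attempts failing."""
    total, failed = Counter(), Counter()
    for _src, _dst, proto, acct, outcome, _payload in records:
        if proto == "kerberos":
            total[acct] += 1
            failed[acct] += outcome == "fail"
    return sorted(acct for acct, n in total.items()
                  if n > rate_factor * baseline.get(acct, 1) and failed[acct] / n >= fail_ratio)

if __name__ == "__main__":
    print("automated replication:", detect_automated_replication(RECORDS))
    print("brute force:", detect_brute_force(RECORDS))
    print("kerberos anomaly:", detect_kerberos_anomaly(RECORDS, BASELINE))
```

In practice the thresholds and the Kerberos baseline would be learned per host and per account over time rather than fixed, which is the point of the baseline-driven detection the post describes.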

Of course, the severity and frequency will vary depending on your industry and line of business. To learn more about the behaviors that are most common in your industry, we encourage you to read our Attacker Behavior Industry Report.

I’d also suggest reaching out to a Vectra representative for a consultative discussion on a full spectrum of attacker behaviors that we have codified into our AI-driven Cognito network detection and response platform.

*Gartner Blog Network, “Applying Network-Centric Approaches for Threat Detection and Response” by Anton Chuvakin, March 19, 2019

About the author

Kevin Sheu

Kevin Sheu leads product marketing at Vectra®. He brings 15 years of product marketing and management consulting experience, where he has demonstrated a passion for product innovations and how they are adopted by customers.
