Toward cyber-resiliency metrics for action recommendations against lateral movement attacks


Abstract

Lateral movement attacks are a serious threat to enterprise security. In these attacks, an attacker compromises a trusted user account to get a foothold into the enterprise network and uses it to attack other trusted users, increasingly gaining higher and higher privileges. Such lateral attacks are very hard to model because of the unwitting role that users play in the attack and even harder to detect and prevent because of their low and slow nature. In this chapter, a theoretical framework is presented for modeling lateral movement attacks and for designing resilient cyber-systems against such attacks. The enterprise is modeled as a tripartite graph capturing the interactions between users, machines, and applications, and a set of procedures is proposed to harden the network by increasing the cost of lateral movement. Strong theoretical guarantees on system resilience are established and experimentally validated for large enterprise networks.

Cite

Chen, P. Y., Choudhury, S., Rodriguez, L., Hero, A. O., & Ray, I. (2019). Toward cyber-resiliency metrics for action recommendations against lateral movement attacks. In Advances in Information Security (Vol. 75, pp. 71–92). Springer New York LLC. https://doi.org/10.1007/978-3-030-18214-4_5
