629 research outputs found

    A Machine Learning Approach for RDP-based Lateral Movement Detection

    Detecting cyber threats has been an ongoing research endeavor. In this era, advanced persistent threats (APTs) can incur significant costs for organizations and businesses. The ultimate goal of cybersecurity is to thwart attackers from achieving their malicious intent, whether it is credential stealing, infrastructure takeover, or program sabotage. Every cyberattack goes through several stages before its termination. Lateral movement (LM) is one of those stages that is of particular importance. Remote Desktop Protocol (RDP) is a method used in LM to successfully authenticate to an unauthorized host that leaves footprints on both host and network logs. In this thesis, we propose to detect evidence of LM using an anomaly-based approach that leverages Windows RDP event logs. We explore different feature sets extracted from these logs and evaluate various supervised and unsupervised machine learning (ML) techniques for classifying RDP sessions with high precision and recall. We also compare the performance of our proposed approach to a state-of-the-art approach and demonstrate that our ML model outperforms it in classifying RDP sessions in Windows event logs. In addition, we demonstrate that our model is robust against certain types of adversarial attacks.

    Lateral Movement in Windows Systems and Detecting the Undetected ShadowMove

    Lateral movement is a pervasive threat that exists because modern networked systems that provide access to multiple users are far more efficient than their non-networked counterparts. It is a well-known attack methodology with extensive research completed into preventing lateral movement in enterprise systems. However, attackers are using more sophisticated methods to move laterally that bypass typical detection systems. This research comprehensively reviews the problems in lateral movement detection and outlines common defenses to protect modern systems from lateral movement attacks. A literature review is conducted, outlining new techniques for automatic detection of malicious lateral movement, explaining common attack methods utilized by Advanced Persistent Threats, and components built into the Windows operating system that can assist with discovering malicious lateral movement. Finally, a novel method for moving laterally is introduced and studied, and an original method for detecting this method of lateral movement is proposed.

    A Novel Method for Moving Laterally and Discovering Malicious Lateral Movements in Windows Operating Systems: A Case Study

    Lateral movement is a pervasive threat because modern networked systems that provide access to multiple users are far more efficient than their non-networked counterparts. It is a well-known attack methodology with extensive research conducted investigating the prevention of lateral movement in enterprise systems. However, attackers use increasingly sophisticated methods to move laterally that bypass typical detection systems. This research comprehensively reviews the problems in lateral movement detection and outlines common defenses to protect modern systems from lateral movement attacks. A literature review outlines techniques for automatic detection of malicious lateral movement, explaining common attack methods utilized by advanced persistent threats and components built into the Windows operating system that can assist with discovering malicious lateral movement. Finally, a novel approach for moving laterally designed by other security researchers is reviewed and studied, an original process for detecting this method of lateral movement is proposed, and the application of the detection methodology is also expanded.

    Towards an Efficient Detection of Pivoting Activity

    Pivoting is a technique used by cyber attackers to exploit the privileges of compromised hosts in order to reach their final target. Existing research on countering this menace is only effective for pivoting activities spanning within the internal network perimeter. When applying existing methods to include external traffic, the detection algorithm produces overwhelming entries, most of which are unrelated to pivoting. We address this problem by identifying the major characteristics that are specific to potentially malicious pivoting. Our analysis combines human expertise with machine learning and is based on the inspection of real network traffic generated by a large organization. The final goal is the reduction of the unacceptable amounts of false positives generated by the state-of-the-art methods. This paper paves the way for future research aimed at countering the critical menace of illegitimate pivoting activities.

    Network-based APT profiler

    Constant innovation in attack methods presents a significant problem for the security community, which struggles to remain current in attack prevention, detection and response. The practice of threat hunting provides a proactive approach to identify and mitigate attacks in real time before the attackers complete their objective. In this research, I present a matrix of adversary techniques inspired by MITRE’s ATT&CK matrix. This study allows threat hunters to classify the actions of advanced persistent threats (APTs) according to network-based behaviors.

    How much is too much on monitoring tasks? Visual scan patterns of single air traffic controller performing multiple remote tower operations

    The innovative concept of multiple remote tower operation (MRTO) is where a single air traffic controller (ATCO) provides air traffic services to two or more different airports from a geographically separated virtual tower. Effective visual scanning by the air traffic controller is the main safety concern for human-computer interaction, as the aim of MRTO is a single controller performing air traffic management tasks originally carried out by up to four ATCOs, comprehensively supported by innovative technology. Thirty-two scenarios were recorded and analyzed using an eye tracking device to investigate the above safety concern and the effectiveness of multiple remote tower operations. The results demonstrated that ATCOs' visual scan patterns showed significant task-related variation while performing different tasks and interacting with various interfaces on the controller's working position (CWP). ATCOs were supported by new display systems equipped with pan-tilt-zoom (PTZ) cameras allowing enhanced visual checking of airport surfaces and aircraft positions. Therefore, one ATCO could monitor and provide services for two airports simultaneously. The factors influencing visual attention include how the information is presented, the complexity of that information, and the characteristics of the operating environment. ATCOs' attention distribution among display systems is the key human-computer interaction issue in a single ATCO performing multiple monitoring tasks.

    ENSEMBLE LEARNING FOR ANOMALY DETECTION WITH APPLICATIONS FOR CYBERSECURITY AND TELECOMMUNICATION


    Data-driven airport management enabled by operational milestones derived from ADS-B messages

    Standardized, collaborative decision-making processes have already been implemented at some network-relevant airports, and these can be further enhanced through data-driven approaches (e.g., data analytics, predictions). New cost-effective implementations will also enable the appropriate integration of small and medium-sized airports into the aviation network. The required data can increasingly be gathered and processed by the airports themselves. For example, Automatic Dependent Surveillance-Broadcast (ADS-B) messages are sent by arriving and departing aircraft and enable a data-driven analysis of aircraft movements, taking into account local constraints (e.g., weather or capacity). Analytical and model-based approaches that leverage these data also offer deeper insights into the complex and interdependent airport operations. This includes systematic monitoring of relevant operational milestones as well as a corresponding predictive analysis to estimate future system states. In fact, local ADS-B receivers can be purchased, installed, and maintained at low cost, providing both very good coverage of the airport apron operations (runway, taxi system, parking positions) and communication of current airport performance to the network management. To prevent every small and medium-sized airport from having to develop its own monitoring system, we present a basic concept with our approach. We demonstrate that appropriate processing of ADS-B messages leads to improved situational awareness. Our concept is aligned with the operational milestones of Eurocontrol’s Airport Collaborative Decision Making (A-CDM) framework. Therefore, we analyze the A-CDM airport London–Gatwick Airport, as it allows us to validate our concept against the data from the A-CDM implementation at a later stage. Finally, with our research, we also make a decisive contribution to the open-data and scientific community.