Lateral movement has become a staple component of most wide-scale cyber-attacks on organizations. However, the set of tools for detecting, analyzing, and investigating this key component remains limited. Existing detections are mostly focused on techniques and procedures that abuse the authentication protocol or exploit a vulnerability in its implementation. This is understandable, as such manipulations are easier to detect. However, the most common attack vector does not even have a name. The attacker's number one attack vector since the beginning of cyber-attacks has been "obtain a credential, then use it."
To overcome this issue, many recent techniques are based on finding anomalous authentications and combining them into a lateral movement path. The problem with this approach is that, in practice, a substantial share of authentication traffic is anomalous but not malicious. This produces an enormous number of false positives and makes such methods impractical.
In August 2021, Grant Ho et al. (Ho, 2021) developed the "Hopper" algorithm. The algorithm is based on anomaly detection methods combined with knowledge about the servers, users, and protocols used in the environment. It achieves 95% detection of simulated attacks with about 9 false positives a day, a huge improvement over the methods that came before it. However, the algorithm was trained and tested only in a single environment and against simulated attacks, so it may be tailored to that specific environment.
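The two approaches contrasted above, as an added example that is not code from the original text or from the Hopper paper: a naive "never-seen-before (user, destination) pair" rule applied to a constructed set of authentication events, beside a path-based refinement that chains logins into multi-hop paths and keeps only those where the account changes between hops. The events, the baseline, the 30-minute stitching window, and the credential-switch rule are all assumptions made for this illustration (the rule is a simplified stand-in for the user-aware reasoning the text attributes to Hopper, not the paper's actual detector).

```python
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample authentication events (timestamp, user, source host, destination host).
# These are invented for the illustration, not taken from any real environment or the paper.
EVENTS = [
    ("2021-08-02 09:00:00", "alice",      "ws-alice",  "file-srv"),
    ("2021-08-02 09:05:00", "alice",      "ws-alice",  "mail-srv"),
    ("2021-08-02 09:20:00", "bob",        "ws-bob",    "file-srv"),
    ("2021-08-02 10:00:00", "alice",      "ws-alice",  "build-srv"),  # first time alice uses build-srv
    ("2021-08-02 10:03:00", "alice",      "build-srv", "db-srv"),     # same account continues the path
    ("2021-08-02 11:00:00", "bob",        "ws-bob",    "jump-srv"),
    ("2021-08-02 11:04:00", "svc-backup", "jump-srv",  "dc-01"),      # account changes mid-path
]

# Constructed baseline of (user, destination) pairs observed before the analysis window.
BASELINE = {
    ("alice", "file-srv"), ("alice", "mail-srv"), ("bob", "file-srv"),
    ("bob", "jump-srv"), ("svc-backup", "backup-srv"),
}


class Login(NamedTuple):
    time: datetime
    user: str
    src: str
    dst: str


def parse(rows):
    """Turn raw rows into time-ordered Login records."""
    return sorted(Login(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), u, s, d) for t, u, s, d in rows)


def anomalous_logins(logins, baseline):
    """Naive rule: alert on every (user, destination) pair absent from the baseline.
    Legitimate first-time access (alice -> build-srv) is flagged just like real attacks."""
    return [l for l in logins if (l.user, l.dst) not in baseline]


def stitch_paths(logins, window=timedelta(minutes=30)):
    """Chain a login A->B with any later login B->C within `window` into multi-hop paths.
    Returns every path of two or more hops."""
    paths_ending = {}  # Login -> list of paths (lists of Login) that end at that login
    for login in logins:
        preds = [p for p in logins
                 if p.dst == login.src and timedelta(0) < login.time - p.time <= window]
        extended = [path + [login] for p in preds for path in paths_ending[p]]
        paths_ending[login] = extended or [[login]]
    return [path for paths in paths_ending.values() for path in paths if len(path) >= 2]


def credential_switch_paths(paths):
    """Path-based refinement (simplified, assumed rule): keep only paths in which the
    account used changes between hops, i.e. a credential obtained on one host is used
    to reach the next. Single-account paths such as alice's are left alone."""
    return [p for p in paths if len({l.user for l in p}) > 1]


def summarize(path):
    """Render a path as 'src -> host(user) -> host(user)' for an analyst."""
    return " -> ".join([path[0].src] + [f"{l.dst}({l.user})" for l in path])


if __name__ == "__main__":
    logins = parse(EVENTS)
    print("naive anomaly alerts:")
    for l in anomalous_logins(logins, BASELINE):
        print(f"  {l.time:%H:%M} {l.user} {l.src} -> {l.dst}")
    print("paths with a credential switch:")
    for p in credential_switch_paths(stitch_paths(logins)):
        print("  " + summarize(p))
```

On this constructed input the naive rule raises three alerts, two of them for alice legitimately reaching hosts she had not used before, while the path rule raises one, for the hop from jump-srv to dc-01 under a different account than the one that reached jump-srv. This is the false-positive gap the text describes; a real detector would still need the per-environment tuning the text warns Hopper may depend on.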