| Field | Value | Language |
| --- | --- | --- |
| dc.contributor.author | ADELAIYE, Oluwasegun | |
| dc.contributor.author | Ajibola, Aminat | |
| dc.contributor.author | Musa, Yusuf | |
| dc.date.accessioned | 2024-05-21T10:05:20Z | |
| dc.date.available | 2024-05-21T10:05:20Z | |
| dc.date.issued | 2020 | |
| dc.identifier.citation | 7. Adelaiye, O. I., Ajibola, A. & Yusuf, M. (2020) Detecting Lateral Movement in a Network for Combating Advanced Persistent Threats. International Journal of Information Processing and Communication (IJIPC). 9(1&2), 209-220 | en_US |
| dc.identifier.issn | 2141-3959 | |
| dc.identifier.uri | http://localhost:8080/xmlui/handle/123456789/1253 | |
| dc.description.abstract | Cyber security has in recent times been in the headlines and is an area of great concern and threat to developed nations. These threats have metamorphosed into more advanced threats, including one termed Advanced Persistent Threat. An Advanced Persistent Threat (APT) is a highly coordinated attack method that exploits existing but unknown vulnerabilities. These adversaries are sophisticated, skilled and highly determined to gain undetected access over an extended period and steal valuable data. APTs pose high threat levels to organizations, especially government organizations. This study identified that 60% of the problem is the inability to detect penetration using traditional mitigation methods. An APT attack operates in phases which, listed from the first to the seventh, are: selecting a target, information gathering, gaining access, exploitation, operation, data discovery and collection, and data exfiltration. The fifth and sixth phases deal with the lateral movement (spread) of malware after internal reconnaissance is done. This study uses a statistical analysis approach on a dataset containing 939,394 payloads and identifies the patterns that are key to accurately distinguishing malicious from normal data traffic. The attributes that showed a difference were source port and size in bytes. Results show that 90% of the ports used for scanning attacks are unassigned ports and dynamic/private ports, and that the scans use data sizes of almost zero bytes. These patterns form rules that detect the presence of APT attacks in a network. This approach is in line with COBIT 5 and ISO/IEC 27033-4:2014. | en_US |
| dc.description.sponsorship | Self | en_US |
| dc.language.iso | en | en_US |
| dc.publisher | International Journal of Information Processing and Communication (IJIPC) | en_US |
| dc.relation.ispartofseries | VOL 9;NO 1&2 | |
| dc.subject | Reconnaissance | en_US |
| dc.subject | Zero-day | en_US |
| dc.subject | Information security | en_US |
| dc.subject | Intrusion detection | en_US |
| dc.subject | Malware | en_US |
| dc.title | Detecting Lateral Movement in a Network for Combating Advanced Persistent Threats | en_US |
| dc.type | Article | en_US |