SaTC: CORE: Medium: After the Breach: Detecting Lateral Movement, Reconnaissance, and Exfiltration in Enterprise Networks
University Of California-San Diego, La Jolla CA
Abstract
Large-scale data breaches and ransomware attacks have become a pressing threat for government agencies and corporations alike. However, what distinguishes these events is rarely the technical mechanisms by which unauthorized access was first obtained, but rather the methodical actions taken after gaining such access. Thus, while efforts to protect against initial intrusions remain important, it is clearly every bit as important to develop sound approaches for detecting and subduing the actions of attackers already operating inside an organization. This project tackles precisely this problem: how to detect, identify and remediate malicious actors via their operational actions inside an organization. To address this goal, the project’s novelty is in developing a network analysis system to model the causality of computer and network events – ways in which an action that occurred on one machine can be explained as an attacker pivoting from another machine in pursuit of increased access in an organization. The project’s broader significance and importance are in providing a well-founded rigorous basis for evaluating best practices for detecting and mitigating enterprise-scale data breaches. Using an inferred causal graph of such activities, the investigators develop and evaluate detectors for evidence of internal reconnaissance, lateral movement and external communication. Using both empirical data sources and a simulator for testing a range of enterprise network models, the investigators explore the extent to which this causal framework can distinguish known attacks from the broad range of benign activities that take place. Finally, the project also evaluates the value of such frameworks for both triage and post-incident response, removing the manual work involved in identifying which machines and accounts may have been compromised. 
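As an added illustration of the causal-event modelling the abstract describes (this is example code, not the project's own system), the following Python builds a causal graph over a constructed logon trace: each outbound session is "explained" by an earlier inbound session to the same host within a time window, maximal multi-hop pivot chains are reported, and the hosts and accounts a responder would triage are listed. The event fields, window length and hostnames are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Logon:
    ts: int    # seconds since the start of the constructed trace
    src: str   # host the session came from
    dst: str   # host that accepted the session
    user: str  # account used

# Constructed sample trace (not real data): benign admin logons plus one chain
# in which a session on file-01 is used to reach db-01 and then bak-01.
EVENTS = [
    Logon(0,    "ws-01",   "ws-02",   "alice"),   # benign, nothing follows it
    Logon(100,  "ws-07",   "file-01", "bob"),     # first hop of the chain
    Logon(160,  "file-01", "db-01",   "bob"),     # pivot: file-01 -> db-01
    Logon(220,  "db-01",   "bak-01",  "svc-bk"),  # pivot under another account
    Logon(900,  "ws-03",   "file-01", "carol"),   # benign, unrelated
    Logon(5000, "file-01", "ws-09",   "bob"),     # too late to be explained
]

WINDOW = 600  # seconds an inbound session may "explain" later outbound ones

def causal_parents(events, window=WINDOW):
    """For each event, the earlier sessions into its source host within
    `window`: the candidate causes of that event."""
    inbound = defaultdict(list)
    for e in events:
        inbound[e.dst].append(e)
    return {e: [p for p in inbound[e.src] if 0 < e.ts - p.ts <= window]
            for e in events}

def pivot_chains(events, window=WINDOW, min_hops=2):
    """Maximal causal chains of at least `min_hops` logons, oldest first.
    A chain ends at an event that explains no later event."""
    parents = causal_parents(events, window)
    explained = {p for ps in parents.values() for p in ps}
    chains = []
    def walk(chain):                      # extend backwards from chain[0]
        if not parents[chain[0]]:
            if len(chain) >= min_hops:
                chains.append(chain)
            return
        for p in parents[chain[0]]:
            walk([p] + chain)
    for tail in events:
        if tail not in explained:
            walk([tail])
    return chains

def triage(chains):
    """Hosts and accounts touched by any chain: the candidate compromise set
    that would otherwise be assembled by hand during incident response."""
    hosts = {h for c in chains for e in c for h in (e.src, e.dst)}
    users = {e.user for c in chains for e in c}
    return sorted(hosts), sorted(users)
```

On the sample trace the benign logons dead-end and are never reported, while the three-hop chain through file-01 and db-01 is returned with both accounts it used.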
This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.