Tomohiko Yano

Abstract

It has become difficult to detect attackers intruding into an enterprise network.
Attackers often perform lateral movement using stolen valid credentials so as to
leave as little evidence as possible in the targeted network.

We can leverage logon events, which record who logged on to which computer, to identify
these attacks. However, a logon event only tells us a computer name and an account name.
Therefore we cannot detect these attacks from logon events alone, because we cannot
determine whether the account was used by an attacker or by its legitimate user. Even for
security experts these attacks are difficult to detect, because a large volume of logs
must be analyzed in light of information about how each computer and account is normally
operated.

In this research, we propose a method to detect lateral movement that uses valid accounts
by combining logon events with information on human behavior in the physical
environment obtained from sensors and input devices.
Using this physical environment information, such lateral movement can be discovered
rapidly whenever a logon event occurs while the employee who owns the account is not
physically present. Furthermore, the detection does not depend on prior knowledge of
the normal operation status of computers and accounts.

We built two systems to demonstrate the effectiveness of our method. One correlates
logon events with distance sensors placed in front of each computer. The other correlates
logon events with keystroke events.
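As an added illustration of the correlation the two systems perform (example code written for this page, not the author's implementation), the following flags logon events for which no recent sensor or keystroke evidence places a person where the account's owner would have to be. The data, the presence threshold, the time window and the account-to-workstation mapping are all constructed assumptions.

```python
from datetime import datetime, timedelta

PRESENT_CM = 100                  # assumed: distance below this means someone is seated
WINDOW = timedelta(seconds=120)   # assumed: presence must be observed this recently
HOME = {"alice": "PC-ALICE", "bob": "PC-BOB"}  # assumed account -> own workstation

# Constructed sample data: (timestamp, computer, account, logon_type),
# using Windows-style types 2 = interactive console logon, 3 = network logon.
LOGON_EVENTS = [
    ("2024-05-01T09:00:10", "PC-ALICE", "alice", 2),
    ("2024-05-01T09:30:00", "PC-ALICE", "alice", 3),
    ("2024-05-01T13:15:00", "PC-ALICE", "alice", 3),  # alice's desk is empty
    ("2024-05-01T13:16:00", "PC-BOB",   "alice", 3),  # alice's account used elsewhere
]
# Constructed distance-sensor readings: (timestamp, computer, distance_cm).
SENSOR_READINGS = [
    ("2024-05-01T08:59:00", "PC-ALICE", 60),
    ("2024-05-01T09:29:00", "PC-ALICE", 55),
    ("2024-05-01T13:14:00", "PC-ALICE", 245),  # empty chair
    ("2024-05-01T13:15:30", "PC-BOB", 50),     # Bob is at his own desk
]
# Constructed keystroke events from an input-device monitor: (timestamp, computer).
KEYSTROKES = [("2024-05-01T09:00:05", "PC-ALICE")]

def _t(s):
    return datetime.fromisoformat(s)

def presence_seen(computer, at, readings, keystrokes):
    """True if a sensor or keystroke shows a person at `computer` within WINDOW before `at`."""
    for ts, pc, dist in readings:
        if pc == computer and at - WINDOW <= _t(ts) <= at and dist < PRESENT_CM:
            return True
    for ts, pc in keystrokes:
        if pc == computer and at - WINDOW <= _t(ts) <= at:
            return True
    return False

def suspicious_logons(logons, readings, keystrokes):
    """Return logons with no physical evidence of the account owner.
    Interactive logons require presence at the target computer; network logons
    require presence at the account owner's own workstation (the usual source)."""
    flagged = []
    for ts, target, account, logon_type in logons:
        where = target if logon_type == 2 else HOME.get(account)
        if where is None or not presence_seen(where, _t(ts), readings, keystrokes):
            flagged.append((ts, target, account, logon_type))
    return flagged
```

In this sample the two afternoon logons are flagged because the distance sensor at alice's workstation reports an empty chair and no keystrokes were seen there, even though the logon records themselves are indistinguishable from her morning activity.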

In this presentation, we will introduce the results of evaluating the detection rate
against simulated common lateral movement methods. We confirm that we can detect attacker
logon events that could not be distinguished from normal logon events by the logs alone.