Authors: Tomohiko Yano
DFRWS USA 2019
It is becoming difficult to detect attackers who have intruded into an enterprise network. Attackers often perform lateral movement using stolen valid credentials so as not to leave evidence in the targeted network. We can leverage logon events, which record that a logon to a computer took place, to identify these attacks. However, from logon events we can only obtain computer names and account names. Therefore, we cannot detect these attacks from the events alone, because we cannot determine whether an attacker or a valid user actually logged in. Even for security experts these attacks are difficult to detect, because it is necessary to analyze a large amount of logs in light of information about the operational status of computers and accounts.
In this research, we propose a method to detect lateral movement across valid accounts by using not only logon events but also information on human behavior in the physical environment, obtained from sensors and input devices. Using physical environment information, it is possible to discover this lateral movement rapidly when a logon event occurs even though the employee is not physically present. Furthermore, we can detect attacks without knowing the normal operational status in advance. We built two systems to demonstrate the effectiveness of our method. One utilizes logon events and distance sensors placed in front of the computer. The other employs logon and keystroke events. In this presentation, we introduce results from evaluations of the detection rate using simulated common lateral movement methods. We confirm that we can detect attacker logon events that could not otherwise be distinguished from normal logon events.
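The correlation described above, as an added illustration that is not the paper's own system or code: each logon event is checked for corroborating presence evidence (a distance-sensor reading or a keystroke event) on the same computer within a short time window, and logons with no such evidence are flagged for review. The 60-second window, the CSV-like record formats, and all sample events are constructed assumptions for this example; the paper does not specify them.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List

# Assumption: presence evidence must fall within this distance of the logon time.
WINDOW = timedelta(seconds=60)


@dataclass(frozen=True)
class Logon:
    time: datetime
    computer: str
    account: str


@dataclass(frozen=True)
class Presence:
    time: datetime
    computer: str
    source: str  # "distance_sensor" or "keystroke"


# Constructed sample data in an assumed "timestamp,computer,account" format.
LOGON_LINES = [
    "2019-07-15T09:00:05,WS-01,alice",  # alice at her desk
    "2019-07-15T09:05:00,WS-05,alice",  # alice's account used where nobody is present
    "2019-07-15T09:10:00,WS-02,bob",    # bob typing at WS-02
    "2019-07-15T02:13:00,WS-03,bob",    # bob's account used at night, sensor saw no one
]

# Constructed sample data in an assumed "timestamp,computer,source" format.
PRESENCE_LINES = [
    "2019-07-15T09:00:00,WS-01,distance_sensor",
    "2019-07-15T09:09:50,WS-02,keystroke",
    "2019-07-15T08:30:00,WS-03,distance_sensor",  # hours away from the 02:13 logon
]


def parse_logons(lines: Iterable[str]) -> List[Logon]:
    """Parse constructed logon records; skips blank lines."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        ts, computer, account = line.strip().split(",")
        out.append(Logon(datetime.fromisoformat(ts), computer, account))
    return out


def parse_presence(lines: Iterable[str]) -> List[Presence]:
    """Parse constructed presence records (sensor readings and keystroke events)."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        ts, computer, source = line.strip().split(",")
        out.append(Presence(datetime.fromisoformat(ts), computer, source))
    return out


def has_presence(logon: Logon, presence: Iterable[Presence],
                 window: timedelta = WINDOW) -> bool:
    """True if any presence evidence exists on the logon's computer within the window."""
    return any(p.computer == logon.computer and abs(p.time - logon.time) <= window
               for p in presence)


def suspicious_logons(logons: Iterable[Logon], presence: Iterable[Presence],
                      window: timedelta = WINDOW) -> List[Logon]:
    """Return logons that no physical-presence evidence corroborates, in input order."""
    presence = list(presence)
    return [l for l in logons if not has_presence(l, presence, window)]


def report() -> List[tuple]:
    """Run the check over the constructed sample and return (computer, account) pairs."""
    flagged = suspicious_logons(parse_logons(LOGON_LINES), parse_presence(PRESENCE_LINES))
    return [(l.computer, l.account) for l in flagged]


if __name__ == "__main__":
    for computer, account in report():
        print(f"uncorroborated logon: account={account} computer={computer}")
```

Note that the check needs no baseline of normal behavior: a logon is flagged purely because nothing physical corroborates it, which is the property the abstract claims for the approach. In practice the window and the sensor coverage determine the false-positive rate; a computer with no sensor would need to be excluded from the check rather than flagged on every logon.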