Latte: Large-Scale Lateral Movement Detection

The frequency of recent headlines indicates that attacks on governmental and corporate computer networks are increasing. Once they infect one computer, the attackers are quite likely to explore the network by accessing additional computers. Such “lateral movement”, i.e., the process attackers use to move from one computer to the next in a compromised network, increases the difficulties of preventing data exfiltration. To deal with challenges from large-scale data and little knowledge of the attackers, we propose Latte, a graph-based detection system to discover potential malicious lateral movement paths. We model computers and accounts as nodes, and computer-to-computer connections or user logon events as edges. We address the lateral movement problem in two ways. Starting with an infected computer or account, forensic analysis quickly identifies other compromised computers. To discover a new attack, general detection identifies unknown lateral movement across nodes which are not known to be compromised. A key component for general detection is a remote file execution detector which filters out the majority of the rare paths in the network. We provide separate algorithms for these subproblems and validate their effectiveness and efficiency on two, large-scale datasets, including one with a confirmed attack and one from a penetration test.