University of Twente Student Theses


Anomaly-based detection of lateral movement in a Microsoft Windows environment

Meijerink, M.M.J. (2019) Anomaly-based detection of lateral movement in a Microsoft Windows environment.

Abstract: Cyber security is a very important topic for organisations, and many thousands of incidents occur every year. Research from 2017 has shown that adversaries managed to avoid detection for a median time of 101 days after intruding into the information technology (IT) systems of a targeted organisation. This shows that organisations are insufficiently able to detect intruders in their systems. These long-term intrusions are often executed by sophisticated attackers, typically called advanced persistent threats (APTs). APTs are capable of using a variety of tactics and techniques, one of which is lateral movement. This tactic is the act of adversaries moving from system to system. It enables attackers to extend their influence and reach their objectives by penetrating further into their target's IT environment. By failing to detect lateral movement, organisations are exposed to leakage of data, and attackers increase their chance of staying persistent, even after detection. This thesis first looked into existing detection strategies to research how lateral movement detection could be improved. It was found that promising techniques existed using host-based data. Of particular interest were techniques which deduced deviations from existing logon patterns. However, the enormous amount of data gathered was often a bottleneck to implementing these techniques in a centralised security information and event management (SIEM) solution. Given the detection techniques found in existing literature, this thesis implemented two host-based anomaly detection approaches for the detection of anomalous logon patterns. Unlike previous work, the implemented detection techniques were adapted to be executed on individual machines. This made it possible to evaluate whether detection can be distributed to the endpoints in an organisation. Because most enterprise-size companies use Microsoft Windows, detection efforts were focused on a Microsoft Windows environment.

The Windows security event log was chosen to supply the data used for the detection approaches, because related work has shown its potential. However, little research has focused on this natively available logging, despite its widespread availability to security monitoring and incident response teams. To evaluate the implemented anomaly detection approaches, this research gathered operational security event logs from an enterprise-size company. Additionally, a professional red team was tasked to execute lateral movement in a typical enterprise IT environment. The logon records of the operational security event logs were combined with the logon records from the attack environment into a dataset featuring 58 operational event logs. This resulted in a realistic dataset to test the developed anomaly detection approaches. The anomaly detection approaches were implemented based on clustering, using HDBSCAN, and on a statistical technique, principal component based classification (PCC). The results indicate that both approaches are able to identify deviating logons based on the Windows security event log. Clustering achieved a true positive rate (TPR) of 85.63% with an 8.29% false positive rate (FPR). PCC detected fewer malicious logons, with a TPR of 59.81%, but achieved better performance with respect to the FPR, at 4.70%. This thesis shows that anomaly detection based on the Windows security event log of an individual system is an effective method for the detection of lateral movement. From the perspective of a security monitoring architecture, the main contribution of this approach is the conclusion that it is possible to distribute part of the detection efforts of a centralised monitoring solution, such as a SIEM solution, toward the individual workstations in an organisation's environment.
Item Type: Essay (Master)
KPMG, Amstelveen, The Netherlands
Faculty: EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject: 54 computer science
Programme: Computer Science MSc (60300)