In order to understand the utility of this invention and the role that it plays within a computer security program, it helps to provide some background regarding the process that sophisticated computer network attackers go through when intruding into a computer network from the Internet. When looking at the anatomy of an attack, there are several stages, including an initial point of compromise, an escalation of privileges, a pivot to other hosts, and eventually, data exfiltration. One objective of a computer security program is to prevent attackers from getting to the data exfiltration phase of their attack, and there are a variety of solutions on the market that attempt to stop attacks at each phase. No known solution to the computer security problem provides a comprehensive barrier to attackers.
First, consider the initial point of compromise. Often, the attacker exploits a technical flaw in software that a corporation is running on its endpoint workstations in order to get a first foothold on the corporate network. This could be a bug with a known remediation or patch, or a flaw unknown to both the user and the software creator, which is often referred to as a zero day vulnerability. The foothold need not come from a software flaw at all: attackers often target users through social methods such as phishing, or directly attack exposed applications and servers. In each case, the attacker induces the user or application to run malicious code supplied by the attacker. This malicious code will often give the attacker remote control over that computer, for example by opening a remote administration channel back to the attacker.
Stopping this initial point of compromise can be challenging. There are technical solutions, such as anti-virus, that look for known malicious files, but attackers are often able to get around them. Some of these protections are deployed directly on the endpoint workstation or host. Alternatives to traditional Anti-Virus (AV) include various techniques for keeping malicious applications from running, such as application whitelisting, application reputation management, containerization of applications, and application behavioral analytics. Ultimately, however, attackers will often find a way to bypass these protections. For example, using packer/unpacker techniques, attackers can generate a unique binary for each target so that signature-based AV has no matching signature. Attackers can run code inside a pre-approved piece of software such as a Python interpreter, or in a less obvious environment such as a macro in Excel, to bypass application whitelisting, since the whitelisted program, not the attacker's code, is what the control sees executing. Attackers have multiple techniques for bypassing these technologies and continue to develop more.
Considerable effort has also been placed into stopping the initial point of compromise at the network perimeter, where the internal network meets the Internet. Technologies such as firewalls (layer 3/4 and layer 7) and Intrusion Prevention Systems are often used. These typically look for known signatures of malicious files being transferred over the network or for known malicious hosts attempting communication. Other products execute downloaded files and attachments to inbound emails in a sandbox in order to observe whether they behave maliciously. Trivial techniques such as delayed execution of malicious code, in which the payload does nothing until the sandbox's analysis window has passed, can be used to bypass some of these technologies.
Overall, attackers have a number of methods to gain an initial point of compromise. We assume, therefore, that the attacker will ultimately get a foothold in a company's internal corporate network.
Once an attacker has executed their malicious code on an initial point of compromise, allowing for remote access to a computer within a network, the attacker will attempt to escalate their privileges on that computer. This escalation of privileges can be highly technical in nature and may exploit another local vulnerability, but it can also be the result of simple techniques such as password cracking.
Some endpoint security solutions attempt to stop or mitigate privilege escalation. Certain information security best practices can also make this step difficult for the attacker. Attackers, however, are often able to escalate privileges despite these barriers, and we further assume that attackers will be able to gain elevated privileges.
Once an attacker has gained elevated privileges on a computer in a company's corporate network, the attacker will attempt to pivot onto other hosts on the network. Often, the first computer compromised does not have the access or information that the attacker is seeking. As a result, the attacker will attempt to connect to other computers on the network from the initial point of compromise, often using the privileges and access of the user, application, or device that was initially compromised. This pivot step, often referred to as lateral movement, typically leverages credential reuse: the attacker attempts to log in to a number of hosts using credentials stolen from the initial point of compromise or from other systems breached along the way. The pivot step can also exploit vulnerabilities in software running on internal hosts.
By impersonating users, applications, or devices, attackers can traverse an internal network compromising additional computers until they locate the information or access they seek. This traversal can be directed at specific valuable hosts such as a domain controller or file repository or more broad based where the attacker tries to infect as many hosts as possible. Additional compromise of computers will also allow the attacker to increase the access or credentials available to them.
Best practices to mitigate the lateral movement of the pivot step include segmenting an internal corporate network using firewalls or virtual LANs (VLANs) to break the network into segments. The resulting segments are configured with narrow access between each other, theoretically making it more difficult for attackers to reach sensitive resources from less sensitive segments. For example, a segmented network could be configured such that desktop workstations on one segment are not able to log in to a production database on another segment. Segmenting an internal corporate network, however, is difficult in practice. The cost of segmenting networks, both in the physical infrastructure work required and in the potential disruption to day-to-day corporate business activities, is very high, and as a result many organizations have inadequate internal network segmentation.
Once an attacker has successfully found the information or access they were seeking, the attacker will then send copies of that data to themselves. This is referred to as exfiltration, and its volume can vary depending on the information being sought. Data can be exfiltrated over the network or via other means, such as removable media. A number of solutions exist in the data leakage prevention space that are intended to prevent data exfiltration. As will be appreciated by one skilled in the art, however, existing solutions are constantly being tested by new attack techniques.
To investigate or identify breaches, some organizations use the NetFlow protocol to gain visibility into internal network activity. Certain network switches and routers can export NetFlow records (metadata about the traffic passing through the device, such as source and destination addresses, ports, protocol, and packet and byte counts) to a third-party application or repository. NetFlow data therefore shows which hosts are connecting to which other hosts. This information can be used as an investigative tool and, if properly modeled, can also reveal unusual traffic between hosts. This type of analysis, however, is merely investigative: it observes traffic after the fact and cannot itself block traffic or enforce segmentation.
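The segmentation policy of the preceding paragraphs and the NetFlow analysis just described can be illustrated together. The following Python program is an added example and is not part of this disclosure; it assumes a hypothetical set of segments (desktops, servers, prod-db), a hypothetical allow-list of permitted inter-segment connections, and constructed flow records in a simplified comma-separated form. It checks each record against the intended segmentation and also flags any source that reaches several distinct hosts over administrative ports, the fan-out pattern that credential-reuse lateral movement produces. As noted above, this analysis only reports violations after the fact; it does not block anything.

```python
"""Check NetFlow-style records against an intended segmentation policy.

Added example. Segment names, CIDRs, allowed ports and the flow records
below are all constructed for illustration, not taken from any real network.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical network segments (assumed for this example).
SEGMENTS = {
    "desktops": ip_network("10.10.0.0/16"),
    "servers": ip_network("10.20.0.0/16"),
    "prod-db": ip_network("10.30.0.0/24"),
}

# Intended inter-segment policy as (src_segment, dst_segment, dst_port).
# Any cross-segment flow not listed, and any flow involving an address
# outside every known segment, counts as a violation. Traffic that stays
# inside a single segment is not governed by this policy.
ALLOWED = {
    ("desktops", "servers", 443),
    ("servers", "prod-db", 5432),
}

# Ports whose fan-out from one source suggests credential reuse across
# many hosts (SMB, RDP, SSH, WinRM).
ADMIN_PORTS = {445, 3389, 22, 5985}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse 'src,dst,dst_port,proto,packets,bytes' lines; skip blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, proto, pkts, nbytes = line.split(",")
        flows.append(Flow(src, dst, int(port), proto, int(pkts), int(nbytes)))
    return flows


def segment_of(ip: str) -> str:
    """Map an address to its segment name, or 'unknown' if it is in none."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def policy_violations(flows: list[Flow]) -> list[Flow]:
    """Return flows that cross segments without an explicit allow rule."""
    bad = []
    for f in flows:
        s, d = segment_of(f.src), segment_of(f.dst)
        if s == d and s != "unknown":
            continue  # intra-segment traffic is outside this policy
        if (s, d, f.dst_port) not in ALLOWED:
            bad.append(f)
    return bad


def lateral_movement_sources(flows: list[Flow], threshold: int = 3) -> dict[str, set[str]]:
    """Sources that reached at least `threshold` distinct hosts on admin ports."""
    fanout: dict[str, set[str]] = defaultdict(set)
    for f in flows:
        if f.dst_port in ADMIN_PORTS:
            fanout[f.src].add(f.dst)
    return {src: dsts for src, dsts in fanout.items() if len(dsts) >= threshold}


# Constructed flow records (not real traffic). One desktop reaches the
# production database directly, fans out over SMB/RDP, and an address
# outside every segment also touches the database.
SAMPLE_FLOWS = """
# src,dst,dst_port,proto,packets,bytes
10.10.1.5,10.20.1.10,443,tcp,120,84000
10.20.1.10,10.30.0.5,5432,tcp,400,210000
10.10.1.5,10.30.0.5,5432,tcp,35,9100
10.10.1.5,10.10.1.20,445,tcp,12,3100
10.10.1.5,10.10.1.21,445,tcp,11,2900
10.10.1.5,10.10.1.22,445,tcp,14,3300
10.10.1.5,10.20.1.11,3389,tcp,60,22000
10.10.2.7,10.20.1.10,443,tcp,90,61000
172.16.9.9,10.30.0.5,5432,tcp,20,5200
"""


def analyse(text: str = SAMPLE_FLOWS) -> tuple[list[Flow], dict[str, set[str]]]:
    """Run both checks over a block of flow records."""
    flows = parse_flows(text)
    return policy_violations(flows), lateral_movement_sources(flows)


if __name__ == "__main__":
    violations, movers = analyse()
    for f in violations:
        print(f"policy violation: {f.src} ({segment_of(f.src)}) -> "
              f"{f.dst} ({segment_of(f.dst)}):{f.dst_port}")
    for src, dsts in movers.items():
        print(f"possible lateral movement: {src} reached {sorted(dsts)} on admin ports")
```

On the sample records the program reports three policy violations (the desktop reaching the database, the desktop reaching a server over RDP, and the unknown address reaching the database) and one fan-out source, 10.10.1.5, which touched four hosts on administrative ports. Intra-segment SMB traffic is invisible to the segmentation policy, which is precisely why the fan-out heuristic is needed alongside it; a real deployment would replace the inline allow-list with the organization's actual segment definitions and tune the threshold to normal administrative activity.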