Computer networks are increasingly under attack from malicious actors, both actors with legitimate access to a network and actors without such access. These targeted attacks may involve the malicious actor establishing a foothold in the network, conducting reconnaissance, moving laterally within the network, acting on targets and assets within the network, exfiltrating data, and more. Organizations may invest significant resources in attempting to detect and mitigate such attacks. Detection or mitigation may focus on the network traffic, attempting to discern potentially malicious activity from normal, permissible activity. Activity may be classified as potentially malicious, rather than actually malicious, in order to, for instance, avoid so-called “false positive” detection of malicious activity.
Network accounts may be entities for which authentication and authorization policies and processes have been configured within the computer network. In some cases, malicious actors may rely on compromised network accounts to engage in malicious activity. Network accounts may be compromised in various ways, including, for example, credential hijacking (e.g., through keylogging or memory scraping), creation of new credentials by malicious actors, and account impersonation. Additionally, some malicious actors may attempt to circumvent proper authentication protocols within the computer network. Some authentication protocols operate using, for example, security access tickets, which allow parties communicating over a non-secure computer network to authenticate their identity to one another in a secure manner. Examples of such authentication protocols include the Kerberos protocol, the Simple and Protected GSSAPI Negotiation Mechanism, S/Key, the Secure Remote Password protocol, the Host Identity Protocol, etc., which may operate in Windows® networks or other types of networks. Because these authentication protocols encrypt data transmitted between network accounts and other resources, malicious actors sometimes rely on that encryption to conceal attacks. For example, attackers may include malicious code, instructions, or data in encrypted sessions, where it may appear as legitimate encrypted user communications.
Thus, there is a need for detection of potentially malicious activity in computer networks. Such potentially malicious activity may relate to authentication protocols within the network and/or to any other activity that can be abused or exploited by malicious actors. There is a further need for mitigation and/or remediation controls in computer networks. Such controls may respond to detected potentially malicious activity in order to, for example, prevent or minimize harm to an organization and/or computer network.