Recent Trends and Advances In Malware Lateral Movement Techniques

Today, enterprises tend to use multiple security solutions ranging from perimeter defences like IPS to security solutions within the network like SIEMs and User Behaviour Analytics, as a part of their defence strategy. Apparently, the layered security defence face a common and recurring problem of relying on known behaviours and are rendered inefficient when posed with newer exploitation techniques. Targeted attacks resulting into data breaches usually involve attackers moving laterally inside the network searching for critical network assets and hence it becomes extremely important for analysts to understand the attacker’s lateral movement techniques to be able to strategize or formulate effective defences against them. Lateral movement isthe set of tools and techniques used by the attackers to progressively expand their footholds to other network resources, in a lookout for key network assets to exfiltrate data after bypassing perimeter defences and compromising the host. Attackers have been using variety of post exploitation and lateral movement techniques to achieve their goals ranging from credential theft and finding or enumerating targets to remote code execution on the critical network assets and eventually exfiltrating data. Attackers have been long abusing legitimate windows features like SMB, RPC over SMB, Windows Management Instrumentation, Windows Remote Management, and several other windows features to move laterally within the network. However, attackers continuously evolve their techniques to minimize their footprints on the network, bypass existing defences and lateral movement detection tools. Consequently, it becomes extremely critical to advance the network defences and strategies to counter these attacks.

During this talk, discussing about the various stages of lateral movement from credential theft techniques, privilege escalation and finding network targets to code execution methods, we will retrospect on some of the infamous lateral movement methods and also discuss about some of the recent advances in these techniques like using DCOM for moving inside the network. We will also discuss on how to detect attacker’s lateral movement using network resource deception methods and discuss some of the forward looking ideas on building user behaviour analysis for lateral movement detection.

Key Takeaways from the talk:

Various stages of Lateral movement inside the network after initial compromise.
Techniques used by attackers at each stage of lateral movement.
Some of the recent advances in lateral movement techniques.
Leveraging multiple network deception mechanisms to detect lateral movement.
Some forward looking ideas on User Behaviour Analytics for detecting lateral movement.

Chintan Shah

McAfee

Chintan Shah is currently working as a Lead Security Researcher with McAfee Intrusion Prevention System team and holds broad experience in the network security industry. He primarily focuses on Exploit and vulnerability research, building Threat Intelligence frameworks, Reverse engineering techniques, advanced threats and malware analysis. Chintan had researched and uncovered multiple targeted and espionage attacks in the past and worked with multiple enforcement agencies and blogging about them. He holds multiple patents in the exploit detection and prevention techniques. His interests lies in software fuzzing for vulnerability discovery, reversing engineering and analysing exploits, malwares and translating to product improvement.

Sponsors and Supporting Organizations

Diamond Sponsors

Platinum Sponsor

Networking Lounge Sponsor

Supporting Organization

Associate Sponsors