Proposed Framework for Network Lateral Movement Detection Based On User Risk Scoring in SIEM
Published in | 2018 2nd International Conference on Telematics and Future Generation Networks (TAFGEN), pp. 149-154 |
---|---|
Format | Conference Proceeding |
Language | English |
Published | IEEE, 01.07.2018 |
DOI | 10.1109/TAFGEN.2018.8580484 |
Summary: Network lateral movement, or simply lateral movement, is the latest technique used by cyber attackers to progressively move through a network while they search for and gather key information to be used in their cyber-attacks. The best defense mechanism to neutralize this attack method is to correlate data from various sources to reveal the structure and perpetual attack patterns. In this paper, we propose a framework for lateral movement detection based on pattern risk scoring. Users are segmented into clusters, and each cluster is assigned a profile. A user who breaches the profile is given a score rating subject to the relationship and access patterns. A user with a high score is quarantined, while a user with a low score is monitored. Any outgoing traffic from the users is temporarily held while the server verifies the destination address. The proposed framework can be integrated into existing network security devices such as a next-generation firewall, Advanced Persistent Threat (APT) or Security Information and Event Management (SIEM) system to improve lateral movement detection.