SaTC: CORE: Medium: After the Breach: Detecting Lateral Movement, Reconnaissance, and Exfiltration in Enterprise Networks

SaTC：核心：中：违规后：检测企业网络中的横向移动、侦察和渗透

• 批准号: 2152644
• 负责人: Stefan Savage
• 金额: $ 120万
• 依托单位: University of California-San Diego
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2022
• 资助国家: 美国
• 起止时间: 2022-06-01 至 2025-05-31
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2152644&HistoricalAwards=false
• 关键词: SaTC; CORE; Medium; After; Breach

Large-scale data breaches and ransomware attacks have become a pressing threat for government agencies and corporations alike. However, what distinguishes these events is rarely the technical mechanisms by which unauthorized access was first obtained, but rather the methodical actions taken after gaining such access. Thus, while efforts to protect against initial intrusions remain important, it is clearly every bit as important to develop sound approaches for detecting and subduing the actions of attackers already operating inside an organization. This project tackles precisely this problem: how to detect, identify and remediate malicious actors via their operational actions inside an organization. To address this goal, the project’s novelty is in developing a network analysis system to model the causality of computer and network events – ways in which an action that occurred on one machine can be explained as an attacker pivoting from another machine in pursuit of increased access in an organization. The project’s broader significance and importance are in providing a well-founded rigorous basis for evaluating best practices for detecting and mitigating enterprise-scale data breaches.Using an inferred causal graph of such activities, the investigators develop and evaluate detectors for evidence of internal reconnaissance, lateral movement and external communication. Using both empirical data sources and a simulator for testing a range of enterprise network models, the investigators explore the extent to which this causal framework can distinguish known attacks from the broad range of benign activities that take place. Finally, the project also evaluates the value of such frameworks for both triage and post-incident response, removing the manual work involved in identifying which machines and accounts may have been compromised.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

大规模数据泄露和勒索软件攻击已成为政府机构和企业面临的紧迫威胁。然而，这些事件的区别很少不是首次获得未经授权的访问所采用的技术机制，而是获得此类访问后所采取的有条不紊的行动。因此，虽然防御初始入侵的努力仍然很重要，但显然，开发合理的方法来检测和抑制组织内部已经运作的攻击者的行为也同样重要。 该项目正是解决这个问题：如何通过组织内部的操作行为来检测、识别和修复恶意行为者。为了实现这一目标，该项目的新颖之处在于开发了一种网络分析系统来对计算机和网络事件的因果关系进行建模——在这种方式中，一台机器上发生的操作可以被解释为攻击者从另一台机器转向以寻求增加组织中的访问权限。该项目更广泛的意义和重要性在于，为评估检测和缓解企业规模数据泄露的最佳实践提供了有根据的严格基础。利用此类活动的推断因果图，调查人员开发和评估探测器，以获取内部侦察、横向移动和外部通信的证据。研究人员使用经验数据源和模拟器来测试一系列企业网络模型，探讨了这种因果框架在多大程度上可以区分已知的攻击和发生的广泛的良性活动。 最后，该项目还评估了此类框架对于分类和事件后响应的价值，消除了识别哪些机器和帐户可能受到损害所涉及的手动工作。该奖项反映了 NSF 的法定使命，并通过使用基金会的智力优点和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

The Challenges of Blockchain-based Naming Systems for Malware Defenders

基于区块链的命名系统对恶意软件防御者的挑战

• 发表时间: 2022
• 期刊: APWG Symposium on Electronic Crime Research (eCrime
• 作者: Randall, Audrey;Hardaker, Wes;Schulman, Aaron;Savage, Stefan;Voelker, Geoffrey M.
• 通讯作者: Voelker, Geoffrey M.

Retroactive Identification of Targeted DNS Infrastructure Hijacking

目标 DNS 基础设施劫持的追溯识别

• DOI: 10.1145/3517745.3561425
• 发表时间: 2022
• 期刊: Proceedings of the 22nd ACM Internet Measurement Conference
• 作者: Akiwate, Gautam;Sommese, Raffaele;Jonker, Mattijs;Durumeric, Zakir;Claffy, KC;Voelker, Geoffrey M.;Savage, Stefan
• 通讯作者: Savage, Stefan