SaTC: CORE: Medium: After the Breach: Detecting Lateral Movement, Reconnaissance, and Exfiltration in Enterprise Networks

SaTC：核心：中：违规后：检测企业网络中的横向移动、侦察和渗透

• 批准号: 2152644
• 负责人: Stefan Savage
• 金额: $ 120万
• 依托单位: University of California-San Diego
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2022
• 资助国家: 美国
• 起止时间: 2022-06-01 至 2025-05-31
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2152644&HistoricalAwards=false
• 关键词: SaTC; CORE; Medium; After; Breach

Large-scale data breaches and ransomware attacks have become a pressing threat for government agencies and corporations alike. However, what distinguishes these events is rarely the technical mechanisms by which unauthorized access was first obtained, but rather the methodical actions taken after gaining such access. Thus, while efforts to protect against initial intrusions remain important, it is clearly every bit as important to develop sound approaches for detecting and subduing the actions of attackers already operating inside an organization. This project tackles precisely this problem: how to detect, identify and remediate malicious actors via their operational actions inside an organization. To address this goal, the project’s novelty is in developing a network analysis system to model the causality of computer and network events – ways in which an action that occurred on one machine can be explained as an attacker pivoting from another machine in pursuit of increased access in an organization. The project’s broader significance and importance are in providing a well-founded rigorous basis for evaluating best practices for detecting and mitigating enterprise-scale data breaches.Using an inferred causal graph of such activities, the investigators develop and evaluate detectors for evidence of internal reconnaissance, lateral movement and external communication. Using both empirical data sources and a simulator for testing a range of enterprise network models, the investigators explore the extent to which this causal framework can distinguish known attacks from the broad range of benign activities that take place. Finally, the project also evaluates the value of such frameworks for both triage and post-incident response, removing the manual work involved in identifying which machines and accounts may have been compromised.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

大规模数据泄露和勒索软件攻击已经成为政府机构和企业面临的紧迫威胁。然而，区分这些事件的很少是首次获得未经授权访问的技术机制，而是在获得此类访问后采取的有条理的行动。因此，尽管努力防止最初的入侵仍然很重要，但开发可靠的方法来检测和制服已经在组织内操作的攻击者的行为显然同样重要。这个项目精确地解决了这个问题：如何通过组织内部的操作来检测、识别和修复恶意参与者。为了实现这一目标，该项目的新颖之处在于开发一个网络分析系统来模拟计算机和网络事件的因果关系——在这种情况下，发生在一台机器上的行为可以解释为攻击者从另一台机器转向另一台机器，以追求在组织中增加访问权限。该项目更广泛的意义和重要性在于为评估检测和减轻企业规模数据泄露的最佳实践提供了一个有充分基础的严格基础。利用推断出的此类活动的因果图，调查人员开发和评估了用于内部侦察、横向移动和外部通信证据的探测器。使用经验数据源和模拟器来测试一系列企业网络模型，研究人员探索了这种因果框架在多大程度上可以将已知的攻击与发生的广泛良性活动区分开来。最后，该项目还评估了这些框架在分类和事件后响应方面的价值，从而消除了识别哪些机器和帐户可能已被泄露的手动工作。该奖项反映了美国国家科学基金会的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

The Challenges of Blockchain-based Naming Systems for Malware Defenders

基于区块链的命名系统对恶意软件防御者的挑战

• 发表时间: 2022
• 期刊: APWG Symposium on Electronic Crime Research (eCrime
• 作者: Randall, Audrey;Hardaker, Wes;Schulman, Aaron;Savage, Stefan;Voelker, Geoffrey M.
• 通讯作者: Voelker, Geoffrey M.

Retroactive Identification of Targeted DNS Infrastructure Hijacking

目标 DNS 基础设施劫持的追溯识别

• DOI: 10.1145/3517745.3561425
• 发表时间: 2022
• 期刊: Proceedings of the 22nd ACM Internet Measurement Conference
• 作者: Akiwate, Gautam;Sommese, Raffaele;Jonker, Mattijs;Durumeric, Zakir;Claffy, KC;Voelker, Geoffrey M.;Savage, Stefan
• 通讯作者: Savage, Stefan