Abstract

Lateral movement, in which a cyber attacker progresses through an enterprise network in order to compromise its most valuable assets, is a key stage of any intrusion today. Being able to mitigate lateral movement, whether by slowing down attacker progress or by limiting its reach, is therefore a top priority for enterprise cyber-defence. Due to the inherent complexity of enterprise networks, it is also a paramount challenge, made even harder by the high impact that deploying security countermeasures can have on the performance or functionality of the network. In this paper we model lateral movement as an infection process and propose a methodology to prioritize which network elements to protect for a more effective and efficient mitigation. To do this we rely on a graph model and graph-theoretic metrics taken from epidemiology research, and apply them to the trust relationships in Microsoft Active Directory infrastructures. We propose selective immunization techniques which act as “surgical” countermeasures, affecting only a very small fraction of the nodes in the network. Experiments show that the selective immunization strategies we propose effectively mitigate infection spread in these settings while keeping the number of immunized nodes to a minimum.
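The following is an added illustration of the approach the abstract describes, not code from the paper: lateral movement is simulated as a deterministic infection spreading over a constructed toy Active Directory trust graph, and the nodes to harden ("immunize") are selected by a graph metric. The node names, the edge set and the choice of total degree as the ranking metric are assumptions made for the example; the abstract does not state which metric the paper uses.

```python
from collections import deque

# Constructed toy Active Directory trust graph (hypothetical names, not the
# paper's data). Edge u -> v: a foothold on u extends to v via a trust
# relationship, e.g. u holds admin rights on v.
EDGES = [
    ("WS01", "WS02"), ("WS02", "SRV-FILE"), ("WS03", "SRV-FILE"),
    ("SRV-FILE", "SRV-APP"), ("SRV-APP", "DC01"), ("WS04", "SRV-APP"),
    ("WS05", "SRV-DB"), ("SRV-DB", "SRV-APP"), ("WS06", "WS05"),
    ("WS07", "SRV-BACKUP"), ("SRV-BACKUP", "DC01"), ("WS08", "WS07"),
]

def build_graph(edges):
    """Adjacency sets for the directed graph; every node is a key."""
    graph = {}
    for u, v in edges:
        graph.setdefault(u, set()).add(v)
        graph.setdefault(v, set())
    return graph

def spread(graph, seeds, immunized=frozenset()):
    """Deterministic infection model: starting from the initially compromised
    seeds, every outgoing trust edge is followed. Immunized nodes can neither
    be infected nor transmit, which is how a hardened host behaves."""
    infected = {s for s in seeds if s not in immunized}
    queue = deque(infected)
    while queue:
        u = queue.popleft()
        for v in graph[u]:
            if v not in infected and v not in immunized:
                infected.add(v)
                queue.append(v)
    return infected

def degree_immunization(graph, k):
    """Selective immunization: protect the k highest total-degree (in + out)
    nodes, a classic target-selection heuristic from network epidemiology
    (assumption: degree stands in for the paper's unstated metric)."""
    in_deg = {n: 0 for n in graph}
    for u in graph:
        for v in graph[u]:
            in_deg[v] += 1
    ranked = sorted(graph, key=lambda n: len(graph[n]) + in_deg[n], reverse=True)
    return frozenset(ranked[:k])

if __name__ == "__main__":
    g = build_graph(EDGES)
    seeds = {"WS01", "WS06"}          # two compromised workstations
    top2 = degree_immunization(g, 2)  # about 15% of the 13 nodes
    print("infected without immunization:", len(spread(g, seeds)), "of", len(g))
    print("immunize", sorted(top2), "->", len(spread(g, seeds, top2)), "infected")
```

On this graph, hardening just the two highest-degree servers cuts the infected set from 8 to 5 nodes and keeps the domain controller out of reach, which is the "surgical" effect the abstract refers to.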
