Towards Efficient Reconstruction of Attacker Lateral Movement

Organization and government networks are a target of Advanced Persistent Threats (APTs), i.e., stealthy attackers that infiltrate networks slowly and usually stay undetected for long periods of time. After an attack has been discovered, security administrators have to manually determine which hosts were compromised to clean and restore them. For that, they have to analyze a large number of hosts. In this paper, we propose an approach to efficiently reconstruct the lateral movement of attackers from a given set of indicators of compromise (IoCs) that can help security administrators to identify and prioritize potentially compromised hosts. To reconstruct attacker paths in a network, we link hosts with IoCs via two methods: k-shortest-paths and biased random walks. To evaluate the accuracy of these approaches in reconstructing attack paths, we introduce three models of attackers that differ in their network knowledge. Our results indicate that we can approximate the lateral movement of the three proposed attacker models, even when the attacker significantly deviates from them. For insider attackers that deviate up to 75% from our models, the method based on k-shortest-paths achieves a true positive rate of 88% and can significantly narrow down the set of nodes to analyse to 5% of all network hosts.