Qosmos

Security

DPI for Lateral Movement Detection

No organization is immune from malware attacks. Malware tries to penetrate networks through a variety of ways: email phishing, a compromised external drive, an infected personal device, an IT misconfiguration or other unknown exploit. However, once it has gained entry to the network, the attack typically evolves through the different stages of the cyber kill chain. It carries out early reconnaissance, creates a state of persistence, seeks access to the outside world through a Command & Control server, and then initiates a series of lateral movements (access to resources, propagation, privileges, etc.), until it reaches its final goal of data exfiltration, data destruction, or demand for ransom.

The Cyber Kill Chain

 

Lateral Movement Generates Detectable Network Traffic

During the lateral movements phase, an attack generates specific types of network traffic as it gathers valuable information for exfiltration. It is here that it becomes most vulnerable to detection. However, distinguishing potential threats from legitimate traffic requires the management and analysis of huge amounts of data often complicated by the high number of false positives.

 

DPI is Highly Effective in Accurately Detecting Lateral Movement in Real-Time

Qosmos ixEngine, based on advanced DPI technology, analyzes traffic flows in real-time, using an extensive library of over 3000 protocols and extracting up to 4500 application metadata in order to distinguish abnormal network-based lateral movements, such as the following, from normal activity:

  • File shares
  • Remote desktop, VNC, TeamViewer, Ammyy Admin
  • Port scan
  • Windows Management Instrumentation (WMI)
  • Active directory & admin shares
  • ARP spoofing

As a result, network-based lateral movements are rapidly detected allowing rapid containment of attacks and remediation. The protocol information and metadata can also be used to improve the results of user behavior analysis and machine learning, and to enable mitigation at each stage of the kill chain, improving the effectiveness of security solutions.