Most cyber network attacks begin with an adversary gaining a foothold within the network and proceed with lateral movement until a desired goal is achieved. The mechanism by which lateral movement occurs varies, but the basic signature of hopping between hosts by exploiting vulnerabilities is the same. Because of the nature of the vulnerabilities typically exploited, lateral movement is very difficult to detect and defend against. In this paper we define a dynamic reachability graph model of the network to discover possible paths that an adversary could take using different vulnerabilities, and how those paths evolve over time. We use this reachability graph to develop dynamic machine-level and network-level impact scores. Lateral movement mitigation strategies which make use of our impact scores are also discussed, and we detail an example using a freely available data set.
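The abstract describes a time-varying reachability graph over hosts and exploitable vulnerabilities, impact scores derived from it, and mitigation choices driven by those scores. The following is an added illustration of that idea, not the paper's model or code: hosts are nodes, a directed edge is usable only while its vulnerability is present and unpatched, reachability from a foothold is recomputed at each time step, and a deliberately simple "impact" (count of other hosts reachable) stands in for the paper's own scores, which are defined differently there. The host names, vulnerability labels (v1 to v5) and time windows are constructed sample data.

```python
"""Illustrative dynamic reachability graph for lateral movement analysis.

This is an added example, not the paper's definitions. Assumptions:
  * an edge (src, dst, vuln, first_seen, patched) means dst can be reached
    from src by exploiting vuln while first_seen <= t < patched;
  * the machine-level "impact" of a host is the number of other hosts an
    adversary could reach after compromising it (a stand-in metric);
  * the network-level "impact" is the fraction of ordered host pairs
    (u, v) with v reachable from u (also a stand-in metric).
"""
from collections import defaultdict, deque

# Constructed sample data: a workstation, a web tier, an app tier, a file
# server and a database. v2 is patched at t=5; v3 is first seen at t=2.
EDGES = [
    ("ws01", "web01", "v5", 0, 10),
    ("web01", "app01", "v1", 0, 10),
    ("app01", "db01", "v2", 0, 5),
    ("app01", "fs01", "v3", 2, 10),
    ("fs01", "db01", "v4", 0, 10),
]


def hosts(edges):
    """All host names mentioned by any edge, in a stable order."""
    return sorted({h for e in edges for h in e[:2]})


def active_adjacency(edges, t):
    """Adjacency list of the edges that are exploitable at time t."""
    adj = defaultdict(list)
    for src, dst, _vuln, first_seen, patched in edges:
        if first_seen <= t < patched:
            adj[src].append(dst)
    return adj


def reachable(adj, foothold):
    """Hosts reachable from the foothold by any chain of active edges."""
    seen = {foothold}
    queue = deque([foothold])
    while queue:
        cur = queue.popleft()
        for nxt in adj.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(foothold)
    return seen


def machine_impact(edges, t):
    """Stand-in machine-level score: number of other hosts reachable."""
    adj = active_adjacency(edges, t)
    return {h: len(reachable(adj, h)) for h in hosts(edges)}


def network_impact(edges, t):
    """Stand-in network-level score: fraction of reachable ordered pairs."""
    n = len(hosts(edges))
    if n < 2:
        return 0.0
    return sum(machine_impact(edges, t).values()) / (n * (n - 1))


def reach_over_time(edges, foothold, times):
    """How the reachable set from a foothold evolves as edges appear/vanish."""
    return {t: sorted(reachable(active_adjacency(edges, t), foothold))
            for t in times}


def best_patch(edges, t, foothold):
    """Greedy mitigation: the single active edge whose removal (patching its
    vulnerability) most shrinks what the foothold can reach at time t.
    Returns ((src, dst, vuln), hosts_removed_from_reach)."""
    baseline = len(reachable(active_adjacency(edges, t), foothold))
    best, best_gain = None, 0
    for i, (src, dst, vuln, first_seen, patched) in enumerate(edges):
        if not (first_seen <= t < patched):
            continue
        remaining = edges[:i] + edges[i + 1:]
        gain = baseline - len(reachable(active_adjacency(remaining, t), foothold))
        if gain > best_gain:
            best, best_gain = (src, dst, vuln), gain
    return best, best_gain


if __name__ == "__main__":
    for t, reach in reach_over_time(EDGES, "web01", [0, 3, 7, 10]).items():
        print(f"t={t}: web01 can reach {reach}")
    print("machine impact at t=3:", machine_impact(EDGES, 3))
    print("network impact at t=3:", network_impact(EDGES, 3))
    print("best patch at t=3 for foothold web01:", best_patch(EDGES, 3, "web01"))
```

Running the script shows the dynamic behaviour the abstract refers to: the set reachable from `web01` grows when v3 appears at t=2, stays the same size when v2 is patched at t=5 because `db01` is still reachable through `fs01`, and collapses only when the remaining vulnerabilities are patched. The greedy `best_patch` step is one crude way to turn a reachability-based score into a mitigation decision; it does not reproduce the strategies the paper discusses.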
Revised: November 30, 2016 | Published: November 4, 2016
Citation
Purvine E., J.R. Johnson, and C. Lo. 2016. A Graph-Based Impact Metric for Mitigating Lateral Movement Cyber Attacks. In Proceedings of the 2016 ACM Workshop on Automated Decision Making for Active Cyber Defense (SafeConfig 2016), October 24-28, 2016, Vienna, Austria, 45-52. New York, New York: ACM. PNNL-SA-120090. doi:10.1145/2994475.2994476