Detecting Lateral Movement and Credential Switching: Human vs. Machine
APPROXIMATE READ TIME: 6 MINUTES
Without the advantage of machine learning, tactics like these can be overlooked. A human analyst will likely not realize that activity A and activity B are two separate pieces of the same attack in the network. Without the understanding that A and B are indeed related, the analyst will miss the correlation and their response will most likely be incomplete.
What is lateral movement?
Security teams need smart, data-enriched timelines with contextual insights to surface attacks that involve lateral movement. This is where machine learning shines within the Exabeam Advanced Analytics platform.
Data-driven investigations
The result is a “smart timeline” with the missing details automatically filled in. Exabeam Smart Timelines stitches together both the normal and abnormal behavior for every user, machine, and asset on your network. It automatically baselines normal behavior, so it becomes easy to detect the deviations. Using a pre-generated timeline for every user and device provides insights you may never have been able to surface before. Exabeam Smart Timelines automatically combine sequence, behavior, identity, and scope into a security information model that’s shared with all Exabeam products, giving you a single, unified dashboard view of your entire network operation.
How lateral movement works
The first thing to understand is that typical correlation rules, with their static alerts, generate this sort of view for the analyst.

The following example shows user Barbara Salazar’s timeline and a separate timeline for an account “db_admin”. Without state change tracking, these appear to be two separate unrelated incidents. With proper state change tracking, we can recognize that the attempt to log into the database server as db_admin originated from Barbara Salazar’s workstation. We can now tie these two incidents together and begin to understand the intent of the two otherwise separate actions.

• User bsalazar logs into her workstation
• Her workstation receives a DHCP address
• That workstation attempts to connect using a db_admin account to a remote database server
• User bsalazar is an HR director, not a database admin
• The db_admin account runs a query that returns the contents of the payroll database
• An outbound file transfer of approximately the same size as the query results occurs.
Asking an analyst to tie together the user bsalazar, the workstation's IP address and hostname, the remote server, the db_admin account, the database query and the outbound activity by hand in this example leads to the following two search queries, one for Splunk and one for Elastic.


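The state-change tracking the example describes (user to workstation, workstation to DHCP address, address to a remote logon under a different account, and on to the query and the outbound transfer) can be shown as a small event replay. The following is an added Python illustration written for this page; it is not Exabeam's code and not a substitute for the Splunk or Elastic queries referred to above. The event fields, host names, IP addresses, byte counts, the role table and the authorized-user list are all constructed for the bsalazar / db_admin scenario.

```python
"""Stitch login, DHCP, remote-logon, query and egress events into one per-user timeline.

Added illustration, not Exabeam's code: every event, host, IP, size and role
below is constructed to mirror the bsalazar / db_admin scenario in the text.
"""
from dataclasses import dataclass, field

# Constructed sample events (hypothetical, not taken from any real log source).
EVENTS = [
    {"ts": "08:01:10", "type": "auth_login", "user": "bsalazar", "host": "WS-HR-17"},
    {"ts": "08:01:12", "type": "dhcp_lease", "host": "WS-HR-17", "ip": "10.20.5.41"},
    {"ts": "08:14:03", "type": "remote_logon", "src_ip": "10.20.5.41",
     "dst_host": "DB-PAY-01", "account": "db_admin"},
    {"ts": "08:15:20", "type": "db_query", "host": "DB-PAY-01", "account": "db_admin",
     "db": "payroll", "result_bytes": 52_400_000},
    {"ts": "08:16:00", "type": "net_egress", "src_ip": "10.20.5.77",   # unrelated workstation
     "dst_ip": "198.51.100.4", "bytes": 1_000},
    {"ts": "08:17:45", "type": "net_egress", "src_ip": "10.20.5.41",
     "dst_ip": "203.0.113.9", "bytes": 51_900_000},
]

# Assumed context: job roles and which users may legitimately use a shared privileged account.
ROLE = {"bsalazar": "HR director"}
AUTHORIZED_USERS = {"db_admin": {"dba.lee"}}
SIZE_TOLERANCE = 0.10  # egress within 10% of the last query result size is worth flagging


@dataclass
class Session:
    user: str
    events: list = field(default_factory=list)
    accounts: set = field(default_factory=set)
    alerts: list = field(default_factory=list)


def _close(a: int, b: int, tol: float = SIZE_TOLERANCE) -> bool:
    """True when a is within tol (fraction of b) of b."""
    return b > 0 and abs(a - b) <= tol * b


def stitch(events):
    """Replay events in time order, tracking state changes so that each event is
    attributed back to the interactive user who caused it."""
    host_user = {}   # workstation -> user who logged on interactively
    ip_host = {}     # leased IP -> workstation
    remote = {}      # (server, account) -> originating user of that remote logon
    sessions = {}

    def sess(user):
        return sessions.setdefault(user, Session(user))

    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = ev["type"]
        if kind == "auth_login":
            host_user[ev["host"]] = ev["user"]
            s = sess(ev["user"]); s.accounts.add(ev["user"]); s.events.append(ev)
        elif kind == "dhcp_lease":
            ip_host[ev["ip"]] = ev["host"]
            user = host_user.get(ev["host"])
            if user:
                sess(user).events.append(ev)
        elif kind == "remote_logon":
            # IP -> host -> user: the account on the wire is db_admin, the actor is bsalazar
            user = host_user.get(ip_host.get(ev["src_ip"]))
            if user is None:
                continue  # unattributable; a real system would keep it on the asset timeline
            remote[(ev["dst_host"], ev["account"])] = user
            s = sess(user); s.events.append(ev); s.accounts.add(ev["account"])
            if ev["account"] != user:
                s.alerts.append(f"account switch {user} -> {ev['account']} on {ev['dst_host']}")
                if user not in AUTHORIZED_USERS.get(ev["account"], set()):
                    s.alerts.append(f"{user} ({ROLE.get(user, 'unknown role')}) is not authorized for {ev['account']}")
        elif kind == "db_query":
            user = remote.get((ev["host"], ev["account"]))
            if user is None:
                continue
            sess(user).events.append(ev)
        elif kind == "net_egress":
            user = host_user.get(ip_host.get(ev["src_ip"]))
            if user is None:
                continue
            s = sess(user); s.events.append(ev)
            queries = [e for e in s.events if e["type"] == "db_query"]
            if queries and _close(ev["bytes"], queries[-1]["result_bytes"]):
                s.alerts.append(f"egress of {ev['bytes']} bytes to {ev['dst_ip']} matches last query result size")
    return sessions


def timeline(session: Session):
    """Render the stitched session as the ordered event lines an analyst would read."""
    return [f"{e['ts']} {e['type']:13} "
            + " ".join(f"{k}={v}" for k, v in e.items() if k not in ("ts", "type"))
            for e in session.events]


if __name__ == "__main__":
    for s in stitch(EVENTS).values():
        print(f"== {s.user} accounts={sorted(s.accounts)}")
        print("\n".join(timeline(s)))
        for a in s.alerts:
            print("ALERT:", a)
```

Run on the constructed events, the replay yields a single session for bsalazar containing all five related events (the egress from the unrelated workstation is left unattributed) and three alerts: the switch to db_admin, the role mismatch, and the outbound transfer sized like the payroll query result. The point of the example is the lookups, not the alert strings: each hop (IP to host, host to user, server plus account to originating user) is a state change that has to be recorded at the moment it happens, which is exactly what static, per-event correlation rules do not do.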
Tying disparate events into insights through machine learning


