Network attacks are getting more complicated in today’s security environment. To obtain basic access information, attackers use various methods such as Phishing attack or Malware infection. After they enter the relevant IT system, they disguise as the user with wide access authorization while trying to increase their privileges. Many institutions do not have the staff, tools or bandwidth that will detect any extraordinary activities. After the attacker leaks into the network, it may take them days or weeks to discover the weaknesses in the systems. It is necessary for the lateral movements in this time period to be detected. Lateral movement refers to the gradual movements of cyber attackers, and the techniques they use to search for important targeted data and assets. It is necessary for the lateral movements in this time period to be detected. Lateral movement refers to the gradual movements of cyber attackers, and the techniques they use to search for important targeted data and assets.
Lateral movement activities can be analyzed and detected by Logsign SIEM via pre-defined correlations and Cyber Threat Intelligence (TI) service. Audit logs, process formation logs, Firewall, IDS/IPS, and EDR logs are used during the detection process.
Lateral movements that can be detected as pre-defined by Logsign SIEM:
Detecting Compromised User
Logsign SIEM identifies abnormal behavior of users by means of correlation. For instance, Logsign SIEM creates alerts to warn relevant IT managers in case of access to extraordinary data or systems at extraordinary hours.
Detecting Suspicious Privileged Authorization Increase
Main target is to detect privileged user account accesses. Logsign SIEM immediately identifies users that increase authorization for critical systems.
Command and Control (C&C) Communication
Logsign SIEM may associate the network traffic with Cyber Intelligence Module to discover malware that communicates with external attackers. This refers to a compromised user account.
Detecting Data Leakage
You can use Logsign Correlation and Cyber Threat Intelligence (TI) service to analyse incidents that may seem irrelevant – such as USB disc driver adding and process information, personal e-mail services, cloud storage services or creating high data traffic through local network.
It can detect the ciphering of the data on user systems. These abnormal movements on user data may be a ransomware attack.
Detecting Lateral Movements
Lateral Movements can be detected via alert rules created based on the Mitre Attack framework.
Windows file server acts as a file and folder storage that can be accessed by many users. Even though a working environment based on cooperation has many benefits, it may be difficult to prevent unauthorized access by monitoring the authorizations to shared folders.
As a strong Windows command file language, PowerShell is used by both IT specialists and attackers. PowerShell is an on-board command line tool.