Readiness for Tailored Attacks and Lateral Movement Detection

Kellenberger, Lukas and Mattes, Claudio (2019) Readiness for Tailored Attacks and Lateral Movement Detection. Student Research Project thesis, HSR Hochschule für Technik Rapperswil.

[thumbnail of HS 2018 2019-SA-EP-Mattes-Kellenberger-Readiness for Tailored Attacks and Lateral Movement Detectio.pdf]
Preview
Text
HS 2018 2019-SA-EP-Mattes-Kellenberger-Readiness for Tailored Attacks and Lateral Movement Detectio.pdf - Supplemental Material

Download (2MB) | Preview

Abstract

Introduction:
The number of cyber-attacks where malicious code is used has massively increased recently. These attacks not only settles on the infected system, but can also infect other systems through lateral movements in the network. The outcome is often the complete infiltration of the organization due to the use of advanced persistent threats (APT). Although the configuration of these targeted networks varies depending on the organization, common patterns in the attack methods can be detected. In the analysis of such patterns and events, information and time are key factors to success. Hence, readiness for such an event is a decisive factor.

Procedure:
The project was limited to the operating system Windows 10 Pro or Windows Server 2016. In the elaboration phase, research was carried out into how the goal of determining readiness of a system could be implemented. The decision was made to implement a proof of concept (PoC) based on the paper "Detecting Lateral Movement through Tracking Event Logs" of the "Japan Computer Emergency Response Team Coordination Center". Existing tools and/or products were evaluated, on which can be built on. Unfortunately, no suitable products were found and so we decided that such a PoC should be redesigned. As technology served Windows PowerShell because it is close to the Microsoft operating
system and fulfills the non functional requirement to be a portable script. Moreover, the PoC should be a headless tool which can be started without any GUI and the possibility to be executed offline.

Result:
During the construction phase the "System Readiness Inspector - SRI", a Windows PowerShell script, was developed. This phase was completed using the Scrum method. The SRI has four different modes: Online, Offline, GroupPolicy, AllGroupPolicies. The online mode is limited to the current system and thus determines its readiness. The offline mode is used to be able to make a statement about any system by means of exports. The GroupPolicy mode is limited to a speci�c Group Policy, which is checked for its audit settings. In the AllGroupPolicies mode, all group policies of the current domain are examined.

Item Type: Thesis (Student Research Project)
Subjects: Topics > Software > Agile Software Development > SCRUM
Area of Application > Business oriented
Technologies > Operating Systems > Windows
Technologies > Security
Technologies > Network
Divisions: Bachelor of Science FHO in Informatik > Student Research Project
Depositing User: OST Deposit User
Contributors:
Contribution
Name
Email
Thesis advisor
Brunschwiler, Cyrill
UNSPECIFIED
Date Deposited: 26 Mar 2019 06:48
Last Modified: 26 Mar 2019 06:48
URI: https://eprints.ost.ch/id/eprint/754

Actions (login required)

View Item
View Item