Artificial Reality | The PatternEx Blog

Collections of the thoughts and the people behind the PatternEx Virtual Analyst Platform powered by AI2.

Detecting Lateral Movement with Data Science Sugar

Let us review some key insights from another great PatternEx webinar. This time our guest speaker Adrian Sarno, data scientist at PatternEx, shares his knowledge of security threat tactics and of building AI models that detect them faster and more efficiently.

What I was most impressed with was the way Adrian was able to break down our topic, lateral movement detection, into bite-sized use cases to show how AI compares to other detection approaches.

We covered three use cases, comparing a traditional threat hunting / rule-based approach against an AI model-based approach, with analysis to show how the results perform. As you can imagine, the topic was very interesting and so we had a number of questions.

Overpass-the-hash (OPTH)

OPTH is an attack that combines a new variant on Kerberos ticketing with further techniques that include privilege escalation and owning the domain controller, among other steps. However, it is very difficult to detect with traditional rules or threat hunting, given that there are not many IOCs. In addition, the attacker can more easily bypass detection by using the default encryption type.

The AI model takes a different approach, one that is not possible to do manually or via basic ML algorithms alone. What features and models should be used? And how do you measure effectiveness? Well, no spoilers: see the on-demand webinar recording.

Obfuscation

Obfuscation uses PowerShell scripts, among other steps, to execute commands that extend lateral movement and bypass detection. It turns out that this attack can also bypass traditional rule-based detection, and we saw some good examples of why and how the bypass works. The AI detection model was interesting, and the references and analysis Adrian provided were a very powerful learning aid.

Adrian did a great job of explaining what he called "data science sugar" and showing us tables and graphs of how the AI model performs in detection, and how it does so much faster and without needing to know the details of the attack or of AI. He also talked about the confusion matrix (which was pretty clear, actually) as a way of describing the output and accuracy of a model, in this case by looking at the false positives vs. false negatives in the detection of obfuscation.
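To make the confusion matrix concrete, here is an added example (not PatternEx code, and not from the webinar) that scores a constructed set of labelled PowerShell invocations at different alert thresholds and reports how false positives trade off against false negatives; the events, scores and threshold values are all assumptions.

```python
from collections import Counter

# Constructed sample: one row per PowerShell invocation, with a ground-truth
# label (was it obfuscated?) and the model's obfuscation score (assumed values).
LABELED_EVENTS = [
    {"id": 1, "obfuscated": True,  "score": 0.96},
    {"id": 2, "obfuscated": True,  "score": 0.81},
    {"id": 3, "obfuscated": True,  "score": 0.42},  # subtle encoding, low score
    {"id": 4, "obfuscated": False, "score": 0.08},
    {"id": 5, "obfuscated": False, "score": 0.55},  # noisy but benign admin script
    {"id": 6, "obfuscated": False, "score": 0.12},
    {"id": 7, "obfuscated": False, "score": 0.03},
    {"id": 8, "obfuscated": True,  "score": 0.77},
]

def confusion_matrix(events, threshold):
    """Count TP/FP/TN/FN when the model alerts on score >= threshold."""
    counts = Counter()
    for e in events:
        alerted = e["score"] >= threshold
        if alerted and e["obfuscated"]:
            counts["TP"] += 1
        elif alerted and not e["obfuscated"]:
            counts["FP"] += 1   # false positive: analyst chases a benign script
        elif not alerted and e["obfuscated"]:
            counts["FN"] += 1   # false negative: obfuscated command slips through
        else:
            counts["TN"] += 1
    return dict(counts)         # a missing key means that cell is zero

def metrics(cm):
    """Precision, recall and false-positive rate derived from the four cells."""
    tp, fp = cm.get("TP", 0), cm.get("FP", 0)
    tn, fn = cm.get("TN", 0), cm.get("FN", 0)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return {"precision": precision, "recall": recall, "fpr": fpr}

def sweep(events, thresholds):
    """Show how moving the alert threshold shifts errors between FP and FN."""
    return {t: metrics(confusion_matrix(events, t)) for t in thresholds}

if __name__ == "__main__":
    for t, m in sweep(LABELED_EVENTS, (0.3, 0.5, 0.7)).items():
        print(f"threshold={t:.1f} {confusion_matrix(LABELED_EVENTS, t)} {m}")
```

Lowering the threshold catches the subtly encoded script (no false negatives) at the cost of paging on the benign admin script; raising it does the reverse, which is exactly the trade-off the matrix makes visible.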

If you want to hear more about "data science sugar", you guessed it, check out the on-demand webinar recording.

"Data science sugar" - Adrian Sarno. Definition: data, graphs, and charts that get data scientists pretty excited about the results of an AI model.


Kerberoasting

Kerberoasting is another attack that leverages the ability to compromise credentials, especially AD account credentials. While this attack is pretty well known and many SIEM-based rules have been written to find it, the number of parameters and variations required for low false positives is pretty mind-boggling. I have seen a threat hunter suggest a rule for ONE IOC of this attack that was about 3 lines long with over 10 parameters! Eesh. So how does AI help here? It turns out there can be thousands of dimensions and hundreds of parameters to monitor, and AI models can select the features that matter based on data analysis rather than a static guess. The on-demand webinar recording covers this in more detail.


At PatternEx we live and breathe the attack kill chain to automate life for all security analysts, from Tier 1 to Tier 3. The PatternEx Virtual Analyst Platform makes the analyst smarter, better and faster, and that is something everyone can agree is awesome.

Check out the "AI Goes Sideways: Detecting Lateral Movement" on-demand webinar for more.

Topics: Threat Detection AI