Unraveling Network-based Pivoting Maneuvers: Empirical Insights and Challenges
Authors | |
---|---|
Year of publication | 2024 |
Type | Article in Proceedings |
Conference | Digital Forensics and Cyber Crime |
MU Faculty or unit | |
Citation | |
Doi | http://dx.doi.org/10.1007/978-3-031-56583-0_9 |
Keywords | pivoting;lateral movement;monitoring;NetFlow |
Attached files | |
Description | Pivoting is a sophisticated strategy employed by modern malware and Advanced Persistent Threats (APT) to complicate attack tracing and attribution. Detecting pivoting activities is of utmost importance in order to counter these threats effectively. In this study, we examined the detection of pivoting by analyzing network traffic data collected over a period of 10 days in a campus network. Through NetFlow monitoring , we initially identified potential pivoting candidates, which are traces in the network traffic that match known patterns. Subsequently, we conducted an in-depth analysis of these candidates and uncovered a significant number of false positives and benign pivoting-like patterns. To enhance investigation and understanding, we introduced a novel graph representation called a pivoting graph, which provides comprehensive vi-sualization capabilities. Unfortunately, investigating pivoting candidates is highly dependent on the specific context and necessitates a strong understanding of the local environment. To address this challenge, we applied principal component analysis and clustering techniques to a diverse range of features. This allowed us to identify the most meaningful features for automated pivoting detection, eliminating the need for prior knowledge of the local environment. |
Related projects: |