Keisuke Muda
Internet Initiative Japan Inc
Keisuke Muda is an analyst at the Security Operation Center of Internet Initiative Japan Inc. (IIJ), an Internet service provider in Japan. As a member of the IIJ SOC, he analyzes logs sent from the various devices installed on IIJ SOC customers' networks. He also researches software vulnerabilities; when a critical security hole is discovered, he analyzes and summarizes it for IIJ customers so that they can protect themselves. Before becoming an analyst, he worked in system integration, and with that background he also takes part in enhancing the IIJ SOC services and their infrastructure.

Tracking APT Lateral Movement with Audit Policy and Sysmon

When attackers intrude into a network in an APT attack, the malware infection spreads to many hosts and servers. For effective incident response, investigating and detecting the lateral movement phase becomes critical. One method of investigating such attacks is to trace the logs that remain on the hosts. However, with Windows default settings, adequate evidence of lateral movement may never be recorded in the first place.

While appropriate host configurations are required to obtain sufficient evidence, such settings often greatly increase the volume of logs retained on the hosts. It is therefore necessary to know where on the hosts to look for evidence. To guide such investigations, we researched the log configurations needed to acquire evidence of tool execution in the lateral movement phase, and closely examined the indicators logged on the hosts. We then compiled our findings into a report and published it on a webpage.
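The configuration step that the abstract refers to, as an added example written for this page rather than material from the presentation or its report: enable process-creation auditing with command lines, raise the Security log size so the extra volume does not overwrite evidence, and install Sysmon with a minimal configuration. It must run from an elevated PowerShell session; the Sysmon binary path, the config file location, the log size and the Sysmon schema version are illustrative assumptions.

```powershell
# Added example for this abstract (not material from the presentation or its report).
# Turns on the host-side logging needed to evidence tool execution during lateral
# movement, then verifies the result. Run from an elevated PowerShell session.
# Assumptions: the Sysmon binary path, the config file location, the chosen log
# size and the Sysmon schema version are illustrative values, not values from the page.

$AuditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'

function Enable-LateralMovementAuditing {
    # Process Creation (Security 4688) is not audited under the default policy.
    # Logon (4624/4625) is enabled for both outcomes so the remote logon that
    # precedes tool execution on a target is recorded alongside the process event.
    auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null

    # 4688 carries no command line unless this policy value is set to 1.
    New-Item -Path $AuditKey -Force | Out-Null
    Set-ItemProperty -Path $AuditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

    # The extra events fill the Security log quickly; raise its maximum size
    # (1 GiB here, an illustrative figure) so evidence survives until triage.
    wevtutil sl Security /ms:1073741824
}

function Install-SysmonForLateralMovement {
    param(
        [string]$SysmonExe  = 'C:\Tools\Sysmon64.exe',          # assumed path
        [string]$ConfigPath = "$env:ProgramData\sysmon-lm.xml"  # assumed path
    )
    # Minimal Sysmon configuration: log every process creation (Event ID 1, with
    # parent image, hash and full command line) and network connections to the
    # ports used by RPC/SMB/RDP/WinRM-based remote execution (Event ID 3).
    # schemaversion must match the installed build; "Sysmon64.exe -s" prints it.
    $config = @'
<Sysmon schemaversion="4.22">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <ProcessCreate onmatch="exclude" />
    <NetworkConnect onmatch="include">
      <DestinationPort condition="is">135</DestinationPort>
      <DestinationPort condition="is">445</DestinationPort>
      <DestinationPort condition="is">3389</DestinationPort>
      <DestinationPort condition="is">5985</DestinationPort>
      <DestinationPort condition="is">5986</DestinationPort>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>
'@
    Set-Content -Path $ConfigPath -Value $config -Encoding ASCII
    if (Get-Service -Name 'Sysmon*' -ErrorAction SilentlyContinue) {
        & $SysmonExe -c $ConfigPath             # already installed: reload the configuration
    } else {
        & $SysmonExe -accepteula -i $ConfigPath # fresh install with this configuration
    }
}

function Test-LateralMovementAuditing {
    # Report whether each of the three settings is actually in effect.
    $policy  = auditpol /get /subcategory:"Process Creation" /r | ConvertFrom-Csv
    $cmdLine = (Get-ItemProperty -Path $AuditKey -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled
    $sysmon  = Get-Service -Name 'Sysmon*' -ErrorAction SilentlyContinue | Select-Object -First 1
    [pscustomobject]@{
        ProcessCreationAudit   = $policy.'Inclusion Setting'   # expect "Success and Failure"
        CommandLineInEvent4688 = ($cmdLine -eq 1)
        SysmonRunning          = ($null -ne $sysmon -and $sysmon.Status -eq 'Running')
    }
}

Enable-LateralMovementAuditing
Install-SysmonForLateralMovement
Test-LateralMovementAuditing
```

The verification function is the part worth keeping in a baseline check: auditpol settings are silently overridden when a GPO later applies a different Advanced Audit Policy, and the command-line value is a separate policy that is easy to forget, so a 4688 stream with empty `CommandLine` fields is a common finding in incident response.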

This presentation will explain some attack patterns and typical tools used in lateral movement that were identified through our research. It will also introduce techniques to detect or investigate such incidents using tools such as Windows Audit Policy and Sysmon.
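To show what the investigation side looks like once the logs exist, here is an added example, not code from the presentation or its report, that scans Security 4688 and Sysmon Event ID 1 records for command lines typical of remote-execution tooling. The indicator patterns are illustrative assumptions chosen for this example, not the list from the research, and the two embedded event records are constructed samples so the logic can be exercised offline.

```powershell
# Added example for this abstract (not material from the presentation or its report).
# Scans Security 4688 and Sysmon Event ID 1 records for command lines typical of
# remote-execution tooling. The indicator patterns are illustrative assumptions
# chosen for this example, not a list taken from the page.

$Patterns = [ordered]@{
    'PsExec service binary'  = '(?i)psexesvc'
    'PsExec client'          = '(?i)\bpsexec(64)?(\.exe)?\b'
    'WMI remote execution'   = '(?i)\bwmic(\.exe)?\b.*\s/node:'
    'Remote scheduled task'  = '(?i)\bschtasks(\.exe)?\b.*\s/s\s'
    'Remote service control' = '(?i)\bsc(\.exe)?\s+\\\\'
    'Admin share mapping'    = '(?i)\bnet(\.exe)?\s+use\s+\\\\\S+\\(c|admin|ipc)\$'
    'WinRM remote shell'     = '(?i)(\bwinrs(\.exe)?\s+-r:|Enter-PSSession|Invoke-Command\b.*-ComputerName)'
}

function Get-EventDataField {
    param([xml]$Xml, [string]$Name)
    # Look up an EventData field by its Name attribute rather than by position,
    # which differs between 4688 and Sysmon events and across Windows versions.
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Test-LateralMovementIndicator {
    param([Parameter(Mandatory)][string]$EventXml)
    $x = [xml]$EventXml
    $idNode = $x.Event.System.EventID
    $id = if ($idNode -is [string]) { [int]$idNode } else { [int]$idNode.'#text' }  # EventID may carry a Qualifiers attribute
    if ($id -eq 4688) {
        $user = Get-EventDataField $x 'SubjectUserName'; $image = Get-EventDataField $x 'NewProcessName'
        $parent = Get-EventDataField $x 'ParentProcessName'
    } else {
        $user = Get-EventDataField $x 'User'; $image = Get-EventDataField $x 'Image'
        $parent = Get-EventDataField $x 'ParentImage'
    }
    $cmd = Get-EventDataField $x 'CommandLine'
    foreach ($name in $Patterns.Keys) {
        # Match on image path plus command line: a service binary such as PSEXESVC
        # shows up in the image even when the command line is bare.
        if ("$image $cmd" -match $Patterns[$name]) {
            return [pscustomobject]@{
                Time = $x.Event.System.TimeCreated.SystemTime; Host = $x.Event.System.Computer
                EventId = $id; Indicator = $name; User = $user; Image = $image
                Parent = $parent; CommandLine = $cmd
            }
        }
    }
    return $null
}

function Find-LateralMovementIndicators {
    # Live mode: pull both event sources for the last week and report the hits.
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $filters = @(
        @{ LogName = 'Security'; Id = 4688; StartTime = $Since },
        @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            ForEach-Object { Test-LateralMovementIndicator -EventXml $_.ToXml() } |
            Where-Object { $_ }
    }
}

# Constructed sample records (not real logs): a 4688 on the source host showing
# WMI remote execution, and a Sysmon Event ID 1 on the target showing PSEXESVC
# started by services.exe, which is how a PsExec session looks on the receiving end.
$Sample4688 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID><TimeCreated SystemTime="2017-10-01T02:03:04.000Z"/><Computer>ws01.example.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="NewProcessName">C:\Windows\System32\wbem\WMIC.exe</Data>
    <Data Name="CommandLine">wmic /node:srv02 process call create "cmd /c whoami"</Data>
    <Data Name="ParentProcessName">C:\Windows\System32\cmd.exe</Data>
  </EventData>
</Event>
'@
$SampleSysmon1 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID><TimeCreated SystemTime="2017-10-01T02:03:09.000Z"/><Computer>srv02.example.local</Computer></System>
  <EventData>
    <Data Name="Image">C:\Windows\PSEXESVC.exe</Data>
    <Data Name="CommandLine">C:\Windows\PSEXESVC.exe</Data>
    <Data Name="User">EXAMPLE\alice</Data>
    <Data Name="ParentImage">C:\Windows\System32\services.exe</Data>
  </EventData>
</Event>
'@
$Sample4688, $SampleSysmon1 | ForEach-Object { Test-LateralMovementIndicator -EventXml $_ } | Format-List
# Against live logs on a configured host: Find-LateralMovementIndicators | Format-Table -AutoSize
```

The point of reading both sources is that each side of a lateral move leaves a different trace: the operator's host records the client tool and its arguments in 4688, while the target records the service or process the tool spawned, with Sysmon supplying the parent image and hash that 4688 lacks on older Windows builds. Correlating the two by user and timestamp is what turns a single suspicious event into a reconstructed hop.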