Unsupervised Learning for Lateral-Movement-Based Threat Mitigation in Active Directory Attack Graphs

[EN] Cybersecurity threats, particularly those involving lateral movement within networks, pose significant risks to critical infrastructures such as Microsoft Active Directory. This study addresses the need for effective defense mechanisms that minimize network disruption while preventing attackers...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Hauptverfasser: Herranz-Oliveros, David, Tejedor-Romero, Marino, Gimenez-Guzman, Jose Manuel, de la Cruz-Piris, Luis
Format: Artikel
Sprache:eng
Schlagworte:
Online-Zugang:Volltext bestellen
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
Beschreibung
Zusammenfassung:[EN] Cybersecurity threats, particularly those involving lateral movement within networks, pose significant risks to critical infrastructures such as Microsoft Active Directory. This study addresses the need for effective defense mechanisms that minimize network disruption while preventing attackers from reaching key assets. Modeling Active Directory networks as a graph in which the nodes represent the network components and the edges represent the logical interactions between them, we use centrality metrics to derive the impact of hardening nodes in terms of constraining the progression of attacks. We propose using Unsupervised Learning techniques, specifically density-based clustering algorithms, to identify those nodes given the information provided by their metrics. Our approach includes simulating attack paths using a snowball model, enabling us to analytically evaluate the impact of hardening on delaying Domain Administration compromise. We tested our methodology on both real and synthetic Active Directory graphs, demonstrating that it can significantly slow down the propagation of threats from reaching the Domain Administration across the studied scenarios. Additionally, we explore the potential of these techniques to enable flexible selection of the number of nodes to secure. Our findings suggest that the proposed methods significantly enhance the resilience of Active Directory environments against targeted cyber-attacks. This publication is part of project TED2021-131387B-I00 funded by MCIN/AEI/10.13039/501100011033 and by the European Union "NextGenerationEU"/PRTR and of project PID2021-123168NB-I00 funded by MCIN/AEI/10.13039/501100011033/FEDER, UE. Finally, this work is a part of the research project SBPLY/23/180225/000160, which is funded by the EU through FEDER, Spain, and by the JCCM through INNOCAM. David Herranz is also funded by both an FPU grant and a Mobility Grant for Research Staff in Training from the University of Alcala. Herranz-Oliveros, D.; Tejedor-Romero, M.; Gimenez-Guzman, JM.; De La Cruz-Piris, L. (2024). Unsupervised Learning for Lateral-Movement-Based Threat Mitigation in Active Directory Attack Graphs. Electronics. 13(19). https://doi.org/10.3390/electronics13193944