
Unraveling Network-Based Pivoting Maneuvers: Empirical Insights and Challenges

  • Conference paper
  • Published in: Digital Forensics and Cyber Crime (ICDF2C 2023)

Abstract

Pivoting is a sophisticated strategy employed by modern malware and Advanced Persistent Threats (APT) to complicate attack tracing and attribution. Detecting pivoting activities is of utmost importance in order to counter these threats effectively. In this study, we examined the detection of pivoting by analyzing network traffic data collected over a period of 10 days in a campus network. Through NetFlow monitoring, we initially identified potential pivoting candidates, which are traces in the network traffic that match known patterns. Subsequently, we conducted an in-depth analysis of these candidates and uncovered a significant number of false positives and benign pivoting-like patterns. To enhance investigation and understanding, we introduced a novel graph representation called a pivoting graph, which provides comprehensive visualization capabilities. Unfortunately, investigating pivoting candidates is highly dependent on the specific context and necessitates a strong understanding of the local environment. To address this challenge, we applied principal component analysis and clustering techniques to a diverse range of features. This allowed us to identify the most meaningful features for automated pivoting detection, eliminating the need for prior knowledge of the local environment.
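The workflow the abstract describes (matching NetFlow records against a known pivoting pattern, chaining the matches into a pivoting graph, then triaging the chains with features that need no knowledge of the local environment) as an added Python example; this is not code from the paper or its authors. The pattern used here (an inbound flow to a host followed by an outbound flow from that host to a third host while the inbound flow is still open), the flow records, and the `KNOWN_RELAYS` allowlist are all constructed assumptions, chosen to show both a multi-hop chain and a benign web-to-database relay that matches the same shape.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Minimal NetFlow-like record (constructed; real records carry many more fields)."""
    src: str
    dst: str
    dport: int
    start: float  # seconds, constructed timestamps
    end: float


# Constructed flow records, not real campus data.
FLOWS = [
    Flow("10.0.0.5", "10.0.0.10", 22, 100.0, 400.0),     # A -> B (SSH)
    Flow("10.0.0.10", "10.0.1.20", 22, 120.0, 380.0),    # B -> C while A->B is open
    Flow("10.0.1.20", "10.0.2.30", 445, 150.0, 300.0),   # C -> D while B->C is open
    Flow("10.0.0.7", "10.0.0.80", 80, 200.0, 201.0),     # client -> web server
    Flow("10.0.0.80", "10.0.0.90", 3306, 200.2, 200.5),  # web -> DB: benign relay shape
    Flow("10.0.0.9", "10.0.0.10", 22, 500.0, 510.0),     # arrives after B->C has closed
    Flow("10.0.0.10", "10.0.0.5", 443, 130.0, 135.0),    # B -> A: back to origin, not a pivot
]

# Hosts the local operator knows to be legitimate relays (assumed allowlist).
KNOWN_RELAYS = {"10.0.0.80"}


def pivoting_candidates(flows):
    """Pairs (f_in, f_out) where f_out leaves f_in's destination toward a third host
    while f_in is still open. Assumed pattern, not the paper's exact definition."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    pairs = []
    for f_in in flows:
        for f_out in by_src[f_in.dst]:
            if f_out.dst in (f_in.src, f_in.dst):      # must reach a third host
                continue
            if f_in.start <= f_out.start <= f_in.end:   # temporal overlap
                pairs.append((f_in, f_out))
    return pairs


def pivot_chains(flows):
    """Extend candidate pairs into maximal chains A->B->C->... (the pivoting graph paths)."""
    pairs = pivoting_candidates(flows)
    nxt = defaultdict(list)
    for f_in, f_out in pairs:
        nxt[f_in].append(f_out)
    heads = {f_in for f_in, _ in pairs} - {f_out for _, f_out in pairs}
    chains = []

    def walk(path):
        successors = [f for f in nxt[path[-1]] if f not in path]  # guard against cycles
        if not successors:
            chains.append(path)
            return
        for f in successors:
            walk(path + [f])

    for head in sorted(heads, key=lambda f: f.start):
        walk([head])
    return chains


def pivoting_graph(chains):
    """Edge set (src, dst, dport) and the set of hosts that act as pivots."""
    edges, pivots = set(), set()
    for chain in chains:
        edges.update((f.src, f.dst, f.dport) for f in chain)
        pivots.update(f.src for f in chain[1:])
    return edges, pivots


def chain_features(chain):
    """Context-free features of a chain, the kind one would feed to PCA/clustering."""
    return {
        "hops": len(chain),
        "same_service": len({f.dport for f in chain}) == 1,
        "span_s": max(f.end for f in chain) - min(f.start for f in chain),
    }


def triage(flows):
    """Keep chains whose pivot hosts are not all known relays; attach features."""
    kept = []
    for chain in pivot_chains(flows):
        pivots = {f.src for f in chain[1:]}
        if pivots <= KNOWN_RELAYS:      # benign pivoting-like pattern, needs local knowledge
            continue
        hosts = [f.src for f in chain] + [chain[-1].dst]
        kept.append((hosts, chain_features(chain)))
    return kept


if __name__ == "__main__":
    for hosts, feats in triage(FLOWS):
        print(" -> ".join(hosts), feats)
```

The allowlist step is exactly the context dependence the abstract points at: without it the web-to-database relay is reported alongside the three-hop chain, and the only thing separating them is knowledge of the local environment. The `chain_features` output is what a feature-based approach would use instead of that knowledge.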


Change history

  • 03 April 2024: A correction has been published.

Notes

  1. https://www.muni.cz/en.

  2. https://csirt.muni.cz/?lang=en.


Acknowledgment

This research was supported by project “MSCAfellow5_MUNI” (No. CZ.02.01.01/00/22_010/0003229). The authors would like to thank CSIRT-MU for providing access to real-world data.

Author information

Correspondence to Martin Husák.

Copyright information

© 2024 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper


Cite this paper

Husák, M., Yang, S.J., Khoury, J., Klisura, Đ., Bou-Harb, E. (2024). Unraveling Network-Based Pivoting Maneuvers: Empirical Insights and Challenges. In: Goel, S., Nunes de Souza, P.R. (eds) Digital Forensics and Cyber Crime. ICDF2C 2023. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 571. Springer, Cham. https://doi.org/10.1007/978-3-031-56583-0_9


  • DOI: https://doi.org/10.1007/978-3-031-56583-0_9


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-56582-3

  • Online ISBN: 978-3-031-56583-0

  • eBook Packages: Computer Science (R0)