# The epidemiology of lateral movement: exposures and countermeasures with network contagion models

**Authors:** Brian A. Powell

arXiv: 1903.07741 · 2019-08-27

## TL;DR

This paper models lateral movement in computer networks as a contagion process, using graph analysis to identify key vulnerabilities and evaluate countermeasures to prevent adversaries from spreading across systems.

## Contribution

It introduces a network contagion model for analyzing lateral movement, identifying critical accounts and systems, and assessing the impact of mitigations in real Windows networks.

## Key findings

- Disabling remote logins by local accounts substantially curtails lateral movement via reused local credentials.
- Preventing credentials from being cached on remote hosts curtails both lateral movement and privilege escalation, because fewer credentials are available to steal along a chain.
- Graph topology measures over the authentication graph identify three exposures: accounts with wide or far-reaching access, accounts with notable privilege-escalation liability, and "gatekeeper" systems on every path to critical assets.

## Abstract

An approach is developed for analyzing computer networks to identify systems and accounts that are at particular risk of compromise by an adversary seeking to move laterally through the network via authentication. The dynamics of the adversary are modeled as a contagion spreading across systems linked via authentication relationships derived from Administrator account access and active session data. The adversary is assumed to traverse the network via credential chaining, where the adversary steals credentials from one system, uses them to authenticate to another, and repeats the process. Graph topology measures are used to analyze different contagion models applied to a real Windows network for three primary exposures by identifying: accounts which, either individually or collectively, provide wide and far-reaching access to many systems across the network; accounts with notable privilege escalation liability; and "gatekeeper" systems through which the adversary must pass in order to reach critical assets. The approach can be used to test how different mitigations and countermeasures affect these exposures; for example, we find that disabling remote logins by local accounts and implementing protections that prevent the caching of credentials on remote hosts can substantially curtail lateral movement and privilege escalation.
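The contagion model the abstract describes, as an added example that is not the paper's own code or data: systems and accounts form a directed bipartite graph (host -> account where the account's credential is present on the host; account -> host where the account holds Administrator rights), and the adversary's spread is a breadth-first traversal of credential chaining. The estate, account names, session types and the two countermeasure switches (`deny_local_remote_logon`, `no_remote_caching`) are constructed assumptions for illustration; the code reports the first exposure (credential reach) and the third (gatekeeper systems) and compares reach under each mitigation. The second exposure, privilege-escalation liability, is not modeled here.

```python
from collections import deque

# Constructed sample data (not from the paper): a toy Windows estate.
# ADMIN_RIGHTS: account -> hosts where the account is a local Administrator.
# SESSIONS: host -> (account, logon type) whose credential is present on that host.
ADMIN_RIGHTS = {
    "CORP\\alice":         {"WS01", "WS02"},
    "WS01\\Administrator": {"WS01", "WS02", "WS03"},  # local account, password reused
    "CORP\\bob":           {"WS03", "FS01"},
    "CORP\\helpdesk":      {"WS01", "WS02", "WS03"},
    "CORP\\svc-backup":    {"FS01", "DC01"},
}
SESSIONS = {
    "WS01": [("CORP\\alice", "interactive"), ("WS01\\Administrator", "interactive")],
    "WS02": [("CORP\\helpdesk", "remote")],
    "WS03": [("CORP\\bob", "interactive")],
    "FS01": [("CORP\\svc-backup", "remote")],
    "DC01": [],
}
HOSTS = set(SESSIONS)
LOCAL_ACCOUNTS = {"WS01\\Administrator"}
CRITICAL = {"DC01"}


def build_graph(admin_rights, sessions, local_accounts,
                deny_local_remote_logon=False, no_remote_caching=False):
    """Directed bipartite authentication graph. The two flags are the assumed
    countermeasures: deny network logon to local accounts, and stop remote
    logons from leaving credentials on the target host."""
    g = {}
    for acct, hosts in admin_rights.items():
        g.setdefault(acct, set())
        home = acct.split("\\")[0]  # for a local account this is its own host
        for h in hosts:
            g.setdefault(h, set())
            if deny_local_remote_logon and acct in local_accounts and h != home:
                continue  # the local account can no longer authenticate over the network
            g[acct].add(h)
    for host, sess in sessions.items():
        g.setdefault(host, set())
        for acct, logon_type in sess:
            g.setdefault(acct, set())
            if no_remote_caching and logon_type == "remote":
                continue  # credential of a remote logon is not available to steal here
            g[host].add(acct)
    return g


def reach(g, start):
    """BFS contagion: everything compromised from `start` by credential chaining."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in g.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def hosts_reached(g, start, hosts=HOSTS):
    return reach(g, start) & hosts


def account_reach(g, accounts, hosts=HOSTS):
    """Exposure 1: hosts an adversary holding only this credential can eventually reach."""
    return {a: hosts_reached(g, a, hosts) for a in accounts}


def gatekeepers(g, start, critical, hosts=HOSTS):
    """Exposure 3: hosts whose removal cuts every chain from `start` to the critical assets."""
    if not critical & reach(g, start):
        return set()
    found = set()
    for h in hosts - {start} - critical:
        pruned = {n: {m for m in nb if m != h} for n, nb in g.items() if n != h}
        if not critical & reach(pruned, start):
            found.add(h)
    return found


if __name__ == "__main__":
    base = build_graph(ADMIN_RIGHTS, SESSIONS, LOCAL_ACCOUNTS)
    for acct, hs in sorted(account_reach(base, ADMIN_RIGHTS).items()):
        print(f"{acct:22s} reaches {len(hs)} hosts: {sorted(hs)}")
    print("gatekeepers to", sorted(CRITICAL), "from WS01:",
          sorted(gatekeepers(base, "WS01", CRITICAL)))
    for label, kw in [("baseline", {}),
                      ("deny local remote logon", {"deny_local_remote_logon": True}),
                      ("no remote caching", {"no_remote_caching": True}),
                      ("both", {"deny_local_remote_logon": True, "no_remote_caching": True})]:
        g = build_graph(ADMIN_RIGHTS, SESSIONS, LOCAL_ACCOUNTS, **kw)
        print(f"{label:24s} from WS01 -> {sorted(hosts_reached(g, 'WS01'))}")
```

In this constructed estate, `CORP\alice`, a plain workstation user, reaches every host by chaining through the reused local Administrator password and the help-desk session, which is the "far-reaching access" exposure in the abstract. Denying network logon to local accounts changes nothing on its own here because alice is also an Administrator on WS02; stopping remote logons from caching credentials cuts off DC01; applying both confines the adversary to two workstations. Real data would come from local-group membership and session enumeration rather than these literals.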

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1903.07741/full.md

## Figures

25 figures with captions in the complete paper: https://tomesphere.com/paper/1903.07741/full.md

## References

42 references — full list in the complete paper: https://tomesphere.com/paper/1903.07741/full.md

---
Source: https://tomesphere.com/paper/1903.07741