The epidemiology of lateral movement: exposures and countermeasures with network contagion models

An approach is developed for analyzing computer networks to identify systems and accounts that are at particular risk of compromise by an adversary seeking to move laterally through the network via authentication. The dynamics of the adversary are modeled as a contagion spreading across systems linked via authentication relationships derived from Administrator account access and active session data. The adversary is assumed to traverse the network via credential chaining, where the adversary steals credentials from one system, uses them to authenticate to another, and repeats the process. Graph topology measures are used to analyze different contagion models applied to a real Windows network for three primary exposures by identifying: accounts which, either individually or collectively, provide wide and far-reaching access to many systems across the network; accounts with notable privilege escalation liability; and "gatekeeper" systems through which the adversary must pass in order to reach critical assets. The approach can be used to test how different mitigations and countermeasures affect these exposures; for example, we find that disabling remote logins by local accounts and implementing protections that prevent the caching of credentials on remote hosts can substantially curtail lateral movement and privilege escalation.