
UC Berkeley Electronic Theses and Dissertations

Title: Thwarting Sophisticated Enterprise Attacks: Data-Driven Methods and Insights
Permalink: https://escholarship.org/uc/item/68b8p92j
Author: Ho, Grant
Publication Date: 2020
Peer reviewed | Thesis/dissertation

eScholarship.org, powered by the California Digital Library, University of California

Thwarting Sophisticated Enterprise Attacks: Data-Driven Methods and Insights

by Grant Ho

A dissertation submitted in partial satisfaction of the requirements for the degree of Doctor of Philosophy in Computer Science in the Graduate Division of the University of California, Berkeley

Committee in charge:
Professor Vern Paxson, Co-chair
Professor David Wagner, Co-chair
Professor David Bamman

Fall 2020

Copyright 2020 by Grant Ho

Abstract

Thwarting Sophisticated Enterprise Attacks: Data-Driven Methods and Insights
by Grant Ho
Doctor of Philosophy in Computer Science
University of California, Berkeley
Professor Vern Paxson, Co-chair
Professor David Wagner, Co-chair

This dissertation builds new defenses to thwart digital attacks on enterprises. Specifically, we develop a set of data-driven insights and methods that enable organizations to uncover and stymie three prominent enterprise attacks: spearphishing, lateral phishing, and lateral movement. For each of these threats, we present new conceptual models that deconstruct each attack into a set of fundamental actions that an attacker must perform in order to succeed, enabling organizations to more precisely search for signs of such malicious activity. The successful detection systems we construct based on these models highlight the value of decomposing and pursuing attacks along two facets: preventing attackers from gaining entry into an enterprise’s network and hunting for attacker activity within an organization’s internal environment.
Even with a clear specification of what to look for, uncovering sophisticated attacks has long eluded enterprises because such attacks give rise to a detection problem with two challenging constraints: an extreme class imbalance and a lack of ground truth. In particular, targeted enterprise attacks occur at a low rate, reflect the work of stealthy attackers (and thus frequently remain unknown and unlabeled), and transpire amidst a sea of anomalous-but-benign activity that inherently occurs within modern enterprise networks. This setting poses fundamental challenges to traditional machine learning methods, causing them to detect an insufficient number of attacks or produce an intractable volume of false positives. To overcome these challenges, we present a new approach to anomaly detection for security settings, specification-based anomaly detection, which we use to construct new detection algorithms for identifying rare attacks in large, unlabeled datasets. Combining these algorithms with the attack models we develop, we design and implement a set of detection systems that collectively form a defense-in-depth approach to unearthing and mitigating enterprise attacks. Through collaborations with three large organizations, we validate the efficacy and practicality of our approach. Given the ability of our systems to detect a wide range of attacks, the low volume of false positives they generate, and the real-world adoption of many of our ideas, this dissertation illustrates the utility and promise of a data-empowered approach to thwarting enterprise attacks.

Contents

Contents  i
1 Introduction  1

I Thwarting Attacks at an Enterprise’s Perimeter  7
2 Perimeter Defenses: Introduction and Related Work  8
2.1 Introduction  8
2.2 Related Work and Background  9
3 Detecting Credential Spearphishing Attacks  13
3.1 Introduction  13
3.2 Attack Taxonomy and Security Model  14
3.3 Datasets  17
3.4 Challenge: Diversity of Benign Behavior  19
3.5 Detector Design  22
3.6 Evaluation and Analysis  30
3.7 Discussion and Limitations  35
3.8 Chapter Summary  37

II Mitigating Attacker Activity within the Enterprise  38
4 Uncovering and Understanding Attacker Behavior within the Enterprise  39
4.1 Introduction  39
4.2 Related Work and Background  40
5 Detecting and Characterizing Lateral Phishing  44
5.1 Introduction  44
5.2 Background  46
5.3 Data  47
5.4 Detecting Lateral Phishing  51
5.5 Evaluation  53
5.6 Characterizing Lateral Phishing  57
5.7 Chapter Summary  70
6 Modeling and Detecting Lateral Movement Attacks  72
6.1 Introduction  72
6.2 Background  74
6.3 Data  76
6.4 Hopper: System Overview  77
6.5 Generating Causal Login Paths  81
6.6 Detection and Alerting  84
6.7 Evaluation  89
6.8 Chapter Summary  96

7 Conclusion and Future Directions  97
Bibliography  100

A Detecting Credential Spearphishing Attacks  111
A.1 Feature Vectors and Comparators per Sub-Detector  111
A.2 Preventative Interstitials  111
B Detecting and Characterizing Lateral Phishing  115
B.1 Detector Implementation and Evaluation Details  115
B.2 Additional Detection Approaches  116
B.3 Lateral Phishing: Additional Temporal Dynamics  120
B.4 Exploits Used in Lateral Phishing  124
B.5 Additional Figures  126
C Detecting Lateral Movement Attacks  129
C.1 Filtering Spurious Logins  129
C.2 Benign Movement Scenarios  130
C.3 Synthesizing Realistic Attacks  132
C.4 Additional Alert Details  135
C.5 Baseline Evaluation Details  136

Acknowledgments

A wonderful group of friends, colleagues, mentors, and family members have helped me do great work over the course of my Ph.D. and have filled these past few years with happy memories. I could not have been more blessed to have two outstanding advisors: Vern Paxson and David Wagner.
Like all good advisors, both of you provided abundant support and encouragement: from venting with me about Reviewer #2, to brainstorming how we should overcome a technical hurdle, to diving into a cool new finding, I left every one of our discussions with a sense of clarity and excitement. At the same time, you never shied away from constructively saying exactly what you thought, providing me with a fountain of sage advice, rebuttals to flawed approaches, and wonderful extensions to our ideas. Even though I did not heed all of your advice and suggestions (often to my detriment), I appreciate the freedom you gave me to chart my own course and uncover new results that sometimes surprised us all. When I become a professor, I know I will draw heavily from our advising relationship; and hopefully I can guide my students through an equally inspiring and enriching experience.

In addition to my formal advisors, I had the privilege to work with two other incredible mentors: Stefan Savage and Geoff Voelker. Working with the two of you during the second half of my Ph.D. was one of the best decisions I ever made in graduate school. I have grown tremendously from the technical feedback and career advice you both have provided. The animated discussions that I had with you and my advisors remain some of my favorite memories of graduate school and helped hone my taste for good research. Additionally, I want to thank Dan Boneh for serving as my first research mentor during my undergraduate years. Your enthusiasm for security and research, and the guidance you provided throughout our work, helped launch my research career. Collectively, the five of you have pushed me to become an ambitious researcher with a high standard for clarity, impact, and rigor.

Several additional faculty also provided me with support and insightful feedback over the course of my Ph.D. Dawn Song helped kick-start and refine my early work on IoT security with a number of valuable ideas and discussions about my early papers. Raluca Ada Popa gave me insights into new areas of crypto-systems research and warmly welcomed me into her group’s social and research events. Aside from his technical knowledge, Alex Snoeren is simply magical when it comes to travel logistics; thank you for answering my panicked airport phone call, after I missed an international flight by minutes, and helping me find a crazy multi-hop route that got me to my conference talk on time. I am also grateful to David Bamman and Joey Gonzalez for taking the time to serve on my dissertation committees, and for their helpful comments on my work.

All of my research benefited from the ideas and work of many colleagues and co-authors: Aashish Sharma, Asaf Cidon, Ashkan Hosseini, Chris Grier, Damon McCoy, Derek Leung, Devdatta Akhawe, Kurt Thomas, Lior Gavish, Lucas Ballard, Marco Schweighauser, Mayank Dhiman, Mobin Javed, Mohamed Ibrahim, Moheeb Rajab, Neil Shah, Niels Provos, and Pratyush Mishra. A special thank you to Neil, Ashkan, Derek, and Pratyush for giving me the opportunity to mentor and advise you during parts of your career.

Collaborations with industry have led to some of my most exciting research papers. One piece of advice I would give to other researchers is to seek out and work with industry colleagues whom you respect and who appreciate the value of research. Thank you to Aashish Sharma, Asaf Cidon, Brad Miller, Devdatta Akhawe, Lior Gavish, Lucas Ballard, Marco Schweighauser, Mayank Dhiman, Moheeb Rajab, and Niels Provos for providing me with invaluable connections to exciting work in industry. Beyond your technical contributions to the work we did, your help in advocating internally for our research created opportunities that may never have existed otherwise.

Thank you to the incredible administrators and staff at Berkeley: Angie Abbatecola, Jean Nguyen, Jon Kuroda, Lena Lau-Stewart, and Shirley Salanio. You guided me through a labyrinth of logistical hurdles and kept our infrastructure running; an extra big thank you to Angie and Lena for all of your help organizing a potpourri of seminars and social gatherings for the security group. Your generosity and time made my Ph.D. a fun and well-supported experience, and I know that is true for the broader security group at Berkeley as well.

When I was deciding where to go for graduate school, people often told me that my advisor relationship would be the most important part of my Ph.D.