Identity protection provider Silverfort has announced the open source release of a lateral movement detection tool.
Called LATMA (Lateral Movement Analyzer), the tool was designed to collect authentication logs from domain and Active Directory (AD) environments and to deliver a report on the identified patterns.
The tool consists of two modules, namely a collector, which gathers logs from domain controllers and endpoints, and an analyzer, which outputs a report with diagrams, based on the collected logs.
LATMA, Silverfort says, has significantly improved its ability to detect lateral movement, providing a 95% accuracy in flagging suspicious behavior.
The tool’s collector module scans for NTLM authentication logs on domain controllers and for Kerberos authentication logs on endpoints, and harvests sign-in logs from Azure AD. For that, it requires specific port access and necessary permissions.
The analyzer module is fed the authentication data as a spreadsheet and starts searching for suspicious activity using a defined lateral movement algorithm.
LATMA, Silverfort explains, uses the collected information to build a graph representing the network, which depicts endpoints and authentication events. After analyzing the authentication patterns, it builds a sub-graph depicting the abnormal behavior, and generates alerts.
At first, LATMA monitors normal behavior of the users and machines, so it can differentiate between normal and suspicious behavior once the learning period has ended. No alerts are issued during this period.
The tool also generates indicators of compromise (IoCs) associated with the identified suspicious behavior, such as a user account that authenticates to multiple machines in a short period of time, or which authenticates from one machine to another, in sequence.
“LATMA generates an alert when at least two of these patterns happen in sequence. For example, if the attacker searches for a target machine to advance to and then successfully advances to it, the algorithm generates an alert,” Silverfort explains.