SentinelOne, a pioneer in delivering autonomous AI-powered security for the endpoint, datacenter and cloud, today announced their Lateral Movement Detection Engine to identify and stop malicious actors from accessing further parts of a network. One of the most common tactics used by an attacker once infiltrating a network is to start to move laterally, hopping from machine to machine in an attempt to traverse the network for specific assets, or just as means to infect and gain persistence over multiple hosts. Lateral movement attempts will also often involve credentials scraping techniques to attempt to steal admin passwords or pass the ticket techniques to hop from machine to machine.
Lateral movement can also be attributed to two main causes: a live attacker traversing a network, or malicious code with automatic spreading abilities such as a worm. The techniques to perform lateral movements can include utilizing exploits such as the EternalBlue SMB exploit, using remote desktop protocols, using harvested credentials with tools/interfaces like Powershell and WMI, and executing code on a remote machine.
Given that the vast majority of the above techniques are fileless methods most traditional security controls have a hard time identifying an attacker or a piece of code moving within a network. The stealthy nature of these attacks make them highly efficient and lucrative for the attacker on one hand and can allow mass infections on the other hand.
SentinelOne’s Lateral Movement Detection engine utilizes the platform’s low-level monitoring to gain visibility into all machine operations, including the above script language and protocols. It is able to detect and mitigate lateral movement attacks in real time by building execution context in real time and applying Behavioral AI to identify the anomalies in the usage of these various techniques to move around on the network, preventing the spread of malware or a “roaming” attacker.
The type of detection and visibility offered by the SentinelOne Lateral Movement Detection is far superior to every other EDR tool out there and is integrated holistically for automated operation into our 2.0 platform – no configuration needed.
Watch the video below to see the Lateral Movement Engine in action. An infected machine will attempt to infect additional machines on the same network by utilizing ps.exe in order to make that infection happen. The video will show how a machine with the SentinelOne agent installed would detect and block this type of lateral movement attack from an infected machine. It will then show some of the information that SentinelOne provides about the attack such as information about the identified threat and the infected machine, the actual engine that blocked the attack, and an attack storyline that shows the visual forensics of the attack.
Last month, the SentinelOne Platform was deployed alongside an existing EDR tool on a prospect network, and within minutes of deployment, SentinelOne identified an attacker moving laterally in the network. Read the full incidence report to learn more about a real live case – from deployment to full mitigation. DOWNLOAD NOW.
Additional Resources:
- Learn more about SentinelOne’s Endpoint Protection Platform online or read the datasheet.
- Follow SentinelOne on Twitter and LinkedIn and Facebook.
About SentinelOne
SentinelOne is shaping the future of endpoint security with an integrated platform that unifies the detection, prevention and remediation of threats initiated by nation states, terrorists, and organized crime. SentinelOne’s unique approach is based on deep inspection of all system processes combined with innovative machine learning to quickly isolate malicious behaviours, protecting devices against advanced, targeted threats in real time. SentinelOne was formed by an elite team of cyber security and defence experts from IBM, Intel, Check Point Software Technologies, Cylance, McAfee, and Palo Alto Networks.