Hopper: A Tool Developed at Dropbox to Detect Lateral Movement Attacks


Hopper, a tool developed by Dropbox, UC Berkeley, and other organizations, offers a different approach to spotting hostile activity in corporate networks. It examines an organization's login records for indicators of lateral movement attacks. The tool has two main components: a causality engine that tracks login paths, and a scoring algorithm that determines which login paths show the features of a lateral movement attack.

Dropbox, Inc., is an American corporation based in San Francisco, California. It offers cloud storage, file synchronization, personal cloud, and client software services. Dropbox organizes files into a single location on the user's computer by generating a dedicated folder. The contents of this folder are synchronized with Dropbox's servers as well as with other computers and devices on which the user has installed Dropbox, ensuring that all devices have the same files.

Many data breaches and security incidents in businesses begin with the compromise of an ordinary device or a low-privileged user account. As attackers succeed, they gain access to increasingly important systems and resources by moving beyond their initial point of entry to other workstations and administrator-level user accounts. This is referred to as "lateral movement," and it is a warning sign of an impending security disaster.

It is difficult to tell the difference between typical user activity and malicious lateral movement. Detecting it has traditionally required writing precise network activity rules or using anomaly detection methods. “Unfortunately, the scale of modern enterprises inherently produces large numbers of anomalous-but-benign logins, causing traditional anomaly detection to generate too many false alarms,” the researchers explain.

Hopper was created with the understanding that lateral movement attacks have two distinct characteristics: attackers want to gain access to a server that their original victim cannot reach, and they need to take over privileged accounts, such as those of sysadmins, to do so. By filtering and reviewing login paths against these two characteristics, Hopper can identify which activity requires further investigation.
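To make the two-stage idea concrete, here is an added illustration written for this article (it is not Hopper's own code and is not affiliated with the paper or with Dropbox): logins are chained into causal paths, and a path is flagged only when it both switches to a different account and ends on a host the originating user is not known to access. The login records, host names, accounts, and the access baseline are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed login records (time, source host, destination host, account).
# Illustrative only; not data from Dropbox or from the Hopper paper.
LOGINS = [
    (datetime(2024, 1, 1, 9, 0), "laptop-alice", "fileserver", "alice"),
    (datetime(2024, 1, 1, 9, 5), "fileserver", "build-01", "alice"),      # same user, routine hosts
    (datetime(2024, 1, 1, 10, 0), "laptop-bob", "jump-01", "bob"),
    (datetime(2024, 1, 1, 10, 7), "jump-01", "db-admin-01", "svc-admin"),  # new account, new host
]

# Hosts each account is known to reach in normal operation (constructed baseline).
KNOWN_ACCESS = {
    "alice": {"fileserver", "build-01"},
    "bob": {"jump-01"},
    "svc-admin": {"db-admin-01"},
}

def build_paths(logins, window=timedelta(hours=1)):
    """Causality step: a login continues an earlier one when it originates from
    that login's destination host within `window`. Returns every path found."""
    logins = sorted(logins, key=lambda e: e[0])
    paths = []

    def extend(path):
        paths.append(path)
        last_t, _, last_dst, _ = path[-1]
        for nxt in logins:
            # Strictly later timestamps mean the recursion cannot cycle.
            if nxt[1] == last_dst and last_t < nxt[0] <= last_t + window:
                extend(path + [nxt])

    for event in logins:
        extend([event])
    return paths

def suspicious_paths(paths, known_access):
    """Scoring step: flag multi-hop paths showing both traits named in the
    article: an account switch, and a final host new to the originating user."""
    flagged = []
    for path in paths:
        if len(path) < 2:
            continue
        origin_user, final_dst = path[0][3], path[-1][2]
        switched_account = any(rec[3] != origin_user for rec in path)
        new_access = final_dst not in known_access.get(origin_user, set())
        if switched_account and new_access:
            flagged.append(path)
    return flagged
```

On the sample above, alice's two-hop path is left alone (same account, known hosts), while bob's path through jump-01 to db-admin-01 under svc-admin is the single flagged result.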

Hopper was evaluated on 15 months of data from Dropbox's enterprise network, comprising more than 780 million login events and 326 simulated red team attacks. The tool detected 94.5% of the attacks, while other lateral movement detection techniques produced eight times more false alarms.
