Smiliotopoulos C, Kambourakis G, Kolias C. Detecting lateral movement: A systematic survey. Heliyon 2024;10:e26317. [PMID: 38404775; PMCID: PMC10884853; DOI: 10.1016/j.heliyon.2024.e26317]
Received: 10/14/2023; Revised: 01/25/2024; Accepted: 02/09/2024; Indexed: 02/27/2024.
Abstract
Within both the cyber kill chain and MITRE ATT&CK frameworks, Lateral Movement (LM) is defined as any activity that allows adversaries to progressively move deeper into a system in search of high-value assets. Although this timely subject has been studied in the cybersecurity literature to a significant degree, so far no work provides a comprehensive survey regarding the identification of LM mainly from an Intrusion Detection System (IDS) viewpoint. To cover this noticeable gap, this work provides a systematic, holistic overview of the topic, without neglecting new communication paradigms such as the Internet of Things (IoT). The survey part, spanning a time window of eight years and 53 articles, is split into three focus areas, namely Endpoint Detection and Response (EDR) schemes, machine learning oriented solutions, and graph-based strategies. On top of that, we bring to light interrelations, map the progress in this field over time, and offer key observations that may propel LM research forward.