DPI for Lateral Movement Detection

No organization is immune to malware. Malware enters networks in a variety of ways: email phishing, a compromised external drive, an infected personal device, an IT misconfiguration, or an as yet unknown exploit. Once inside, an attack typically progresses through the stages of the cyber kill chain: it performs early reconnaissance, establishes persistence, opens a channel to the outside world through a Command & Control server, and then begins a series of lateral movements (accessing resources, propagating to other hosts, escalating privileges, etc.) until it reaches its final goal of data exfiltration, data destruction, or a ransom demand.

The Cyber Kill Chain


Lateral Movement Generates Detectable Network Traffic

During the lateral movement phase, an attack generates distinctive network traffic as it moves between hosts and gathers the information it will later exfiltrate. This is the point at which it is most exposed to detection. Distinguishing these flows from legitimate traffic, however, means managing and analyzing very large volumes of data, a task often complicated by a high rate of false positives.


DPI is Highly Effective in Accurately Detecting Lateral Movement in Real-Time

Qosmos ixEngine, based on advanced DPI technology, analyzes traffic flows in real time, using an extensive library of over 3000 protocols and extracting up to 4500 application metadata attributes. This lets it separate abnormal use of the network mechanisms commonly leveraged for lateral movement, such as the following, from normal activity:

  • File shares
  • Remote desktop, VNC, TeamViewer, Ammyy Admin
  • Port scan
  • Windows Management Instrumentation (WMI)
  • Active Directory & admin shares
  • ARP spoofing

As a result, network-based lateral movement is detected quickly, allowing rapid containment and remediation. The same protocol information and metadata can also feed user behavior analysis and machine learning, and support mitigation at each stage of the kill chain, improving the effectiveness of security solutions.
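The list above names mechanisms, not verdicts: an SMB flow or an RDP session is only suspicious in context (which share, from which host, how many targets, how fast). The following added example, which is not Qosmos or ixEngine code, shows the kind of rules a detection engineer writes over protocol labels and metadata attributes once a DPI engine has produced them. The flow record layout, field names, sample values, thresholds and the allowlist of admin jump hosts are all assumptions constructed for the illustration.

```python
"""Flow-metadata rules for the lateral-movement patterns listed above.

Added example, not Qosmos or ixEngine code. It assumes a DPI engine exports one
record per flow carrying a protocol label and a few metadata attributes; the
record layout, field names and sample values below are constructed for the
illustration.
"""
import re
from collections import defaultdict

# Constructed sample flow records: (timestamp_s, src_ip, dst_ip, dst_port, protocol, metadata)
FLOWS = [
    # Ordinary workstation activity
    (100.0, "10.0.1.20", "10.0.2.5", 445, "smb", {"share": "Finance"}),
    (101.0, "10.0.1.20", "10.0.2.9", 443, "tls", {"sni": "intranet.example"}),
    # Host 10.0.1.77 mounts an admin share, runs WMI, fans out over RDP/TeamViewer...
    (200.0, "10.0.1.77", "10.0.2.5", 445, "smb", {"share": "ADMIN$"}),
    (201.0, "10.0.1.77", "10.0.2.5", 135, "wmi", {"op": "ExecMethod"}),
    (202.0, "10.0.1.77", "10.0.2.6", 3389, "rdp", {}),
    (203.0, "10.0.1.77", "10.0.2.7", 3389, "rdp", {}),
    (204.0, "10.0.1.77", "10.0.2.8", 5938, "teamviewer", {}),
] + [
    # ...and then sweeps 40 ports on one host in under half a second
    (210.0 + i * 0.01, "10.0.1.77", "10.0.2.10", port, "unknown", {})
    for i, port in enumerate(range(1, 41))
]

# Constructed ARP replies seen on the segment: (timestamp_s, claimed_ip, mac)
ARP_REPLIES = [
    (300.0, "10.0.2.1", "aa:bb:cc:00:00:01"),  # the real gateway
    (301.0, "10.0.2.1", "aa:bb:cc:00:00:01"),
    (302.0, "10.0.2.1", "de:ad:be:ef:00:77"),  # a second MAC now claims the gateway IP
]

HIDDEN_ADMIN_SHARE = re.compile(r"^(ADMIN\$|[A-Za-z]\$)$")   # ADMIN$, C$, D$ ...
REMOTE_CONTROL = {"rdp", "vnc", "teamviewer", "ammyy"}
JUMP_HOSTS = {"10.0.1.5"}  # assumed allowlist of sanctioned admin hosts


def admin_share_access(flows):
    """SMB flows that open a hidden administrative share (ADMIN$, C$, ...)."""
    return [(ts, src, dst, md["share"]) for ts, src, dst, _, proto, md in flows
            if proto == "smb" and HIDDEN_ADMIN_SHARE.match(md.get("share", ""))]


def remote_control_from_unexpected_host(flows, allowlist=JUMP_HOSTS):
    """Remote-desktop style sessions whose source is not a sanctioned admin host."""
    return sorted({(src, dst, proto) for _, src, dst, _, proto, _ in flows
                   if proto in REMOTE_CONTROL and src not in allowlist})


def wmi_sessions(flows):
    """Every flow the DPI engine classified as WMI; ordinary users rarely drive it host to host."""
    return [(ts, src, dst) for ts, src, dst, _, proto, _ in flows if proto == "wmi"]


def port_scans(flows, min_ports=20, window_s=10.0):
    """A source touching >= min_ports distinct ports on one host within window_s seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _, _ in flows:
        by_pair[(src, dst)].append((ts, port))
    alerts = []
    for (src, dst), hits in by_pair.items():
        hits.sort()
        lo = 0
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > window_s:   # slide the window start forward
                lo += 1
            distinct = {p for _, p in hits[lo:hi + 1]}
            if len(distinct) >= min_ports:
                alerts.append((src, dst, len(distinct)))
                break                                       # one alert per (src, dst) pair
    return alerts


def arp_conflicts(replies, window_s=60.0):
    """An IP answered by two different MACs within window_s: the classic ARP spoofing sign."""
    last_seen = defaultdict(dict)  # ip -> {mac: last timestamp}
    alerts = []
    for ts, ip, mac in replies:
        others = sorted(m for m, t in last_seen[ip].items() if m != mac and ts - t <= window_s)
        if others:
            alerts.append((ts, ip, mac, others))
        last_seen[ip][mac] = ts
    return alerts


def detect_lateral_movement(flows, replies):
    """Run every rule and return the alerts keyed by the mechanism from the list above."""
    return {
        "admin_shares": admin_share_access(flows),
        "remote_control": remote_control_from_unexpected_host(flows),
        "wmi": wmi_sessions(flows),
        "port_scan": port_scans(flows),
        "arp_spoofing": arp_conflicts(replies),
    }


if __name__ == "__main__":
    for mechanism, alerts in detect_lateral_movement(FLOWS, ARP_REPLIES).items():
        print(f"{mechanism}: {alerts}")
```

Run it as a script and only host 10.0.1.77 surfaces, once per mechanism, while the workstation's ordinary SMB and TLS traffic stays quiet. The two things that keep the false-positive rate down are the protocol label (a port-445 flow is only interesting once the engine has confirmed SMB and extracted the share name) and the context each rule adds on top: the allowlist for remote-control tools, the time window for the port sweep, and the MAC history for ARP. In practice the thresholds and the allowlist come from the site's own baseline, and the alerts feed a SIEM or UEBA rather than being acted on in isolation.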

