Given the increasing number of ransomware attacks and security breaches targeting business networks, researchers have devised a dedicated security tool. Dubbed as “Hopper,” this security tool scans a network for lateral movement attacks.
About Hopper Security Tool
A team of academic researchers have developed the “Hopper” security tool for enterprises to prevent cyberattacks.
Specifically, the tool uses machine learning technology to detect lateral movements based on enterprise logs. For this, the tool graphs the logins on internal devices and detects suspicious sequences of logins to identify lateral movement.
Elaborating on this further, the researchers stated,
To understand the larger context of each login, Hopper employs an inference algorithm to identify the broader path(s) of movement that each login belongs to and the causal user responsible for performing a path’s logins. Hopper then leverages this path inference algorithm, in conjunction with a set of detection rules and a new anomaly scoring algorithm, to surface the login paths most likely to reflect lateral movement.
What makes this tool different from the typical present-day network scanners is that it has significantly fewer false positives.
While testing this tool during the study, Hopper gave less than 9 false alarms per day on average over a 15-month enterprise dataset, including more than 780 million internal login events. It also contained a red team lateral movement attack and 326 simulated attacks. Of these, Hopper successfully detected 309 attacks whilst generating 8 times fewer false alerts compared to the existing security tools.
While Hopper demonstrated decent performance, it does have some limitations that require vigilance from IT teams at enterprises.
At first, the tool may not be able to help if an attacker disguises or abuses a series of legitimate logins to access target systems. Secondly, any attacker vigilantly monitoring the frequently traveled login path to their target machine can bypass Hopper detection. Thirdly, any malicious intrusions via malware may also prove stealthy to Hopper, evading a check. Lastly, missing or incorrect login information may also lead to false negatives.