Surgical immunization strategies against lateral movement in Active Directory environments
Journal of Network and Computer Applications (IF 8.7). Pub Date: 2023-12-06. DOI: 10.1016/j.jnca.2023.103810
David Herranz-Oliveros, Ivan Marsa-Maestre, Jose Manuel Gimenez-Guzman, Marino Tejedor-Romero, Enrique de la Hoz

Lateral movement, in which a cyber attacker progresses through an enterprise network in order to compromise its most valuable assets, is a key stage of any intrusion nowadays. Therefore, being able to mitigate lateral movement, be it by slowing down attacker progress or by limiting its reach, is a top priority for enterprise cyber-defence. Due to the inherent complexity of enterprise networks, it is also a paramount challenge. This challenge becomes even more prominent if we take into account the high impact of deploying security countermeasures on the performance or functionality of the network. In this paper we model lateral movement as an infection process and propose a methodology to prioritize which network elements to protect for a more effective and efficient mitigation. To do this we rely on a graph model and graph theoretic metrics taken from epidemiology research, and apply them to the trust relationships in Microsoft Active Directory infrastructures. We propose selective immunization techniques which act as “surgical” countermeasures, by impacting a very reduced ratio of the nodes in the network. Experiments show that the selective immunization strategies we propose effectively mitigate infection spread in these settings while keeping the amount of immunized nodes at a minimum.
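To make the abstract's idea concrete, the following is an added example (not code from the paper or its authors) that models lateral movement as reachability over a small constructed Active Directory trust graph and compares two selective immunization strategies: classic epidemiological degree-based immunization and a greedy reach-reduction heuristic. The graph, the seed set of initially compromised workstations, and the choice of heuristics are assumptions for illustration; the paper's own metrics are not reproduced here.

```python
from collections import deque

# Constructed trust graph (assumption, not from the paper). A directed edge
# u -> v means that compromising u lets an attacker move laterally to v,
# e.g. u holds admin rights on v or a privileged session is cached on u.
TRUST_EDGES = {
    "ws1": ["srv-file"], "ws2": ["srv-file"], "ws3": ["srv-web"],
    "ws4": ["srv-hr"], "srv-file": ["srv-sql", "srv-web"],
    "srv-web": ["srv-sql"], "srv-sql": ["srv-backup", "dc1"],
    "srv-backup": ["dc1"], "srv-hr": ["dc1"], "dc1": [],
}
SEEDS = {"ws1", "ws2", "ws3", "ws4"}  # assumed initial-compromise hosts

def reach(graph, seeds, immunized=frozenset()):
    """Nodes an attacker starting at `seeds` can reach when `immunized`
    nodes are hardened (treated as non-traversable)."""
    seen, queue = set(), deque(s for s in seeds if s not in immunized)
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(m for m in graph.get(node, [])
                     if m not in immunized and m not in seen)
    return seen

def infection_ratio(graph, seeds, immunized=frozenset()):
    """Fraction of all nodes the infection can reach."""
    return len(reach(graph, seeds, immunized)) / len(graph)

def degree_immunize(graph, seeds, budget):
    """Epidemiology-style baseline: harden the highest-degree non-seed nodes."""
    degree = {n: len(graph[n]) for n in graph}
    for n in graph:
        for m in graph[n]:
            degree[m] += 1
    ranked = sorted((n for n in graph if n not in seeds),
                    key=lambda n: (-degree[n], n))
    return set(ranked[:budget])

def greedy_immunize(graph, seeds, budget):
    """Greedy heuristic (assumption): repeatedly harden the node whose
    removal shrinks the attacker's reachable set the most."""
    immunized = set()
    for _ in range(budget):
        base = len(reach(graph, seeds, frozenset(immunized)))
        best, best_gain = None, 0
        for cand in sorted(graph):
            if cand in immunized or cand in seeds:
                continue
            gain = base - len(reach(graph, seeds, frozenset(immunized | {cand})))
            if gain > best_gain:
                best, best_gain = cand, gain
        if best is None:
            break
        immunized.add(best)
    return immunized
```

On this constructed graph, hardening two nodes by degree still leaves dc1 reachable, while the greedy choice of two nodes cuts the domain controller off from every seed.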




Updated: 2023-12-06