New Post-Intrusion Report Shows Surge in Indicators of Cyber Attackers Spreading throughout Networks
Vectra Networks, the leader in real-time detection of cyber attacks in-progress, today announced the results of the second edition of its Post-Intrusion Report, a real-world study about threats that evade perimeter defenses and what attackers do once they get inside your network.
Report data was collected over six months from 40 customer and prospect networks with more than 250,000 hosts, and is compared to results in last year’s report. The new report includes detections from all phases of a cyber attack and exposes trends in malware behavior, attacker communication techniques, internal reconnaissance, lateral movement, and data exfiltration.
According to the report, lateral movement (580 percent) and reconnaissance (270 percent) detections grew non-linearly, far outpacing the 97 percent increase in overall detections compared to last year. These behaviors are significant because they are the work of attackers who have already penetrated the security perimeter and are moving toward specific targets inside the network.
While command-and-control communication showed the least amount of growth (6 percent), high-risk Tor and external remote access detections grew significantly. In the new report, Tor detections jumped by more than 1000 percent compared to last year and accounted for 14 percent of all command-and-control traffic, while external remote access shot up by 183 percent over last year.
The report is the first to study hidden tunnels without decrypting SSL traffic, by applying data science to the metadata of network traffic. A comparison of hidden tunnels in encrypted versus clear traffic shows that HTTPS is favored over HTTP, indicating attackers’ preference for encryption to hide their communications.
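The practical point behind that finding is that TLS hides the content of a tunnel but not its shape: connection timestamps and byte counts are visible on the wire whether the tunnel rides HTTP or HTTPS. The following is an added example, not code from the report or from Vectra, of a metadata-only heuristic that flags a destination receiving many connections at a regular cadence with consistently sized outbound messages. The connection records, the destination addresses, the features (coefficient of variation of inter-arrival gaps and of outbound bytes) and the thresholds are all this example's own assumptions.

```python
"""Metadata-only hidden-tunnel heuristic (added example, not Vectra's method).

Works on per-connection records of the form
    (unix_time, dst_ip, dst_port, bytes_out, bytes_in)
and never looks at payload, so it behaves the same for port 80 and 443.
"""
import statistics
from collections import defaultdict


def make_samples():
    """Constructed sample traffic from one internal host to two external IPs."""
    # A tunnel/beacon: 40 TLS connections roughly every 60 s, small and
    # near-identical outbound sizes. Addresses are from documentation ranges.
    beacon = [
        (1_700_000_000 + 60 * i + (i % 3), "203.0.113.7", 443, 512 + 16 * (i % 2), 1024)
        for i in range(40)
    ]
    # Ordinary browsing: irregular gaps and widely varying request sizes.
    gaps = [3, 47, 2, 120, 5, 1, 300, 8, 15, 60, 2, 240, 1, 90, 33, 4, 500, 7, 12, 2, 75, 18]
    sizes = [420, 2100, 830, 15000, 610, 980, 3300, 510, 7200, 640, 1900, 450,
             12000, 720, 2600, 880, 5100, 430, 1500, 9800, 660, 3900, 1200]
    browsing, t = [], 1_700_000_000
    for gap, size in zip([0] + gaps, sizes):
        t += gap
        browsing.append((t, "198.51.100.20", 443, size, size * 9))
    return beacon + browsing


def _cv(values):
    """Coefficient of variation (stdev / mean); low means very regular."""
    mean = statistics.fmean(values)
    return statistics.stdev(values) / mean if mean else float("inf")


def tunnel_candidates(records, min_conns=20, max_cv=0.2):
    """Return destinations whose connection cadence and outbound sizes are
    both suspiciously regular. Thresholds are arbitrary assumptions."""
    by_dst = defaultdict(list)
    for ts, dst, _dport, bytes_out, _bytes_in in records:
        by_dst[dst].append((ts, bytes_out))
    flagged = []
    for dst, conns in by_dst.items():
        if len(conns) < min_conns:      # too few connections to judge regularity
            continue
        conns.sort()
        gaps = [b[0] - a[0] for a, b in zip(conns, conns[1:])]
        sizes = [c[1] for c in conns]
        if _cv(gaps) <= max_cv and _cv(sizes) <= max_cv:
            flagged.append(dst)
    return sorted(flagged)


if __name__ == "__main__":
    print(tunnel_candidates(make_samples()))
```

Because the features are timing and volume only, this check does not need a TLS-intercepting proxy; the trade-off is that a tunnel with deliberately jittered timing and padded message sizes will lower its regularity below any fixed threshold, which is why production detectors combine several such signals rather than relying on one.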
“The increase in lateral movement and reconnaissance detections shows that attempts at pulling off targeted attacks continue to be on the rise,” said Oliver Tavakoli, Vectra Networks CTO. “The attackers’ batting average hasn’t changed much, but more at-bats invariably has translated into more hits.”
A copy of the Post-Intrusion Report is available for download at info.vectranetworks.com/post-intrusion-report-2015.
Other key findings of the study include:
- Botnet monetization behavior grew linearly compared to last year’s report. Ad click-fraud was the most commonly observed botnet monetization behavior, representing 85 percent of all botnet detections.
- Within the category of lateral movement detections, brute-force attacks accounted for 56 percent, automated replication accounted for 22 percent, and Kerberos-based attacks accounted for 16 percent. Although only the third most frequent detection, Kerberos-based attacks grew non-linearly by 400 percent compared to last year.
- Of internal reconnaissance detections, port scans represented 53 percent while darknet scans (probes of internal address space where no host is allocated) represented 47 percent, which is fairly consistent with behavior detected last year.
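To make the two internal-reconnaissance categories above concrete, here is an added example, not the report's or Vectra's detection logic, that classifies constructed internal flow records into port scans (one source probing many ports on a host) and darknet scans (one source touching many addresses with no allocated host). The flow records, the inventory of live hosts, the addresses and the thresholds are this example's own assumptions.

```python
"""Toy internal-reconnaissance classifier (added example, not Vectra's logic).

Input flows are (src_ip, dst_ip, dst_port) tuples from internal traffic.
'Darknet' is taken to mean internal addresses absent from the live-host
inventory, which is assumed to be known from DHCP/ARP data.
"""
from collections import defaultdict

# Constructed inventory of allocated internal hosts (assumption).
LIVE_HOSTS = {"10.0.1.15", "10.0.1.20", "10.0.1.30", "10.0.2.10", "10.0.2.11"}


def make_flows():
    """Constructed sample: one scanner of each kind plus a normal host."""
    flows = []
    # 10.0.1.15 probes 40 ports on one live server: a port scan.
    flows += [("10.0.1.15", "10.0.2.10", p) for p in range(1, 41)]
    # 10.0.1.20 tries SMB on 15 addresses nobody is assigned: a darknet scan.
    flows += [("10.0.1.20", f"10.0.9.{h}", 445) for h in range(1, 16)]
    # 10.0.1.30 talks to two live servers on their usual ports: benign.
    flows += [("10.0.1.30", "10.0.2.10", 443)] * 5
    flows += [("10.0.1.30", "10.0.2.11", 445)] * 3
    return flows


def classify_recon(flows, live_hosts, min_ports=20, min_dark_hosts=10):
    """Map each source IP to the reconnaissance behaviours it exhibits.

    Returns {src: [("port_scan", [dst, ...]), ("darknet_scan", n_dark_hosts)]}
    with only the behaviours that crossed their (arbitrary) thresholds.
    """
    ports = defaultdict(lambda: defaultdict(set))   # src -> dst -> {dst_port}
    dark = defaultdict(set)                         # src -> {unallocated dst}
    for src, dst, dport in flows:
        ports[src][dst].add(dport)
        if dst not in live_hosts:
            dark[src].add(dst)

    findings = {}
    for src in sorted(ports):
        hits = []
        scanned = sorted(d for d, ps in ports[src].items() if len(ps) >= min_ports)
        if scanned:
            hits.append(("port_scan", scanned))
        if len(dark[src]) >= min_dark_hosts:
            hits.append(("darknet_scan", len(dark[src])))
        if hits:
            findings[src] = hits
    return findings


if __name__ == "__main__":
    for src, hits in classify_recon(make_flows(), LIVE_HOSTS).items():
        print(src, hits)
```

The two signals are deliberately independent: a host sweeping one port across empty address space never trips the port-scan rule, and a host enumerating services on a single live server never trips the darknet rule, which mirrors why the report counts them as separate detection types. In a real network the live-host inventory goes stale, so a darknet rule needs a grace period for newly provisioned addresses to avoid flagging legitimate discovery by management tools.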
The data in the Post-Intrusion Report is based on metadata from Vectra customers and prospects who opted to share detection metrics from their production networks. Vectra identifies active threats by monitoring network traffic on the wire in these environments. Internal host-to-host traffic and traffic to and from the Internet are monitored to ensure visibility and context of all phases of an attack.
The latest report offers a first-hand analysis of active “in situ” network threats that bypass next-generation firewalls, intrusion prevention systems, malware sandboxes, host-based security solutions, and other enterprise defenses. The study includes data from 40 organizations in education, energy, engineering, financial services, government, healthcare, legal, media, retail, services, and technology.
About Vectra Networks
Vectra Networks™ is the leader in real-time detection of in-progress cyber attacks. The company’s automated threat-management solution continuously monitors internal network traffic to pinpoint cyber attacks as they happen. It then automatically correlates threats against hosts that are under attack and provides unique context about what attackers are doing so organizations can quickly prevent or mitigate loss. Vectra prioritizes attacks that pose the greatest business risk, enabling organizations to make rapid decisions on where to focus time and resources. In 2015, Gartner named Vectra a Cool Vendor in Security Intelligence for addressing the challenges of post-breach threat detection. Vectra’s investors include Khosla Ventures, Accel Partners, IA Ventures and AME Cloud Ventures. The company’s headquarters are in San Jose, Calif., and it has European operations in Zurich. More information can be found at www.vectranetworks.com.
Vectra Networks and Threat Certainty Index are registered trademarks of Vectra Networks in the United States and other countries. All other brands, products, or service names are or may be trademarks or service marks of their respective owners.