Vectra Post-Intrusion Report Shows Cyber Attackers Are Getting Quieter Inside Networks

April 20, 2016

Vectra® Networks, the leader in automated threat management, today announced the results of its latest Post-Intrusion Report, a real-world study about threats that evade perimeter defenses and what attackers do once they get inside your network.

The report analyzed data from 120 Vectra customer networks comprising more than 1.3 million hosts over the first quarter of 2016, a three-fold increase from the previous report, which analyzed 40 customer organizations.

In the current report, all organizations showed signs of targeted attacks including internal reconnaissance, lateral movement or data exfiltration. Of the 120 participating organizations, 117 detected at least one of these behaviors during each month of the study.

Although nearly 98 percent of organizations detected at least one behavior per month during the three-month period, researchers found that fewer detections were observed deeper in the kill chain. As an example, data exfiltration – which is by far the most dangerous behavior – was the lowest of all categories at 3 percent.

“This data shows that security teams that are laser focused on the active phase of a network attack are successfully decreasing the risk of data theft,” said Günter Ollmann, CSO at Vectra Networks. “They are responding faster and shutting down attacks before critical data is extracted from their networks and any real damage is done.”

C&C techniques and hidden tunnels on the rise

Researchers found that not only are command-and-control (C&C) attacks increasing, accounting for 67 percent of detections, but the use of HTTP and HTTPS C&C for hidden tunnels also made a significant jump this year.

HTTP and HTTPS C&C is an emerging technique that allows sophisticated attackers to pass hidden messages and steal data within protocols that are generally not blocked by perimeter firewalls.

Together, HTTP and HTTPS tunnels accounted for 7.6 percent of all C&C detections, making them the third most-common C&C technique overall. This trend was consistent when normalizing for the number of hosts monitored. Hidden C&C tunnels were observed 4.9 times per 1,000 hosts, which is up from 2.1 times per 1,000 hosts seen in the previous report.

Attackers opt for more discreet methods to spy inside the network

Lateral movement, which enables attackers to spread from east to west to gather information, dropped significantly from 34 percent of total detections in 2015 to roughly 8.6 percent of total detections this year.

However, once inside the network, attackers appear to be getting quieter. Of these lateral movement detections, brute force attacks – the most popular technique last year – are down significantly, while Kerberos client and automated replication behaviors increased over last year, tying at 36.3 percent of lateral movement detections.

“Because brute force techniques are so noisy, more experienced and skilled attackers tend to try other access techniques first – preferably automatable techniques that are difficult to distinguish from normal network traffic and where failures are unlikely to be alerted upon,” said Ollmann.

“As an example, and demonstrated by our findings, public disclosures of Kerberos vulnerabilities and new attack tools that can automate exploitation are now part of the hackers’ arsenal,” he continued. “Once suitable Kerberos keys are created and administrative accounts are broken, the process of compromising other hosts in the victim’s network is simple and mechanical.”

Botnet monetization trends

In the realm of botnet behaviors, click fraud remains the leading technique at 58.1 percent. While botnet infections may pose a lower risk to organizations than a targeted attack, they are by no means risk free.

This year saw a proportional increase in denial-of-service, outbound brute force and port scanning. These botnet behaviors are important to enterprises as they can have significant impacts on the reputation of the network. Taken together, these detections represent 27 percent of botnet events, more than double the 12 percent that was previously observed.

A copy of the Post-Intrusion Report is available for download at

About Vectra Networks

Vectra® Networks is the leader in automated threat management solutions for real-time detection of in-progress cyber attacks. The company’s solution automatically correlates threats against hosts that are under attack and provides unique context about what attackers are doing so organizations can quickly prevent or mitigate loss. Vectra prioritizes attacks that pose the greatest business risk, enabling organizations to make rapid decisions on where to focus time and resources. In 2015, Gartner named Vectra a Cool Vendor in Security Intelligence for addressing the challenges of post-breach threat detection. The American Business Awards also selected Vectra as the Gold Award winner for Tech Startup of 2015. Vectra investors include Khosla Ventures, Accel Partners, IA Ventures, AME Cloud Ventures and DAG Ventures. The company’s headquarters are in San Jose, Calif., and it has European regional headquarters in Zurich, Switzerland. More information can be found at


Vectra and the Vectra Networks logo are registered trademarks and Security that thinks, the Vectra Threat Labs, and the Threat Certainty Index are trademarks of Vectra Networks. Other brand, product and service names are trademarks, registered trademarks or service marks of their respective holders.
