Cyberattack Detections from More Than 250 Vectra Customers

August 8, 2018
Vectra AI Security Research team
Cybersecurity
Recently, Vectra published the 2018 Black Hat Edition of the Attacker Behavior Industry Report, which covers the period from January through June 2018. While there are plenty of threat-research reports out there, this one offers unique insights about real-world cyberattacker behaviors found in cloud, data center and enterprise networks.

Most industry security reports focus on statistics of known threats, such as exploits and malware families, or provide a post-mortem of successful breaches. The first type of report addresses threats that network perimeter defenses were able to block, and the second lists attacks that were missed entirely.

This report reveals cyberattack detections and trends from a sample of over 250 opt-in enterprise customers using the AI-powered Vectra Cognito platform across nine different industries, including manufacturing.

The Cognito platform monitored network traffic from more than 4 million devices and workloads deployed in the customers' cloud, data center and enterprise environments, and collected enriched metadata from it. By analyzing this metadata, the Vectra Cognito platform detected hidden attacker behaviors and identified business risks, which enabled these organizations to avoid catastrophic data breaches.

The Vectra Attacker Behavior Industry Report takes a multidisciplinary approach that spans all strategic phases of the attack lifecycle. It presents data by industry, highlighting relevant differences between them. Key findings from the report include:

  • Across all industries, there was an average of 2,354 attacker behavior detections per 10,000 devices. This is a sharp increase in attacker behaviors over those reported in the RSA Edition of the Attacker Behavior Industry Report.
  • Overall, education had the most attacker behaviors, at 3,958 detections per 10,000 devices.
  • Energy (3,740 detections per 10,000 devices) and manufacturing (3,306 detections per 10,000 devices) displayed a large number of detections, primarily due to high levels of lateral movement activity in both industries. Energy and manufacturing are also large adopters of industrial IoT and have integrated IT/OT networks.
  • Command-and-control (C&C) activity in higher education exceeds every other industry at 2,143 detections per 10,000 devices, and it continues to persist at three times the industry average of 725 per 10,000 devices. These early attack indicators usually precede other stages and are often associated with opportunistic botnet behaviors in higher education.
  • The retail and healthcare industries have the lowest detection rates, with 1,190 and 1,361 detections per 10,000 devices, respectively.
  • Botnet activity occurs most often in higher education, with 183 detections per 10,000 devices, which is three times the industry average of 53 detections per 10,000 devices. These opportunistic attack behaviors leverage compromised devices for external gain, such as bitcoin mining or outbound spam.
  • Vectra customers achieved an average workload reduction of 36X for security analysts in the detection, triage, correlation and prioritization of security incidents, enabling them to focus on mitigating the compromised devices that pose the highest risk.
  • When detections are normalized per 10,000 devices and compared with the previous year, there is a sharp increase in every industry for C&C, reconnaissance, lateral movement and data exfiltration detections.

Cybersecurity is an ongoing exercise in operational efficiency. Organizations have limited resources to address unlimited risks, threats and attackers. Network security products must always be evaluated in terms of efficiency as well as their impact on the operational fitness of the organization.

At the same time, there is a global shortage of highly skilled cybersecurity professionals able to handle detection and response at any reasonable speed. Consequently, the use of AI is essential to augment existing cybersecurity teams so that they can detect and respond to threats faster and stay well ahead of attackers.

These are just a few of the noteworthy trends Vectra found, and we encourage you to download and read the full report.