A behind-the-scenes look at how cybercriminals carry out attacks inside enterprise networks

Chris Morales
June 14, 2017

Vectra AI last week published the 2017 Post-Intrusion Report, which covers the period from January through March. While there are plenty of threat research reports out there, this one offers unique insights about real-world cyber attacks against actual enterprise networks.

Most industry security reports either focus on statistics of known threats (exploits and malware families) or give a post-mortem look back at breaches that were successful. The first kind looks at threats that network perimeter defenses were able to block, and the second lists attacks that were missed entirely.

The Post-Intrusion Report offers first-hand analysis of active and persistent attacker behaviors inside the enterprise networks of Vectra customers. It takes a multidisciplinary approach that spans all strategic phases of the attack lifecycle.

By examining attacker behaviors inside enterprise networks, Vectra pinpointed where risk and exposure exist within an organization and identified strong indicators of potentially damaging breaches.

Vectra expanded the scope of analysis in its new report by tripling the number of participating customer organizations. Collectively, they consisted of more than 2 million hosts, twice the number of hosts in the previous report.

Perhaps what’s most significant is that Vectra AI reduced over 1.8 million different potential threat behaviors on those 2 million+ hosts down to just 62,000 hosts, with 3,720 hosts tagged as critical and 6,987 tagged as high, enabling security analysts to quickly mitigate the highest-risk threats.

There was a wide variance in the size of the networks analyzed, from the smallest, with a few hundred hosts, to the largest, with more than 300,000. To account for this variance, data was normalized to a network with 1,000 hosts, making it easier to compare the prevalence of threats in a network on a per-capita basis.

A host is defined as any device with an IP address, including IoT devices, smartphones, tablets, laptops, servers and workloads. For example, organizations had an average of 29 hosts with threat detections for every 1,000 hosts. This is a reduction from 841 security events detected per 1,000 hosts, representing a 29x reduction in the number of events requiring investigation and triage.

Vectra would like to thank the organizations that opted in to share metadata that was analyzed for this report. Overall, the trends represent an increase in detections and attacker behaviors, which is cause for concern.

The report also identifies cyber-attack trends related to different industries. Healthcare and education had the most attack behaviors, pointing to openness and exposure. Entertainment and healthcare had the widest range of attacker behaviors. Finance and technology had below-median detection rates due to strong policies and maturity.

In addition, the report explains real-world scenarios that occurred in the time covered. These include ransomware attacks, web applications exploited to exfiltrate gigabytes of data, and a noticeable upswing in IoT botnets.

One of the most underrated but common threats to enterprise organizations in the report is the unintentional insider threat. The accidental loss of key assets like intellectual property and personally identifiable information (PII) carries the same risk as a targeted attack.

Overall, the report points to a trend of increasing cyber-attack activity. As attackers automate and increase the efficiencies of their own technology, there is an urgent need to automate threat detection and incident response to stop attacks faster.

Cybersecurity is an ongoing exercise in operational efficiency. Organizations have limited resources to address unlimited risks, threats and attackers. Network security products must always be evaluated in terms of efficiency as well as their impact on the operational fitness of the organization.

At the same time, there is a global shortage of highly skilled cybersecurity professionals to handle detection and response at any reasonable speed. Consequently, the use of artificial intelligence is essential to augment existing cybersecurity teams so they can detect and respond to threats faster and stay well ahead of attackers.

These are just a few of the noteworthy trends in the report, and we encourage you to download and read the full report.

About the author

Chris Morales

Chris Morales is Head of Security Analytics at Vectra, where he advises and designs incident response and threat management programs for Fortune 500 enterprise clients. He has nearly two decades of information security experience in an array of cybersecurity consulting, sales, and research roles. Christopher is a widely respected expert on cybersecurity issues and technologies and has researched, written and presented numerous information security architecture programs and processes.
