Cyberattack detections from more than 250 Vectra customers with over 4 million devices and workloads

Chris Morales
August 8, 2018

Recently, Vectra published the 2018 Black Hat Edition of the Attacker Behavior Industry Report, which covers the period from January through June 2018. While there are plenty of threat-research reports out there, this one offers unique insights about real-world cyberattacker behaviors found in cloud, data center and enterprise networks.

Most industry security reports focus on statistics of known threats, such as exploits and malware families, or provide a post-mortem of successful breaches. The first type of report addresses threats that network perimeter defenses were able to block, and the second lists attacks that were missed entirely.

This report reveals cyberattack detections and trends from a sample of over 250 opt-in enterprise customers using the AI-powered Vectra Cognito platform across nine different industries, including manufacturing.

The Cognito platform monitored and collected enriched metadata from network traffic supporting more than 4 million devices and workloads deployed in customers' cloud, data center and enterprise environments. By analyzing this metadata, the Vectra Cognito platform detected hidden attacker behaviors and identified business risks, enabling these organizations to avoid catastrophic data breaches.

The Vectra Attacker Behavior Industry Report takes a multidisciplinary approach that spans all strategic phases of the attack lifecycle. It presents data by specific industries that highlight relevant differences between them. Key findings from the report include:

  • Across all industries, there was an average of 2,354 attacker behavior detections per 10,000 devices. This is a sharp increase in attacker behaviors from those reported in the RSA Edition of the Attacker Behavior Industry Report.
  • Overall, education had the most attacker behaviors, at 3,958 detections per 10,000 devices.
  • Energy (3,740 detections per 10,000 devices) and manufacturing (3,306 detections per 10,000 devices) displayed a large amount of detections primarily due to high levels of lateral movement activity in both industries. Energy and manufacturing are also large adopters of industrial IoT and have integrated IT/OT networks.
  • Command-and-control (C&C) activity in higher education exceeds every other industry at 2,143 detections per 10,000 devices, and it persists at three times the industry average of 725 per 10,000 devices. These early attack indicators usually precede other stages and are often associated with opportunistic botnet behaviors in higher education.
  • The retail and healthcare industries have the lowest detection rates, with 1,190 and 1,361 detections per 10,000 devices, respectively.
  • Botnet activity occurs most often in higher education, with 183 detections per 10,000 devices, which is three times the industry average of 53 detections per 10,000 devices. These opportunistic attack behaviors leverage compromised devices for external gain, such as bitcoin mining or outbound spam.
  • Vectra customers achieved an average workload reduction of 36X for security analysts in detection, triage, correlation and prioritization of security incidents, enabling them to focus on mitigating compromised devices that pose the highest risk.
  • When detections are normalized per 10,000 devices and compared to the previous year, there is a sharp increase in every industry for C&C, reconnaissance, lateral movement and data exfiltration detections.

Cybersecurity is an ongoing exercise in operational efficiency. Organizations have limited resources to address unlimited risks, threats and attackers. Network security products must always be evaluated in terms of efficiency as well as their impact on the operational fitness of the organization.

At the same time, there is a global shortage of highly skilled cybersecurity professionals to handle detection and response at any reasonable speed. Consequently, the use of AI is essential to augment existing cybersecurity teams so that they can detect and respond to threats faster and stay well ahead of attackers.

These are just a few of the noteworthy trends Vectra found, and we encourage you to download and read the full report.

About the author

Chris Morales

Chris Morales is Head of Security Analytics at Vectra, where he advises and designs incident response and threat management programs for Fortune 500 enterprise clients. He has nearly two decades of information security experience in an array of cybersecurity consulting, sales, and research roles. Christopher is a widely respected expert on cybersecurity issues and technologies and has researched, written and presented numerous information security architecture programs and processes.
