Post-intrusion report shows cyber attackers are getting quieter once inside the network

Published: Friday, 22 April 2016 08:45

Vectra Networks has published the results of its latest Post-Intrusion Report, a real-world study about threats that evade perimeter defences / defences and what attackers do once they get inside the network.

The report analysed data from 120 Vectra customer networks comprised of more than 1.3 million hosts over the first quarter of 2016, a three-fold increase from the previous report that analysed 40 customer organizations.

In the current report, all organizations showed signs of targeted attacks including internal reconnaissance, lateral movement or data exfiltration. Of the 120 participating organizations, 117 detected at least one of these activities during each month of the study.

Despite that nearly 98 percent of organizations detected at least one activity per month during the three-month period, researchers found that fewer detections were observed deeper in the kill chain. As an example, data exfiltration – which is by far the most dangerous threat activity – was the lowest of all categories at 3 percent.

Command-and-control techniques and hidden tunnels on the rise

Researchers found that not only are command-and-control (C&C) attacks increasing, accounting for 67 percent of detections, but the use of HTTP and HTTPS C&C for hidden tunnels also made a significant jump this year.

HTTP and HTTPS C&C is an emerging technique that allows sophisticated attackers to pass hidden messages and steal data within protocols that are generally not blocked by perimeter firewalls.

Together, HTTP and HTTPS tunnels accounted for 7.6 percent of all C&C detections, making them the third most-common C&C technique overall. This trend was consistent when normalising for the number of hosts monitored. Hidden C&C tunnels were observed 4.9 times per 1,000 hosts, which is up from 2.1 times per 1,000 hosts seen in the previous report.

Attackers opt for more discreet methods to spy inside the network

Lateral movement, which enables attackers to spread from east to west to gather information, dropped significantly from 34 percent of total detections in 2015 to roughly 8.6 percent of total detections this year.

However, once inside the network, attackers appear to be getting quieter. Of these lateral movement detections, brute force attacks – the most popular technique last year – are down significantly, while Kerberos client and automated replication activities increased over last year, tying at 36.3 percent of lateral movement detections.

A copy of the Post-Intrusion Report is available for download at http://info.vectranetworks.com/post-intrusion-report-2016