
VECTRA POST-INTRUSION REPORT SHOWS CYBER ATTACKERS ARE GETTING QUIETER ONCE INSIDE THE NETWORK


Use of covert attack communications, other sophisticated techniques are on the rise

Vectra® Networks, the leader in automated threat management, today announced the results of its latest Post-Intrusion Report, a real-world study about threats that evade perimeter defenses and what attackers do once they get inside your network.

The report analysed data from 120 Vectra customer networks comprising more than 1.3 million hosts over the first quarter of 2016, a three-fold increase from the previous report, which analysed 40 customer organisations.

In the current report, all organisations showed signs of targeted attacks including internal reconnaissance, lateral movement or data exfiltration. Of the 120 participating organisations, 117 detected at least one of these behaviors during each month of the study.

Although nearly 98 per cent of organisations detected at least one behavior per month during the three-month period, researchers found that fewer detections were observed deeper in the kill chain. As an example, data exfiltration – which is by far the most dangerous behavior – was the lowest of all categories at 3 per cent.

“This data shows that security teams that are laser focused on the active phase of a network attack are successfully decreasing the risk of data theft,” said Günter Ollmann, CSO at Vectra Networks. “They are responding faster and shutting down attacks before critical data is extracted from their networks and any real damage is done.”

C&C techniques and hidden tunnels on the rise

Researchers found that not only are command-and-control (C&C) attacks increasing, accounting for 67 per cent of detections, but the use of HTTP and HTTPS C&C for hidden tunnels also made a significant jump this year.

HTTP and HTTPS C&C is an emerging technique that allows sophisticated attackers to pass hidden messages and steal data within protocols that are generally not blocked by perimeter firewalls.

Together, HTTP and HTTPS tunnels accounted for 7.6 per cent of all C&C detections, making them the third most-common C&C technique overall. This trend was consistent when normalising for the number of hosts monitored. Hidden C&C tunnels were observed 4.9 times per 1,000 hosts, which is up from 2.1 times per 1,000 hosts seen in the previous report.

Attackers opt for more discreet methods to spy inside the network

Lateral movement, which enables attackers to spread east-west across the network to gather information, dropped significantly from 34 per cent of total detections in 2015 to roughly 8.6 per cent of total detections this year.

However, once inside the network, attackers appear to be getting quieter. Of these lateral movement detections, brute force attacks – the most popular technique last year – are down significantly, while Kerberos client and automated replication behaviors increased over last year, tying at 36.3 per cent of lateral movement detections.

“Because brute force techniques are so noisy, more experienced and skilled attackers tend to try other access techniques first – preferably automatable techniques that are difficult to distinguish from normal network traffic and where failures are unlikely to be alerted upon,” said Ollmann.

“As an example, and demonstrated by our findings, public disclosures of Kerberos vulnerabilities and new attack tools that can automate exploitation are now part of the hackers’ arsenal,” he continued. “Once suitable Kerberos keys are created and administrative accounts are broken, the process of compromising other hosts in the victim’s network is simple and mechanical.”

Botnet monetisation trends

In the realm of botnet behaviors, click fraud remains the leading technique at 58.1 per cent. While botnet infections may pose a lower risk to organisations than a targeted attack, they are by no means risk free.

This year saw a proportional increase in denial-of-service, outbound brute force and port scanning. These botnet behaviors are important to enterprises as they can have significant impacts on the reputation of the network. Taken together, these detections represent 27 per cent of botnet events, more than double the 12 per cent that was previously observed.

A copy of the Post-Intrusion Report is available for download at http://info.vectranetworks.com/post-intrusion-report-2016.

Global Banking & Finance Review

 
