Malware getting smarter, stealthier once it breaches networks, Vectra analysis finds

Malicious actors are increasingly using the anonymous Tor network and external remote access tools to instigate targeted attacks that are growing in sophistication and complexity, a Vectra Networks analysis of internal traffic has shown.

The firm's June Post-Intrusion Report analysed internal monitoring of host-to-host traffic as well as traffic to and from the Internet, allowing the observation of malicious attacks at every phase.

Fully 100 percent of the 40 analysed firms' networks – including 248,198 hosts – showed one or more of the five indicators of a targeted attack, which Vectra outlined as characterising the various types of attack traffic to traverse internal networks.

These included command-and-control (C&C) communications, which accounted for 32 percent of the 46,610 total threats detected; botnet monetisation (18 percent), internal reconnaissance (13 percent), lateral movement (34 percent), and data exfiltration (3 percent).

Use of command-and-control (C&C) behaviours was “flat” compared with the previous year, the analysis showed, even as use of lateral movement techniques – including the internal spread of malware and authentication-based attacks such as the use of stolen passwords – was up 580 percent over the previous year and internal reconnaissance was up 270 percent.

This reflected malware that is increasingly active on victim networks once it has breached perimeter defences. Growing use of Tor and HTTPS-secured remote access services had displaced C&C traffic.

The lateral movement and reconnaissance detections were up “across the board”, the report warned, with some detections showing industry-specific correlations.

Lateral-movement activities were noted in 27 percent of technology firms and 20 percent of government firms, for example, compared with just 5 percent of media and 3 percent of services organisations.

C&C activity was most common in technology firms (43 percent), whereas just 1 percent of financial and services organisations experienced C&C type activity.

Technology firms were also orders of magnitude more likely to experience reconnaissance type activity, with 57 percent of reported activities falling into that category compared with just 4 percent in education and energy, 3 percent in engineering, and 2 percent in services.

“The marked increase in lateral movement and reconnaissance behaviours is particularly significant because these attack phases are strategic to the success of a targeted attack,” the report explains.

“These attacks require attackers to persist within a network and spread through the environment. Consequently, detecting the presence of internal reconnaissance and lateral movement represents one of the most important opportunities to mitigate these threats before assets are compromised.”

Deeper analysis of C&C behaviours showed that fake browser activity – used by malicious actors to blend in with legitimate traffic – was found in 36 percent of incidents, while suspect domain activity (25 percent), Tor activity (14 percent), and external remote access (13 percent) all ranked highly.


The use of Tor “makes it virtually impossible to track where traffic is going to or coming from,” the report notes. “Malware authors and attacks have been taking note of this advantage and using Tor more and more as part of their attack infrastructure.”

The report also broke down types of traffic in the other five indicators, with abnormal ad activity comprising 85 percent of botnet monetisation behaviours, brute-force attacks leading with 56 percent of lateral movement behaviours, and internal port scans found in 53 percent of reconnaissance behaviours. Data smuggler behaviour was the most common form of data exfiltration, observed in 36 percent of cases.
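As an added illustration, not code from Vectra or from the article, the two behaviours the report ranks highest inside the network (internal port scans and brute-force logons) can be surfaced from host-to-host telemetry with simple per-source thresholds. The records and the thresholds below are constructed; a real deployment would tune them to its own environment.

```python
from collections import defaultdict

# Constructed sample records (not real telemetry): (src, dst, dst_port, auth)
# auth is None for an ordinary flow, "fail"/"ok" for an authentication attempt.
SAMPLE_EVENTS = [
    # 10.0.0.5 sweeps many ports on two internal hosts: reconnaissance
    *[("10.0.0.5", "10.0.0.20", p, None) for p in (22, 80, 135, 139, 443, 445, 3389, 5985)],
    *[("10.0.0.5", "10.0.0.21", p, None) for p in (22, 445, 3389, 8080)],
    # 10.0.0.5 then repeats SMB logons against 10.0.0.21 until one succeeds
    *[("10.0.0.5", "10.0.0.21", 445, "fail") for _ in range(6)],
    ("10.0.0.5", "10.0.0.21", 445, "ok"),
    # 10.0.0.7 is an ordinary workstation: a few services, one good logon
    ("10.0.0.7", "10.0.0.20", 443, None),
    ("10.0.0.7", "10.0.0.20", 445, "ok"),
    ("10.0.0.7", "10.0.0.22", 80, None),
]


def detect_port_scans(events, min_ports=10):
    """Return {src: count} for sources touching >= min_ports distinct
    (internal host, port) pairs; the threshold is an assumed tuning value."""
    touched = defaultdict(set)
    for src, dst, port, _auth in events:
        touched[src].add((dst, port))
    return {src: len(pairs) for src, pairs in touched.items() if len(pairs) >= min_ports}


def detect_brute_force(events, min_failures=5):
    """Return {(src, dst): details} for pairs with >= min_failures failed
    logons, recording whether a success followed the failures (a guessed
    password is more urgent than a loud but unsuccessful attempt)."""
    failures = defaultdict(int)
    success_after = {}
    for src, dst, _port, auth in events:
        key = (src, dst)
        if auth == "fail":
            failures[key] += 1
        elif auth == "ok" and failures.get(key, 0) >= min_failures:
            success_after[key] = True
    return {
        key: {"failures": n, "success_after_failures": success_after.get(key, False)}
        for key, n in failures.items()
        if n >= min_failures
    }


if __name__ == "__main__":
    print("port scans:", detect_port_scans(SAMPLE_EVENTS))
    print("brute force:", detect_brute_force(SAMPLE_EVENTS))
```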

This article is brought to you by Enex TestLab, content directors for CSO Australia.
