Report: Every company is compromised, but most infections not yet at critical stage

In a recent analysis of a quarter million endpoint devices in 40 enterprises, every single corporate network showed evidence of a targeted intrusion but most of the activity was not yet at the most-dangerous data exfiltration stage.

"No matter how small the network we looked at, no matter what industry, we always found some indicators of a targeted attack," said Wade Williamson, director of product marketing at Vectra Networks.

The company offers network monitoring technology that looks for traces of behaviors that indicate malicious activity. This is Vectra's second edition of its post-intrusion report, and it includes nearly twice as many companies as the previous report. The companies analyzed range from mid-sized firms with fewer than 1,000 users up to large companies with 50,000 users or more, and include both existing Vectra customers and prospects getting this kind of scan for the first time.

According to Williamson, what the report shows is that every single network has some threats that sneak by perimeter defenses.

Vectra classifies these threats into behavioral categories.

The first phase, which accounts for 32 percent of the detected threats, is the command and control phase, where the attackers are just starting to get their first foothold, and the infections communicate back to their controllers.

Not all of this activity is automated.

"A lot of times, you need to put real fingers on keyboards as you're in the process of digging deeper into the network," said Williamson. "Maybe I grabbed some user credentials, can I log into this system or that system. I'm directing the attack."

After this point, the attack can progress in a couple of different ways.

One is to set up a botnet. According to Vectra, 18 percent of the active identified threats are engaged in this type of behavior. The vast majority of these, 85 percent, were engaged in click fraud, 5 percent were used for brute-force attacks against other targets, and 4 percent for outbound denial-of-service attacks.

Another path for attacks is to progress further into the enterprise. For these attacks, the next stage is reconnaissance, which accounts for 13 percent of threat activity, followed by lateral movement, which accounts for 34 percent of activity.

The majority of lateral movement activity, 56 percent, consists of brute-force attacks. Next, at 22 percent, is automated replication, followed by Kerberos attacks, which use stolen credentials and account for 16 percent of lateral movement activity.

While the number of botnet-related threats increased just about proportionately with the increase in networks analyzed, the growth in reconnaissance behaviors was nearly four times higher, and the growth in lateral movement was almost seven times higher.

The last stage, data exfiltration, is the most dangerous to the enterprise, but accounts for just 3 percent of the activity detected.

That gives enterprises a window of opportunity to detect and clear out these attacks before they do damage -- but also explains why attackers can spend months inside a corporate network before they are caught.

Williamson warned, however, that just because 3 percent of attacks are in the exfiltration phase, doesn't necessarily mean that the average intrusion campaign spends very little time on exfiltration.

"It's not necessarily proportional to time," he said. "Once they get an exfiltration channel set up, they can leave it open to steal data for a long while."

Vectra also analyzed ways the attackers stayed hidden.

The most common technique attackers used to hide their communications was fake browser activity, at 36 percent, followed by newly generated domains, used 25 percent of the time. The anonymous Tor network was used 14 percent of the time, followed by external remote access at 13 percent.

Techniques used least frequently include pulling instructions, stealth HTTP posts, hidden HTTPS tunnels, malware updates, peer-to-peer networks, and hidden HTTP tunnels.

Hidden tunnels in particular are difficult to detect, since attackers can embed coded messages in text fields, headers, or other session parameters of otherwise normal traffic. To make detection even harder, the attackers can take advantage of encrypted traffic.

"We are able to identify hidden tunnels within this encrypted traffic without having to decrypt it," said Williamson.

Vectra does this by analyzing behavioral patterns.
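As an added illustration, not Vectra's own method (the article does not describe its behavioral models), the Python below scores TLS flows on timing and request-size regularity using only connection metadata, so no decryption is needed; the flow records, host names and thresholds are constructed assumptions.

```python
# Added example (not Vectra's code): a metadata-only heuristic for spotting
# beacon-like "hidden tunnel" traffic inside TLS without decrypting payloads.
# The thresholds and the flow records below are constructed assumptions.
import statistics
from collections import defaultdict

# Constructed TLS flow metadata: (seconds since start, destination host, bytes sent).
# "cdn.example" mimics ordinary browsing; "c2.example" mimics a tunnel that
# calls home every ~60 s with near-identical small requests.
FLOWS = [
    (0, "cdn.example", 1800), (4, "cdn.example", 95000), (31, "cdn.example", 420),
    (0, "c2.example", 510), (60, "c2.example", 512), (121, "c2.example", 508),
    (180, "c2.example", 511), (241, "c2.example", 509), (300, "c2.example", 512),
    (47, "cdn.example", 12000), (52, "cdn.example", 300), (210, "cdn.example", 76000),
]

def cv(values):
    """Coefficient of variation; 0.0 means perfectly regular."""
    mean = statistics.mean(values)
    return statistics.pstdev(values) / mean if mean else 0.0

def beacon_scores(flows, min_flows=5):
    """Return {host: (interval_cv, size_cv)} for hosts with enough flows."""
    by_host = defaultdict(list)
    for ts, host, nbytes in flows:
        by_host[host].append((ts, nbytes))
    scores = {}
    for host, recs in by_host.items():
        if len(recs) < min_flows:
            continue
        recs.sort()
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        sizes = [n for _, n in recs]
        scores[host] = (cv(gaps), cv(sizes))
    return scores

def suspected_tunnels(flows, max_interval_cv=0.2, max_size_cv=0.2):
    """Hosts whose timing and request sizes are both suspiciously regular."""
    return sorted(h for h, (icv, scv) in beacon_scores(flows).items()
                  if icv <= max_interval_cv and scv <= max_size_cv)

if __name__ == "__main__":
    print(suspected_tunnels(FLOWS))  # ['c2.example']
```

In practice the same scoring would run over exported flow logs or TLS session metadata from a network sensor, with thresholds tuned against a baseline of the organisation's own traffic.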

It turns out, he added, that attackers prefer to hijack encrypted channels.

For example, encrypted HTTPS communications are preferred more than two to one over unencrypted HTTP for command-and-control communications.

The best news in this year's report is that the percent of threats that were involved in exfiltration -- 3 percent -- was about half of that seen last year.

But that could be because Vectra customers used the analysis of their networks to shut down the attacks before they hit that stage.

"They're using us to spot and identify the threats that are getting past the upstream security," said Williamson. "They will take this information and use it to respond to the threats."

Vectra did not break out the numbers for networks it was analyzing for the first time.

Stories by Maria Korolov