Malicious actors are increasingly using the anonymous Tor network and external remote access tools to instigate targeted attacks that are growing in sophistication and complexity, a Vectra Networks analysis of internal traffic has shown.
The firm's June Post-Intrusion Report analysed internal monitoring of host-to-host traffic as well as traffic to and from the Internet, allowing the observation of malicious attacks at every phase.
Fully 100 percent of the 40 analysed firms' networks – including 248,198 hosts – showed one or more of the five indicators of a targeted attack, which Vectra outlined as characterising the various types of attack traffic to traverse internal networks.
These included command-and-control (C&C) communications, which accounted for 32 percent of the 46,610 total threats detected; botnet monetisation (18 percent), internal reconnaissance (13 percent), lateral movement (34 percent), and data exfiltration (3 percent).
Use of command-and-control (C&C) behaviours was “flat” compared with the previous year, the analysis showed, even as use of lateral movement techniques – including the internal spread of malware and authentication-based attacks such as the use of stolen passwords – was up 580 percent over the previous year and internal reconnaissance was up 270 percent.
This reflected malware that is increasingly active on victim networks once it has breached perimeter defences. Growing use of Tor and HTTPS-secured remote access services had displaced C&C traffic.
The lateral movement and reconnaissance detections were up “across the board”, the report warned, with some detections showing industry-specific correlations.
Lateral-movement activities were noted in 27 percent of technology firms and 20 percent of government firms, for example, compared with just 5 percent of media and 3 percent of services organisations.
C&C activity was most common in technology firms (43 percent), whereas just 1 percent of financial and services organisations experienced C&C type activity.
Technology firms were also orders of magnitude more likely to experience reconnaissance type activity, with 57 percent of reported activities falling into that category compared with just 4 percent in education and energy, 3 percent in engineering, and 2 percent in services.
“The marked increase in lateral movement and reconnaissance behaviours is particularly significant because these attack phases are strategic to the success of a target attack,” the report explains.
“These attacks require attackers to persist within a network and spread through the environment. Consequently, detecting the presence of internal reconnaissance and lateral movement represents one of the most important opportunities to mitigate these threats before assets are compromised.”
Deeper analysis of C&C behaviours showed that fake browser activity – used by malicious actors to blend in with legitimate traffic – was found in 36 percent of incidents, while suspect domain activity (25 percent), TOR activity (14 percent), and external remote access (13 percent) all ranked highly.
The use of Tor “makes it virtually impossible to track where traffic is going to or coming from,” the report notes. “Malware authors and attacks have been taking note of this advantage and using Tor more and more as part of their attack infrastructure.”
The report also broke down types of traffic in the other five indicators, with abnormal ad activity comprising 85 percent of botnet monetisation behaviours, bruce-force attacks leading with 56 percent of lateral movement behaviours, and internal port scans found in 53 percent of reconnaissance behaviours. Data smuggler behaviour was the most common form of data exfiltration, observed in 36 percent of cases.
This article is brought to you by Enex TestLab, content directors for CSO Australia.