New Post-Intrusion Report Shows Surge in Indicators of Cyber Attackers Spreading Throughout Networks
Study is Industry's First to Apply Data Science to Analyze Encrypted Hidden Tunnels and Finds Attackers Prefer HTTPS over HTTP
Report data was collected over six months from 42 customer and prospect networks with over 250,000 hosts, and the report compares the new results to last year's report. The new report includes detections of all phases of a cyber attack and exposes trends in malware behavior, attacker communication techniques, internal reconnaissance, lateral movement, and data exfiltration.
According to the report, there was non-linear growth in lateral movement (580 percent) and reconnaissance (270 percent) detections that outpaced the 97 percent increase in overall detections compared to last year. These behaviors are significant as they show signs of targeted attacks that have penetrated the security perimeter.
While command-and-control communication showed the least amount of growth (6 percent), high-risk Tor and external remote access detections grew significantly. In the new report, Tor detections jumped by more than 1000 percent compared to last year and accounted for 14 percent of all command-and-control traffic, while external remote access shot up by 183 percent over last year.
The report is the first to study hidden tunnels without decrypting SSL traffic by applying data science to network traffic. A comparison of hidden tunnels in encrypted traffic vs. clear traffic shows that HTTPS is favored over HTTP for hidden tunnels, indicating an attacker's preference for encryption to hide their communications.
"The increase in lateral movement and reconnaissance detections shows that attempts at pulling off targeted attacks continue to be on the rise," said Oliver Tavakoli, Vectra Networks CTO. "The attackers' batting average hasn't changed much, but more at-bats invariably has translated into more hits."
A copy of the Post-Intrusion Report is available for download at http://info.vectranetworks.com/post-intrusion-report-2015.
Other key findings of the study include:
- Botnet monetization behavior grew linearly compared to last year's report. Ad click-fraud was the most commonly observed botnet monetization behavior, representing 85 percent of all botnet detections.
- Within the category of lateral movement detections, brute-force attacks accounted for 56 percent, automated replication 22 percent and Kerberos-based attacks 16 percent. Although only the third most frequent detection, Kerberos-based attacks grew non-linearly by 400 percent compared to last year.
- Of internal reconnaissance detections, port scans represented 53 percent while darknet scans represented 47 percent, which is fairly consistent with behavior detected last year.
The data in the Post-Intrusion Report is based on metadata from Vectra customers and prospects who opted to share detection metrics from their production networks. Vectra identifies active threats by monitoring network traffic on the wire in these environments. Internal host-to-host traffic as well as traffic to and from the Internet are monitored to ensure visibility and context of all phases of an attack.
The latest report offers a first-hand analysis of active "in situ" network threats that bypass next-generation firewalls, intrusion prevention systems, malware sandboxes, host-based security solutions, and other enterprise defenses. The study includes data from 40 organizations in education, energy, engineering, financial services, government, healthcare, legal, media, retail, services, and technology.