What attackers do after bypassing perimeter defenses


Vectra Networks collected data over five months from more than 100,000 hosts within sample organizations to gain a deeper understanding of breaches that inevitably bypass perimeter defenses, and what attackers do once inside networks.

They found that more than 11,000 hosts experienced one or more cyber attacks that made it through perimeter defenses. Of these attacked hosts, 10 percent had detections for two or more attack phases, such as botnet monetization, command and control, reconnaissance, lateral movement and exfiltration.

Overall, 15 percent of hosts in the participating organizations experienced a targeted attack. Once the attackers established a stronghold, they performed reconnaissance via internal port scans, lateral movement using brute force attacks, remote control of the attack with command and control communication, and exfiltration through hidden tunnels.

Oliver Tavakoli, CTO of Vectra Networks, said: “Cyber attacks are increasingly sophisticated, highly organized, and successful despite $60 billion invested in cyber security annually worldwide. All of the attack phases detected in this report are ones that evaded organizations’ perimeter and endpoint security systems.”

Additional key findings of the study include:

  • Eighty-five percent of attacks experienced by the sample organizations were opportunistic attacks. Two percent of the hosts experiencing an opportunistic attack were being used to spread botnet malware to other computers within the organization.
  • Fifteen percent of attacks experienced by the sample organizations were targeted attacks. Two percent of these hosts under targeted attack were breached to the exfiltration stage, where the attacker was preparing to steal data.
  • Seven percent of hosts had both botnet and exfiltration detections, which indicates possible theft of credentials for use in a subsequent targeted attack against the sample organization or other organizations.