For its latest report, Vectra analyzed data from 120 customer networks comprised of more than 1.3 million hosts over the first quarter of 2016. All organizations showed signs of targeted attacks including internal reconnaissance, lateral movement or data exfiltration. Of the 120 participating organizations, 117 detected at least one of these behaviors during each month of the study.
Despite that nearly 98 percent of organizations detected at least one behavior per month during the three-month period, researchers found that fewer detections were observed deeper in the kill chain. As an example, data exfiltration – which is by far the most dangerous behavior – was the lowest of all categories at 3 percent.
“This data shows that security teams that are laser focused on the active phase of a network attack are successfully decreasing the risk of data theft,” said Günter Ollmann, CSO at Vectra Networks. “They are responding faster and shutting down attacks before critical data is extracted from their networks and any real damage is done.”
C&C techniques and hidden tunnels on the rise
Researchers found that not only are command-and-control (C&C) attacks increasing, accounting for 67 percent of detections, but the use of HTTP and HTTPS C&C for hidden tunnels also made a significant jump this year.
HTTP and HTTPS C&C is an emerging technique that allows sophisticated attackers to pass hidden messages and steal data within protocols that are generally not blocked by perimeter firewalls.
Together, HTTP and HTTPS tunnels accounted for 7.6 percent of all C&C detections, making them the third most-common C&C technique overall. This trend was consistent when normalizing for the number of hosts monitored. Hidden C&C tunnels were observed 4.9 times per 1,000 hosts, which is up from 2.1 times per 1,000 hosts seen in the previous report.
Spy inside the network
Lateral movement, which enables attackers to spread from east to west to gather information, dropped significantly from 34 percent of total detections in 2015 to roughly 8.6 percent of total detections this year.
However, once inside the network, attackers appear to be getting quieter. Of these lateral movement detections, brute force attacks – the most popular technique last year – are down significantly, while Kerberos client and automated replication behaviors increased over last year, tying at 36.3 percent of lateral movement detections.
“Because brute force techniques are so noisy, more experienced and skilled attackers tend to try other access techniques first – preferably automatable techniques that are difficult to distinguish from normal network traffic and where failures are unlikely to be alerted upon,” said Ollmann.
“As an example, and demonstrated by our findings, public disclosures of Kerberos vulnerabilities and new attack tools that can automate exploitation are now part of the hackers’ arsenal,” he continued. “Once suitable Kerberos keys are created and administrative accounts are broken, the process of compromising other hosts in the victim’s network is simple and mechanical.”
Botnet monetization trends
In the realm of botnet behaviors, click fraud remains the leading technique at 58.1 percent. While botnet infections may pose a lower risk to organizations than a targeted attack, they are by no means risk free.
This year saw a proportional increase in denial-of-service, outbound brute force and port scanning. These botnet behaviors are important to enterprises as they can have significant impacts on the reputation of the network. Taken together, these detections represent 27 percent of botnet events, more than double the 12 percent that was previously observed.