Top cybersecurity evasion and exfiltration techniques used by attackers
SS8 released its 2018 Threat Rewind Report, which reveals the top cybersecurity evasion and exfiltration techniques used by attackers and malicious insiders.
During the past year, SS8 sensors and analytics deployed globally within live production networks have detected a variety of techniques used to compromise and steal data (intellectual property) from organizations in key industries spanning critical infrastructure, enterprises and telecommunications.
The networks SS8 assesses exhibit the presence of the following evasion and exfiltration activity:
- 60% – No internal DNS server.
- 36% – Traffic involving proxy and anonymizer IPs/URLs.
- 33% – Victims of phishing attacks involving popular domains.
- 28% – Security incidents involving SSH.
- 25% – Bitcoin traffic.
- 21% – TOR traffic.
- 15% – Malicious activity on a non-standard application port.
Key findings explained:
- 28% had security incidents involving SSH. SSH is the most popular protocol used for remotely accessing machines. A common authentication method used in SSH is a username/password combination. Attackers also masquerade command and control sessions as regular SSH traffic, so that the channel blends in with legitimate administrative access.
- 25% had Bitcoin traffic. This could signal a potential ransomware infection involving malware such as Cryptolocker, Locky, WannaCry, and Petya. This may also indicate employees are engaging in illegal or unauthorized bitcoin mining.
- 21% had Tor traffic. Tor is normally not allowed in corporate networks, as it can be used to access blocked or restricted websites. Tor can also be used to access hidden Tor services, some of which host questionable content.
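The indicators listed above (SSH on a non-standard port, Tor and anonymizer endpoints, Bitcoin peer-to-peer traffic, and DNS queries leaving the network because there is no internal resolver) can be expressed as simple flow-level detection rules. The following is an added example, not code from SS8 or from the report; the IP addresses, port sets and flow records are constructed for illustration, and in practice the Tor relay and anonymizer lists would come from a threat-intelligence feed.

```python
from dataclasses import dataclass

# Constructed reference data for the example (hypothetical feeds, not real IoCs).
TOR_RELAY_IPS = {"203.0.113.10"}          # would come from a Tor relay list feed
PROXY_ANONYMIZER_IPS = {"198.51.100.7"}   # would come from an anonymizer/proxy list
INTERNAL_DNS_SERVERS = {"10.0.0.53"}      # the organization's own resolvers
TOR_DEFAULT_PORTS = {9001, 9030}          # common Tor ORPort / DirPort defaults
BITCOIN_P2P_PORT = 8333                   # Bitcoin mainnet peer-to-peer port


@dataclass
class Flow:
    """One network flow as a sensor might export it: endpoints, destination
    port and the first bytes of the client payload (for banner matching)."""
    src: str
    dst: str
    dport: int
    payload_prefix: bytes = b""


def classify(flow: Flow) -> list[str]:
    """Return the list of evasion/exfiltration indicators matched by a flow."""
    hits = []
    # SSH protocol banner seen on a port other than 22: possible masqueraded C2.
    if flow.payload_prefix.startswith(b"SSH-") and flow.dport != 22:
        hits.append("ssh_nonstandard_port")
    # Destination is a known Tor relay, or uses a Tor default port.
    if flow.dst in TOR_RELAY_IPS or flow.dport in TOR_DEFAULT_PORTS:
        hits.append("tor")
    # Destination is a known proxy/anonymizer endpoint.
    if flow.dst in PROXY_ANONYMIZER_IPS:
        hits.append("proxy_anonymizer")
    # Bitcoin P2P traffic: possible ransomware activity or unauthorized mining.
    if flow.dport == BITCOIN_P2P_PORT:
        hits.append("bitcoin_p2p")
    # DNS that bypasses the internal resolvers (or there are none).
    if flow.dport == 53 and flow.dst not in INTERNAL_DNS_SERVERS:
        hits.append("external_dns")
    return hits


def summarize(flows: list[Flow]) -> dict[str, int]:
    """Count how many flows matched each indicator."""
    counts: dict[str, int] = {}
    for flow in flows:
        for hit in classify(flow):
            counts[hit] = counts.get(hit, 0) + 1
    return counts


# Constructed sample flows: one per indicator plus two benign controls.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.20", 2222, b"SSH-2.0-OpenSSH_7.4"),  # SSH on 2222
    Flow("10.0.0.6", "203.0.113.10", 443),                         # Tor relay
    Flow("10.0.0.7", "198.51.100.7", 8080),                        # anonymizer
    Flow("10.0.0.8", "192.0.2.30", 8333),                          # Bitcoin P2P
    Flow("10.0.0.9", "192.0.2.53", 53),                            # external DNS
    Flow("10.0.0.5", "192.0.2.40", 22, b"SSH-2.0-OpenSSH_7.4"),    # normal SSH
    Flow("10.0.0.6", "10.0.0.53", 53),                             # internal DNS
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {classify(flow)}")
    print(summarize(SAMPLE_FLOWS))
```

Port- and list-based rules like these are cheap to run on flow exports, but each one has a known blind spot: the SSH banner check is defeated by a client that does not send a banner, the Tor rule depends on the freshness of the relay list (bridges will not appear), and a relay operator can pick any port. They are best treated as triage signals that feed the forensic history the report describes, not as standalone verdicts.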
“The most significant learning for us in 2017 was that prevention techniques were not enough to stop the sophisticated and targeted attacks,” said Dennis Haar, CEO for SS8 Networks. “Known vulnerabilities, human errors and insider threats all contributed to some of the biggest hacks in recent history. Our analysis reaffirmed that network intelligence is absolutely key to detecting malicious activity in the early stages to prevent damage and harm to the enterprise. Detection techniques have become more focused and enable us to find both immediate dangers with time history available for device and individual forensics.”