The higher education sector exhibited a startling increase in potentially damaging cryptocurrency mining behaviors, according to Vectra.
The Attacker Behavior Industry Report reveals cyberattack detections and trends from a sample of 246 opt-in enterprise customers using the Vectra Cognito platform, across 14 different industries. From September 2017 through January 2018, Vectra monitored traffic and collected metadata from more than 4.5 million devices and workloads from customer cloud, data center and enterprise environments. By analyzing this metadata, Vectra detected hidden attacker behaviors and identified business risks that enabled its customers to avoid catastrophic data breaches.
As attackers automate and streamline their own tooling, the report argues, defenders need to augment existing security controls with detection and response tools that let them find and stop threats faster.
Cryptocurrency mining is a mounting problem
Considered opportunistic, mining surged with the rising price of cryptocurrencies like Bitcoin, Monero and Ethereum. Of all the cryptocurrency mining detections, 85% occurred in higher education, followed by entertainment and leisure (6%), financial services (3%), technology (3%), and healthcare (2%). Students mining on their own devices, with free electrical power and Internet access, might account for the spike in higher education.
Volume of attack behaviors
The highest volume of attacker behaviors per industry was in higher education (3,715 detections per 10,000 devices), followed by engineering (2,918 detections per 10,000 devices). This is primarily due to command-and-control (C&C) activity in higher education and internal reconnaissance activity in engineering.
C&C activity in higher education, at 2,205 detections per 10,000 devices, is almost five times the industry average of 460 detections per 10,000 devices. C&C traffic is an early threat indicator: it usually precedes later stages of an attack such as internal reconnaissance, lateral movement and data exfiltration, and in higher education it is often associated with opportunistic botnet behaviors.
Low detection rates
Government and technology sectors have the lowest detection rates, with 496 and 349 detections per 10,000 devices, respectively. This could indicate the presence of stronger policies, mature response capabilities and better control of the attack surface.
Increases across industries
Normalized to detections per 10,000 devices and compared with the previous year, detections rose sharply in every industry, with C&C detections up 37%, internal reconnaissance up 31% and lateral movement up 24%, and data exfiltration detections up a more modest 6%.