Lateral movement and reconnaissance detections observed in a Vectra Networks Post-Intrusion Report, released Tuesday, show a sharp upturn in targeted attacks that have penetrated the perimeter.
The report, which is the culmination of data collected over a six-month period from 40 of the company's customer and prospect networks comprising more than 250,000 hosts, found that lateral movement detections grew non-linearly, up 580 percent from last year, while reconnaissance detections were up 270 percent. Overall, detections outpaced those recorded last year by 97 percent.
Firewalls and other perimeter security solutions are “holding their own” with attacks of opportunity like botnets, Wade Williamson, director of product marketing at Vectra Networks, told SCMagazine.com in a Monday interview. “They're not doing so good when the attacks are targeted” and attackers are trying to dig deeper into the networks.
While attackers are “getting good” at getting past the first wall of defense, they're not faring as well getting data out of the network. “They're getting in the front door at a far greater rate than they have in the past,” said Williamson. “But the exfiltration of data is relatively low,” he added.
Williamson attributed the uptick in detections in part to the “democratization of hacking tools,” which makes it easier for attackers to get in. He noted that the research indicated attacks have gone from being just the domain of “super sophisticated” hackers to those with lesser skills.
Vectra found the least growth, six percent, in command and control communication. But “high-risk Tor” and external remote access grew by 1000 percent and 183 percent respectively, the findings showed. Tor detections made up 14 percent of all C&C traffic.
Hidden tunnels are used to “hide some communication within a protocol,” Williamson explained. The study assessed them without having to decrypt SSL traffic, he pointed out; instead, researchers applied data science to network traffic.
This year the Vectra Networks research showed that HTTPS was favored by attackers for communications while HTTP, or clear channel, was used less frequently (by about half). “That's a good indication attackers are using hidden tunnels,” Williamson explained.
Lateral movement detections were mostly the work of brute-force attacks (56 percent) while automated replication accounted for 22 percent of the detections and Kerberos-based attacks represented 16 percent. The latter, though, increased non-linearly by 400 percent from last year's results.
Port scans, which identify activity further along in the attack process, accounted for 53 percent of the internal reconnaissance detections noted in the study while the remaining 47 percent were attributed to darknet scans, in keeping with the behavior reported in the company's 2014 report. The report also found that ad-click fraud, at 85 percent of all botnet detections, represented the most common form of botnet monetization, a behavior that grew linearly when compared to results from last year.
To counter the attacks, Williamson suggested that organizations take steps to establish a data-centric security model that protects data as an asset and to apply behavioral science to detect “bad behavior” within a network.