Vectra Networks's Post Breach Report found that 15 percent of cyber attacks are targeted.
Vectra Networks's Post Breach Report found that 15 percent of cyber attacks are targeted.

Highly organized, sophisticated and successful cyber attacks continue to assail organizations and while most are opportunistic, a higher than expected percentage are targeted, according to results from a recent study.

In an analysis of information collected in a five-month period from more than 100,000 hosts within sample organizations, researchers at Vectra Networks found that all of the organizations studied were attacked and that cyber attacks made it through perimeter defenses to get to more than 11,000 hosts. The numbers also show that 10 percent of those hosts “had detections for two or more attack phases such as botnet monetization, command and control, reconnaissance, lateral movement and exfiltration.”

While the bulk of attacks (85 percent) were opportunistic, 15 percent were targeted (in fact all the organizations in the report had suffered at least one targeted attack), which Oliver Tavakoli, CTO at Vectra, found surprising. 

“Targeted attacks were hotter than we thought,” he told SCMagazine.com.

“They were in every organization; everyone was affected,” Mike Banic, vice president of marketing at Vectra told SCMagazine.com. “I wasn't expecting that.”

Pointing to the Target breach, the Vectra Post Breach Report showed that “botnets can lead to targeted attacks” with exfiltration behavior (such as credentials being stolen using a keylogger) detected in seven percent of the hosts with botnet detections.

While targeted attacks are clearly a high priority, organizations have a difficult time picking them out of a field crowded with opportunistic attacks — “With opportunistic attacks occurring on more than 70 percent of the hosts with multiple detections, detecting target attacks amongst the substantial noise created by opportunistic attacks is difficult,” the report said.

Some good news — “90 percent of opportunistic attacks were stopped after a single attack phase was detected.”

Oliver noted that a lot of organizations have “invested a lot in perimeter security,” but they don't know what attackers do once they get in — and sometimes they don't know they've been breached until “a three-lettered agency” notifies them, Tavakoli said.

The standard approach — protecting the perimeter — is akin to placing “many cameras on the outside of a bank and seeing a person go in and then run out with bags of money,” he said. “But all the action is on the inside of the bank.”

Instead, he said, security should be focused on what's going on “inside the bank” and how to thwart it.