More than 11,000 hosts experienced one or multiple cyber-attacks that made it through perimeter defenses, and of these attacked hosts, 10 percent had detections for two or more attack phases, such as botnet monetization, command and control, reconnaissance, lateral movement and exfiltration, according to a Vectra Networks study.
The company's Post Breach Industry Report collected data over five months from more than 100,000 hosts within sample organizations to gain a deeper understanding of breaches that inevitably bypass perimeter defenses, and what attackers do once inside networks.
"The first goal of this report is to highlight indications of an attack that hide in plain sight. The security industry is accustomed to presenting information from the vantage point of perimeter and endpoint security, and they have over-invested in prevention and blocking technologies that depend on signatures and reputation lists," Oliver Tavakoli, Vectra Networks' chief technology officer, told eWEEK. "These techniques are decreasingly effective at stopping attacks and provide no insight into the attacks that get through the perimeter or what the attacker is doing once inside the network."
Tavakoli explained the second goal is to help organizations know what to look for as indications of an in-progress attack and understand the story they tell, which he said is especially true for targeted attacks that play out over days or weeks.
"Detecting a single behavior alone can't tell you what the attacker will ultimately try to steal," he said. "Targeted attackers are patient and stealthy; once you find them and see what they are doing, you can use this insight to inform your incident response team."
Overall, 15 percent of hosts in the participating organizations experienced a targeted attack, according to the report.
Once the attackers establish a stronghold, they perform reconnaissance through internal port scans, lateral movement using brute force attacks, remote control of the attack with command and control communication, and exfiltration through hidden tunnels.
In addition, 85 percent of attacks experienced by the sample organizations were opportunistic attacks.
Two percent of the hosts experiencing an opportunistic attack were being used to spread botnet malware to other computers within the organization, and 15 percent of attacks experienced by the sample organizations were targeted attacks.
Seven percent of hosts had both botnet and exfiltration detections, indicating possible theft of credentials for use in a subsequent targeted attack against the sample organization or other organizations.
"To quote a customer, the biggest threat is the unknown. Not knowing when attackers are present in the network is a huge risk," Tavakoli said. "With a tool that can detect them, the next thing this customer said was his biggest need was having a way to quickly triage targeted attacks from opportunistic and focus on the highest risk attacks first."