Security

Report Identifies Increasing Evidence of Cyber Attacks Penetrating Networks

• By Rhea Kelly
• 06/23/15

A new study has identified a surge in the typical indicators of targeted attacks on today's networks. In a six-month study of 40 customer and prospect networks (a total of more than 250,000 hosts) across multiple industries, malware detection company Vectra Networks found a 580 percent increase in lateral movement detections and a 270 percent increase in reconnaissance detections compared to last year — both signs of targeted attacks that have penetrated a network's security perimeter. Nearly 25 percent of the data analyzed was from education networks.

"The increase in lateral movement and reconnaissance detections shows that attempts at pulling off targeted attacks continue to be on the rise," said Oliver Tavakoli, CTO for Vectra Networks, in a press release. "The attackers' batting average hasn't changed much, but more at-bats invariably has translated into more hits."

While the study found just 6 percent growth in command-and-control communication, high-risk Tor detections jumped by more than 1,000 percent, accounting for 14 percent of all command-and-control traffic. External remote access increased by 183 percent over last year.

In addition, a comparison of hidden tunnels in encrypted traffic vs. clear traffic revealed that "HTTPS is favored over HTTP for hidden tunnels, indicating an attacker's preference for encryption to hide their communications," according to a statement from the company.

Other findings include:

• Botnet monetization behavior grew linearly compared to last year's report. Ad click-fraud was the most commonly observed botnet monetization behavior, representing 85 percent of all botnet detections.
• Within the category of lateral movement detections, brute-force attacks accounted for 56 percent, automated replication accounted for 22 percent and Kerberos-based attacks accounted for 16 percent. Although only the third most frequent detection, Kerberos-based attacks grew by 400 percent compared to last year.
• Of internal reconnaissance detections, port scans represented 53 percent while darknet scans represented 47 percent, which is fairly consistent with behavior detected last year.

The Post-Intrusion Report is available for download at the Vectra Networks site.