Home Depot, Target, JP Morgan, and Community Health Systems have all been victims of a network security breach, resulting in the loss of customers' personal data and millions of dollars in revenue. We ask ourselves "who will be next?" – because the assault on the digital economy has become an asymmetric war and businesses are on the losing side.
The first edition of "The Post Breach Industry Report" is an industry study using real-world data from enterprise networks, revealing what attackers do inside an organization's network once they evade perimeter defenses. The statistics are scary:
- All participating organizations experienced at least one targeted attack and multiple opportunistic attacks;
- 10% of all hosts showing signs of a cyber attack had a detection for multiple attack phases;
- 15% of the hosts in these organizations experienced a targeted attack; and
- 85% of the hosts with multiple detections experienced an opportunistic attack.
Cyber attacks are increasingly sophisticated and highly organized. And they succeed despite the $60 billion invested in cyber security annually worldwide. These defenses—plus the efforts of skilled information security professionals who are focused on protecting their organizations' intellectual property, honoring customer trust and upholding the law—are not working. These events and actions are a grave reminder: "there is no such thing as perfect security."
Organizations are investing heavily in prevention-centric technologies. Prevention-centric security solutions like next-generation firewalls and sandboxes only detect the initial exploit of an attack and identify some forms of command and control using reputation lists. Targeted attackers typically use exploits that have been modified or never seen before, or they gain access via a third party, à la Fazio Mechanical and Target. Next-gen firewalls and sandboxes will find opportunistic attacks like botnets, but they won't find these targeted attackers.
So what happens after the attacker bypasses the defenses and moves into the heart of the corporate network? Or when an employee's device is compromised by an exploit while on a guest Wi-Fi network and the employee walks the infection into the organization? Prevention is not enough.
Prevention-centric solutions must be complemented with robust real-time breach detection. Organizations need to detect what the attacker and their malware are doing, like the behaviors shown in the chart below.
Phases of Attacks Detected Inside Perimeter Defenses
The reconnaissance, lateral movement and exfiltration phases represent the activities of a targeted attacker who has already evaded the perimeter defenses. Having visibility into these behaviors enables security analysts to protect their network and data from in-progress attacks. It is even better when detections are correlated to the host under attack, so that they tell a story about what the attacker is doing, as in the table below.
The attack on the host with IP address 10.1.1.183 in one organization's network transpired over 18 days. These detections showed what the attacker was doing and provided multiple opportunities to stop the attack before data left the network.
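To make the host-level correlation concrete, here is an added example (not Vectra's code, and not data from the report) that groups constructed detection records by host, flags hosts whose detections span more than one attack phase, and reconstructs each host's timeline. The host 10.1.1.183 and its 18-day span follow the page's example; the dates, the other hosts, the phase names and the detection descriptions are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample detections (assumed, not data from the report). Each record is
# (host, observed_date, phase, description). The host 10.1.1.183 mirrors the page's
# example of an 18-day intrusion; the other hosts are invented.
SAMPLE_DETECTIONS = [
    ("10.1.1.183", date(2014, 9, 2),  "command_and_control", "periodic beacon to external IP"),
    ("10.1.1.183", date(2014, 9, 5),  "reconnaissance",      "internal port sweep of 10.1.1.0/24"),
    ("10.1.1.183", date(2014, 9, 11), "lateral_movement",    "brute-force SMB logins to file server"),
    ("10.1.1.183", date(2014, 9, 14), "lateral_movement",    "RDP session to domain controller"),
    ("10.1.1.183", date(2014, 9, 20), "exfiltration",        "large outbound transfer to unseen host"),
    ("10.1.1.52",  date(2014, 9, 7),  "botnet",              "outbound spam / click-fraud traffic"),
    ("10.1.1.52",  date(2014, 9, 8),  "botnet",              "outbound spam / click-fraud traffic"),
    ("10.1.1.90",  date(2014, 9, 9),  "reconnaissance",      "single internal port scan"),
]

# Phases that indicate a targeted attacker operating behind the perimeter,
# as opposed to opportunistic botnet behaviour (assumed grouping).
TARGETED_PHASES = {"reconnaissance", "lateral_movement", "exfiltration"}


def correlate_by_host(detections):
    """Group detections by host and order each host's timeline by date."""
    by_host = defaultdict(list)
    for host, when, phase, desc in detections:
        by_host[host].append((when, phase, desc))
    for events in by_host.values():
        events.sort(key=lambda e: e[0])
    return dict(by_host)


def phases_for(events):
    """Distinct attack phases seen on one host."""
    return {phase for _, phase, _ in events}


def hosts_with_multiple_phases(by_host):
    """Hosts whose detections span more than one attack phase, i.e. the
    'multiple attack phases' population the report counts."""
    return sorted(h for h, ev in by_host.items() if len(phases_for(ev)) > 1)


def targeted_hosts(by_host):
    """Hosts showing at least one post-compromise phase of a targeted attack."""
    return sorted(h for h, ev in by_host.items() if phases_for(ev) & TARGETED_PHASES)


def attack_span_days(events):
    """Days between the first and last detection on a host (0 for a single day)."""
    return (events[-1][0] - events[0][0]).days


def attack_story(host, by_host):
    """Ordered, de-duplicated sequence of phases observed on a host: the
    'story' an analyst reads from correlated detections."""
    seen, story = set(), []
    for _, phase, _ in by_host[host]:
        if phase not in seen:
            seen.add(phase)
            story.append(phase)
    return story


if __name__ == "__main__":
    by_host = correlate_by_host(SAMPLE_DETECTIONS)
    for host in hosts_with_multiple_phases(by_host):
        days = attack_span_days(by_host[host])
        print(f"{host}: {' -> '.join(attack_story(host, by_host))} over {days} days")
```

Run as a script, the block reports 10.1.1.183 as the only multi-phase host, with a command-and-control, reconnaissance, lateral-movement, exfiltration story spanning 18 days; the botnet host 10.1.1.52 shows only one phase and 10.1.1.90 only a single reconnaissance event, which is why per-host correlation, rather than a flat alert feed, is what lets an analyst prioritise the host that is actually being worked by a targeted attacker.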
Next-gen firewalls and sandboxes can produce a mountain of alerts, but what you need is actionable intelligence. It's time for security that thinks.
Rather than relying on detecting known signatures, the Vectra X-series provides real-time insight into advanced persistent attacks through a combination of security research, data science and machine learning. The insight is fully automated with clear, intuitive reports so you can take decisive action immediately to stop an attack or mitigate its impact.
Attackers are already in your network, looking for an opportunity to steal high-value data or further their goals. The Post Breach Industry Report reveals what attackers do within a network once they evade perimeter defense.
Download the report today.