Insights from inside the kill chain
This week we are proud to announce the release of the third edition of the Vectra Post-Intrusion Report. And while there are plenty of reports from security vendors out there, this one provides something that is unique.
Most industry security reports either focus on statistics of known threats (exploits and malware families) or give a post-mortem look back at breaches that were successful. The first is a statistical analysis of the things that your perimeter defenses are likely to block, and the second is a retelling of attacks that were missed entirely. In essence, these reports document the first punch of a fight, and then skip to examining a fighter who has been knocked out. For security teams the figurative challenge is to be able to take a punch without losing the fight, and that is the type of information we focus on in the Post-Intrusion Report.
Here we provide insight on the all-important middle ground by showing how forward-looking security teams are finding intrusions in real-time and overwhelmingly stopping threats before damage is done. It also gives you a first-hand in-situ view of the techniques attackers use when they’re inside the network so you can look for these behaviors in your environment.
Attackers are getting in, but being caught in the act
This report analyzed data from the first three months of 2016 from 120 production Vectra deployments, encompassing more than 1.3 million network hosts. As in previous versions of the report, every network showed at least one behavior consistent with a targeted attack – internal reconnaissance, lateral movement, or data exfiltration. In fact, 97.5% of networks exhibited one of these behaviors each month.
While it is clear that attackers are evading perimeter defenses, the good news is that the majority of attacks are being caught before damage is done. Looking at the data, the most common detections occurred early in the kill chain and dropped off with each successive phase of attack.
Command-and-control detections were the most common, followed by reconnaissance, lateral movement, and exfiltration. Exfiltration behaviors were by far the least common category, accounting for only 3% of all detections. Exfiltration behaviors were down in absolute terms as well, dropping from a monthly average of 1.82 to 1.01 detections per 1,000 hosts.
Attackers are getting quieter
Traditionally, attackers knew they had free rein inside the network. The data in this report indicates that attackers are increasingly aware that they are being watched inside the network and are adopting less noticeable and more evasive techniques.
One such example can be seen in the area of lateral movement. In a flip from the previous report, brute-force techniques dropped from first to third in the lateral movement category, while Kerberos client detections jumped from third to first.
Kerberos client detections monitor the network’s authentication infrastructure to uncover many types of credential abuse. This class of detection can reveal an attacker who might have compromised a valid set of credentials or might be using pass-the-hash or golden ticket techniques. These techniques require far more local learning in order to detect and tend to be far more subtle than a simple and noisy brute-force attack.
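To make the "local learning" idea concrete, here is an added example (not Vectra's code, and not a description of how its product works) that learns a per-host baseline of Kerberos service-ticket requests and then flags two deviations a defender would care about: an account appearing on a host it never authenticated from, and a host suddenly requesting tickets for many services it never touched. The record layout, the sample traffic and the sweep threshold are all constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TgsRequest:
    """One Kerberos service-ticket (TGS) request seen on the wire (assumed layout)."""
    hour: int      # hour index within the observation window
    client: str    # host that sent the request
    user: str      # account the ticket is requested for
    service: str   # service principal name requested


def _normal_day(client, user, services, start_hour):
    """Constructed helper: one working day of routine requests from a host."""
    return [TgsRequest(start_hour + h, client, user, svc)
            for h in range(8, 18) for svc in services]


# Constructed baseline traffic: two workstations, each used by its own account.
BASELINE = (
    _normal_day("ws-alice", "alice", ["cifs/files01", "http/intranet"], 0)
    + _normal_day("ws-bob", "bob", ["cifs/files01", "ldap/dc01"], 0)
)

# Constructed detection window: alice's account used from bob's machine, and
# bob's machine asking for tickets to six hosts it has never talked to.
DETECT = (
    [TgsRequest(33, "ws-alice", "alice", "cifs/files01")]
    + [TgsRequest(34, "ws-bob", "alice", "cifs/files01")]
    + [TgsRequest(35, "ws-bob", "bob", f"cifs/ws-{n}") for n in range(101, 107)]
)


class KerberosClientProfile:
    """Learns per-host norms from a baseline window, then reports deviations."""

    def __init__(self, sweep_threshold=3):
        # Assumed threshold: more than this many never-seen services in one
        # hour from one host is reported as a sweep.
        self.sweep_threshold = sweep_threshold
        self.users = defaultdict(set)     # client host -> accounts seen
        self.services = defaultdict(set)  # client host -> SPNs seen

    def learn(self, requests):
        """Record which accounts and services each host normally uses."""
        for r in requests:
            self.users[r.client].add(r.user)
            self.services[r.client].add(r.service)

    def detect(self, requests):
        """Return (kind, host, detail) findings for requests outside the baseline."""
        findings = []
        new_per_hour = defaultdict(set)  # (client, hour) -> unseen SPNs
        for r in requests:
            if r.user not in self.users[r.client]:
                findings.append(("new_user_on_host", r.client, r.user))
            if r.service not in self.services[r.client]:
                new_per_hour[(r.client, r.hour)].add(r.service)
        for (client, hour), spns in new_per_hour.items():
            if len(spns) > self.sweep_threshold:
                findings.append(("service_sweep", client, len(spns)))
        return findings


def run_demo():
    """Learn from BASELINE, then score DETECT; returns the findings list."""
    profile = KerberosClientProfile()
    profile.learn(BASELINE)
    return profile.detect(DETECT)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Running it reports only the two anomalies on ws-bob and stays silent on ws-alice's routine traffic. The point of the baseline step is the one the post makes: a single credential reuse or a burst of ticket requests looks ordinary in isolation and only stands out against what that particular host normally does, so a real detector must keep learning (new staff, new servers) rather than freezing the baseline once.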
Attackers also appear to be getting craftier in hiding their command-and-control communications. The previous report first disclosed the use of hidden tunnels for both command-and-control and exfiltration behaviors.
The new report also observed a big jump in hidden tunnels being used for command and control. In last year’s report, HTTP and HTTPS hidden tunnels were the seventh most common command-and-control technique. This time, HTTP and HTTPS jumped to third place.
These are just a few noteworthy trends in the report, and we encourage you to read the full report here.