Today, Vectra Networks published its second edition Post-Intrusion Report that offers a first-hand look at modern threats that get past perimeter security and spread inside the network.
In the latest report, we analyzed behaviors and techniques across the entire lifecycle of real-world cyber attacks. We also looked back and saw alarming changes in the threat landscape and observed emerging trends in attack techniques.
- Major increases in Internal Reconnaissance and Lateral Movement behaviors – While all detections grew due to an increased sample size, Internal Reconnaissance and Lateral Movement detections of an attacker spying and spreading within a network grew disproportionately. Both were the fastest growing categories of detections by far at 580% and 270% respectively. Both categories are strong indicators of a targeted attack and are potential indicators that targeted attackers are increasingly able to penetrate perimeter security controls.
- Tor and External Remote Access are on the Rise – While Command-and-Control detections remained relatively flat, we observed strong growth in both Tor and External Remote Access attack detections. These particular detections are indicators of a targeted attack and their increase confirms an overall trend to more targeted attack behaviors.
- Hidden tunnels within SSL – It is no surprise that attackers want to hide and obscure their communications whenever possible, and using hidden tunnels is one of their favorite techniques. Over the past year, Vectra data scientists zeroed in on this threat by developing techniques to detect hidden tunnels within DNS, HTTP and HTTPS.
Of particular importance, Vectra is now able to detect a hidden tunnel within HTTPS without decrypting the traffic. This led to the industry’s first apples-to-apples analysis of hidden tunnels across clear and encrypted Web sessions.
The results: HTTPS was the most commonly observed protocol used for hidden tunnels and was more than twice as popular for Command-and-Control traffic. An important reminder that attackers will hide in the areas where visibility is weakest.
These are just a few of the key findings in the report, so we encourage you to download the full report to see what is happening once attackers make it into the network. Download the full report here.