Targeted Attacks on Rise: Report

Monday, June 29, 2015 @ 05:06 PM gHale

Lateral movement and reconnaissance detections show a sharp upturn in targeted attacks that have penetrated the perimeter, a new report found.

The report, which is the culmination of data collected over a six-month period from 40 of Vectra Networks’ customer and prospect networks that feature more than 250,000 hosts, found that non-linear growth in lateral movement increased 580 percent from last year while reconnaissance detections were up 270 percent.

Mobile Malware Targets Android
Industry Execs Know they are Targets
ICS Security Knowledge Low: Report
Understanding a Botnet Lifecycle

Overall, detections outpaced those recorded last year by 97 percent, according to Vectra Networks Post-Intrusion Report.

Firewalls and other perimeter security solutions continue to hold out, but how long that happens is up in the air.

While attackers can get by the first layer of a defense in depth program, they are having a difficult time getting data out of the network, according to the report.

One of the reasons for the uptick in detections is the ubiquitous nature of hacking devices, which makes it easier for attackers to get in. Attacks have gone from being just the domain of sophisticated hackers to those with lesser skills.

Vectra found the least growth, six percent, in command and control communication. But “high-risk Tor” and external remote access grow by 1000 percent and 183 percent respectively, the findings showed. Tor detections made up 14 percent of all C&C traffic.

The study assessed hidden tunnels without having to decrypt SSL traffic. Hidden tunnels hide some communication within a protocol, the report said.

This year the Vectra Networks research showed HTTPS was a favorite of attackers for communications while HTTP, or clear channel, saw use less frequently (by about half).

Lateral movement detections were mostly the work of brute-force attacks (56 percent) while automated replication accounted for 22 percent of the detections and Kerberos-based attacks represented 16 percent. The latter, though, increased non-linearly by 400 percent from last year’s results.

Port scans, which identify activity further along in the attack process, accounted for 53 percent of the internal reconnaissance detections noted in the study while the remaining 47 percent ended up attributed to darknet scans, in keeping with the behavior reported in the company’s 2014 report. The report also found ad-click fraud, at 85 percent of all botnet detections, represented the most common form of botnet monetization, a behavior that grew linearly when compared to results from last year.

Click here to download the report.