What Attackers Do after a Breach

Thursday, November 6, 2014 @ 03:11 PM gHale


An attacker squeezes past the perimeter defense; that is just the beginning of an assault on a network, a new report shows.

After collecting data over five months from more than 100,000 hosts within sample organizations to gain a deeper understanding of breaches that inevitably bypass perimeter defenses, Vectra Networks is able to show what attackers do once inside networks.


They found over 11,000 hosts experienced one or multiple cyber-attacks that made it through perimeter defenses. Of these attacked hosts, 10 percent had detections for two or more attack phases – such as botnet monetization, command and control, reconnaissance, lateral movement and exfiltration.

Overall, 15 percent of hosts in the participating organizations experienced a targeted attack, the report said.

Once the attackers established a stronghold, they performed reconnaissance via internal port scans, lateral movement using brute force attacks, remote control of the attack with command and control communication, and exfiltration through hidden tunnels.

“Cyber attacks are increasingly sophisticated, highly organized, and successful despite $60 billion invested in cyber security annually worldwide,” said Oliver Tavakoli, CTO of Vectra Networks. “All of the attack phases detected in this report are ones that evaded organizations’ perimeter and endpoint security systems.”

Additional key findings of the study include:
• 85 percent of attacks experienced by the sample organizations were opportunistic attacks. Two percent of the hosts experiencing an opportunistic attack ended up being used to spread botnet malware to other computers within the organization.
• 15 percent of attacks hitting the sample organizations ended up being targeted. Two percent of these hosts under targeted attack ended up breached to the exfiltration stage, where the attacker was preparing to steal data.
• 7 percent of hosts had both botnet and exfiltration detections, which indicates possible theft of credentials for use in a subsequent targeted attack against the sample organization or other organizations.
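The report's two recurring measures are hosts with detections in two or more attack phases and hosts that show both botnet and exfiltration activity. The script below is an added example, not code from Vectra Networks or from this article: it correlates per-host detection events across the phases the article names (botnet monetization, command and control, reconnaissance, lateral movement, exfiltration) and flags the combinations the report calls out. The event format, host names and detection details are constructed for illustration.

```python
"""Correlate per-host detections across attack phases.

Added example, not part of the article or the Vectra report. Phase names
follow the article; the event tuples and sample detections below are
constructed to exercise the logic and do not describe any real host.
"""
from collections import defaultdict

# Attack phases named in the article, in rough order of an intrusion's progression.
PHASES = (
    "botnet",
    "command_and_control",
    "reconnaissance",
    "lateral_movement",
    "exfiltration",
)

# Constructed sample detections: (host, phase, detail). A host may produce
# several events in the same phase; correlation counts each phase once.
SAMPLE_EVENTS = [
    ("ws-017", "reconnaissance", "internal port scan of 10.0.4.0/24"),
    ("ws-017", "lateral_movement", "SMB login brute force against fs-02"),
    ("ws-017", "command_and_control", "periodic beacon to external host"),
    ("ws-042", "botnet", "outbound spam relay activity"),
    ("ws-042", "exfiltration", "DNS tunnel carrying outbound data"),
    ("ws-099", "reconnaissance", "internal port scan of 10.0.7.0/24"),
    ("ws-101", "botnet", "click-fraud traffic"),
    ("ws-101", "botnet", "click-fraud traffic"),  # duplicate phase, counted once
]


def phases_by_host(events):
    """Map each host to the set of distinct attack phases detected on it."""
    seen = defaultdict(set)
    for host, phase, _detail in events:
        if phase not in PHASES:
            raise ValueError(f"unknown phase: {phase!r}")
        seen[host].add(phase)
    return dict(seen)


def multi_phase_hosts(events, min_phases=2):
    """Hosts with detections in at least `min_phases` distinct phases.

    The report's "10 percent had detections for two or more attack phases"
    is this measure with the default threshold.
    """
    return sorted(
        host for host, phases in phases_by_host(events).items()
        if len(phases) >= min_phases
    )


def credential_theft_candidates(events):
    """Hosts showing both botnet and exfiltration detections.

    The report treats this combination as a sign of possible credential
    theft feeding a later targeted attack.
    """
    return sorted(
        host for host, phases in phases_by_host(events).items()
        if {"botnet", "exfiltration"} <= phases
    )


def summarize(events):
    """Headline counts in the shape the report uses (hosts, not events)."""
    by_host = phases_by_host(events)
    total = len(by_host)
    multi = multi_phase_hosts(events)
    pct = round(100.0 * len(multi) / total, 1) if total else 0.0
    return {
        "attacked_hosts": total,
        "multi_phase_hosts": len(multi),
        "multi_phase_pct": pct,
        "botnet_and_exfiltration": len(credential_theft_candidates(events)),
    }


if __name__ == "__main__":
    for host, phases in sorted(phases_by_host(SAMPLE_EVENTS).items()):
        print(host, sorted(phases))
    print("multi-phase hosts:", multi_phase_hosts(SAMPLE_EVENTS))
    print("botnet + exfiltration:", credential_theft_candidates(SAMPLE_EVENTS))
    print(summarize(SAMPLE_EVENTS))
```

The point of keying on hosts rather than on raw event counts is the same one the report makes: a single reconnaissance alert on ws-099 is noise-prone on its own, while ws-017 chaining reconnaissance, lateral movement and command and control is the progression worth escalating. In a real deployment the events would come from the detection pipeline's alert store rather than an inline list.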


