Cyber-criminals don't usually use malware once they're already inside a network, a new study suggests.
Instead, they use standard networking, IT administration and similar tools, as they look to first map the network they've penetrated and look for resources and vulnerabilities.
The findings were published in a report by behavioural attack detection company LightCyber, entitled Cyber Weapons Report 2016. It's based on an analysis of 100,000 worldwide endpoints, in networks ranging from 1,000 to 50,000 in size. The results were tabulated over six months.
The most common tools used seem to be Angry IP Scanner (an IP address and port scanner), and Nmap, a network discovery and security auditing tool.
“The new Cyber Weapons Report uniquely reveals that malware is not the mechanism that network attackers use once they circumvent preventative security and compromise a network,” said Jason Matlof, executive vice president, LightCyber.
“Despite these increasingly well understood realities, our industry still has an unshakable obsession with malware. With the increasing incidence of successful data breaches and theft of company secrets, it’s clear that the conventional malware-focused security infrastructure is insufficient, and we must develop new techniques to find active attackers using their operational activities.”
Almost three quarters (70 per cent) of active malware, which was used for the initial breach, was only detected on one site. That means, according to the company, that it was customised, targeted malware.
More than 70 per cent of active malware used for the initial intrusion was detected only on one site, indicating that it was polymorphic or customised, targeted malware.
Photo Credit: andriano.cz/Shutterstock