Skip to main content

Cyberattackers are getting quieter once they're inside the network

In early 2016, cybersecurity continues to be a central concern among virtually all industries, businesses and organisations. Despite record investments in prevention security controls, cyberattackers of every stripe have shown that they remain quite adept at breaking into protected networks to steal and damage critical assets.

Finding and stopping these attacks is now a priority at all levels, from boardrooms to the command line. Our latest Post-Intrusion Report takes an analytical look into what is going on inside actual customer networks and how attack techniques and strategies are evolving.

Despite record investments in prevention security controls, how are cyberattackers still managing to break into protected networks?

There is a fundamental problem at work here, which boils down to pure maths. An attacker has a near-infinite number of chances to compromise a network, and really only needs to succeed once. Or viewed from the other side of the coin, defenders have to be 100 per cent perfect in terms of defence. There is a constant flow of new bad things out there (malware, exploits, vulnerabilities), and organisations have to constantly interact with the real world (opening emails, visiting websites, sending files). The fundamental problem is that security can catch 99.9 per cent of threats, but the one threat that gets through can be enough to lose your critical data.

The data proves that some level of compromise is incredibly common. The issue is that no matter how much money you spend on prevention, perfection is not attainable.

The good news is that the data also shows that even though attackers will almost always find a way in, security teams are able to find and stop those intrusions before data is compromised. As we follow the progression of an attack, we found progressively fewer detections as we went deeper in the kill chain – in fact, only three per cent of organisations experience data exfiltration, which is the most dangerous behaviour and could create the most damage. What this demonstrates is that the organisations that are laser-focused on active attacks are able to quickly detect and stop them before critical data or assets is stolen.

Our research indicates that cyberattackers are getting quieter once they are inside the network. They know they are being watched and as such, they are choosing attack methods that will help them to hide longer in the network so they can spy and steal more data over a longer period of time.

For example, we noticed a big jump in a fairly new and stealthy approach to command-and-control called hidden tunnels. This technique allows an attacker to pass hidden messages by embedding data within seemingly normal HTTP and HTTPS packets. This allows the attacker’s hidden messages to bypass traditional security controls such as firewalls and intrusion prevention systems. We observed that this type of technique jumped from the 7th most common command-and-control technique last year, to the 3rd most common technique this year.

Which industries are the best prepared to defend against threats and why do you think this is the case?

Unsurprisingly, the industries that directly protect money appeared to have the most secure networks. Financial services and gaming networks had the lowest detection rates overall, and also had the lowest rates of data exfiltration.

On the other end of the spectrum, education networks had by far the highest rates of detected threats and exfiltration. Looking at these extremes, we can see that networks that have the most permissive use policies also have the most data loss. Conversely, the networks with the tightest controls have the least data loss.

What happens to the network post-intrusion? What is the most commonly observed post-intrusion behaviour?

Once inside the network, cyberattackers begin to perform internal reconnaissance, which is then followed by lateral movement. In more plain terms, once an attacker gets inside a network, he needs to look around to find where to go next, and then start to move deeper within the network. Attackers appear to be getting quieter when performing these steps. Of lateral movement detections, brute force attacks – the most popular technique last year – are down significantly, while Kerberos client and automated replication behaviors increased over last year, tying at 36.3 per cent of lateral movement detections.

Because brute force techniques are so noisy, more experienced and skilled attackers tend to try other access techniques first – preferably automated techniques that are difficult to distinguish from normal network traffic and where failures are unlikely to be alerted upon.

In which ways can an attacker do damage once inside the network?

Once an attacker has a toehold within the network with remote access and control of a compromised host, an obvious objective is to start collecting user and administrative credentials

In general, it is relatively easy to capture the user IDs and local administrator account passwords – by scraping memory, registry files, scraping email, or through keylogging processes. These locally captured credentials can be used to escalate local permissions to unlock greater control of the compromised host and, in the case of virtual images and cloned installations of corporate hosts that have neglected to change default administrative passwords, provide the basic tools to access similarly configured hosts across the network.

The attacker can repeat this process to move deeper and deeper into the network, and ultimately gain access to critical data or assets. Once these assets are found, cyberattackers can either steal the data (exfiltration), or in some cases the attacker will simply encrypt or destroy the data.

Wade Williamson, Director of Threat Analytics, Vectra Networks