Attacker Behavior Industry Report - 2018 Black Hat Edition - Vectra AI
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Attacker Behavior Industry Report 2018 Black Hat Edition
I am artificial intelligence. The driving force behind the hunt for cyberattackers. I am Cognito.
TABLE OF CONTENTS
Background and methodology.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Operational efficiency and ROI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Threat and certainty scores.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Overall detection trends. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Threats by type per 10,000 host devices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Threats by industry per 10,000 host devices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Conclusion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Vectra | Attacker Behavior Industry Report | 3
The Black Hat Edition of the Vectra® Attacker Behavior Industry Report provides a first-hand analysis of active and
persistent attacker behaviors inside cloud, data center and enterprise environments of Vectra customers from
January through June 2018.
The report examines a wide range of cyberattack detections and trends from a sample of more than 250 Vectra
customers with over 4 million devices per month and workloads from nine different industries.
The research in this report takes a multidisciplinary approach that spans all strategic phases of the attack lifecycle.
By using the AI-based Cognito™ platform to detect attacker behaviors, Vectra can identify exposure and risk within
organizations as well as indicators of damaging breaches.
Key findings Background and methodology
• Across all industries, there was an average of 2,354 attacker The information in this report is based on anonymized metadata
behavior detections per 10,000 host devices. Attacker behaviors from Vectra customers who have opted to share detection metrics.
from January-June 2018 showed a sharp increase over the same Vectra identifies behaviors that indicate attacks in progress by
period in 2017. directly monitoring all traffic and relevant logs, including traffic
• Overall, education had the most attacker behaviors at 3,958 to and from the internet, internal traffic between network host
detections per 10,000 host devices. devices, and virtualized workloads in private data centers and
• Energy (3,740 detections per 10,000 host devices) and public clouds.
manufacturing (3,306 detections per 10,000 host devices)
This analysis provides important visibility into advanced phases
showed a large amount of detections due to high levels of lateral
of attacks. The Cognito platform from Vectra detects threats that
movement. Energy and manufacturing are also large adopters of
evade perimeter security controls and observes the progression of
industrial IoT (IIoT) devices and have IT/OT system integration.
attacks after the initial compromise.
• Command-and-control (C&C) activity in higher education
continues to persist three-times above the industry average of 725 The 2018 Black Hat Edition of the Vectra Attacker Behavior
per 10,000 host devices and exceeds every industry with 2,143 Industry Report also presents data by specific industries and
detections per 10,000 host devices. These early attack indicators highlights relevant differences between industries.
usually precede other phases of attacks and are often associated
with opportunistic botnet behaviors in higher education. From January through June 2018, Vectra collected data on more
• The retail and healthcare industries have the lowest cyberattack- than 4 million devices and workloads per month. On these
detection rates, with 1,190 and 1,361 detections per 10,000 host devices and workloads, Vectra detected over 10 million different
devices, respectively. attacker behaviors that were condensed to 668,000 detections.
• Botnet activity occurs most often in higher education, with 183
These detections were then triaged down to 420,000 host
detections per 10,000 host devices, which is three-times the
devices and workloads. Across all participating organizations,
industry average of 53 detections per 10,000 host devices. These
for the six-month period, over 32,000 devices and workloads were
opportunistic attack behaviors leverage host devices for external
tagged as critical in risk and over 63,000 were tagged as high
gain, such as bitcoin mining or outbound spam.
in risk, enabling security analysts to respond quickly to mitigate
• Vectra customers achieved a 36X workload reduction for Tier-1
these threats. On average, in a single month, 5,343 devices
analysts in detection, triage, correlation and prioritization of
and workloads were tagged as critical and 10,438 devices and
security incidents, enabling them to focus on mitigating the
workloads were tagged as high.
highest-risk threats.
• When normalizing attacker detections per 10,000 host devices
Operational efficiency and ROI
compared to the previous year, there is a sharp increase in every
industry for C&C, internal reconnaissance, lateral movement and Cybersecurity is an ongoing exercise in operational efficiency.
data exfiltration detections. Organizations have limited resources to address unlimited risks,
threats and attackers. This means that security products must
always be evaluated in terms of their efficiency and impact on the
operational fitness of the organization.
Vectra | Attacker Behavior Industry Report | 4Time is the most important factor in detecting hidden cyberattacks. It is important to note that attacker behaviors are still only indicators
To mitigate damage, attacks must be detected in real time before of compromise. Security analysts must take final action to validate
key assets are stolen or damaged. However, detecting and whether an attack is real. Cognito provides security analysts with
responding to targeted attacks is a very time-consuming process the most important information in context, which can be used to
and requires security teams to manually sort through mountains decide how to respond before an attack causes damage.
of alerts.
There was a wide variance in the sizes of the networks analyzed,
Using artificial intelligence (AI), the Cognito platform from Vectra with the smallest consisting of a few hundred host devices and
performs nonstop automated detection of threat behaviors in workloads to the largest networks with more than 500,000.
real time. These behaviors are correlated with compromised host
To account for this variance, the data has been normalized to a
devices, which are in turn correlated with common attack vectors
network with 10,000 host devices and workloads, making it easier
and larger attack campaigns. Thousands of threat indicators are
to compare the prevalence of threats in a network on a per capita
reduced to hundreds of attacker behaviors on dozens of host
basis. Any host device with an IP address – including IoT devices,
devices that can be part of broader attack campaigns.
smartphones, tablets and laptops – are monitored in addition to
servers and virtualized workloads.
Reduction in workload for Tier-1 security analysts
1,601
2,354 devices with
10,000 44,017
detections
detections
events flagged
devices observed
36x workload
reduction
Overall, Vectra reduced the investigation workload of security analysts by 36X compared to manually investigating all attacker behaviors
and compromised host devices. There is a significant uptick in the total number of events flagged and nearly twice the number of
detections per 10,000 host devices observed.
Vectra | Attacker Behavior Industry Report | 5Threat and certainty scores Other factors that influence host device scores include repetition of
an observed detection or a combination of detections that indicate
The Cognito platform from Vectra monitors individual devices
a cyberattack is progressing toward its objective.
and workloads for extended periods of time and attributes
detections to any device or workload that behaves suspiciously. Every detection type has a maximum lifespan, ranging from a few
The detection scores and times they occurred are key inputs for days to a month. When a detection has no recurring activity, its
the host device threat-severity and certainty scores. effect on a host device score slowly declines to zero. A detection
past its maximum lifespan becomes inactive and has no impact on
Cognito scoring is comprised of two dynamic metrics – threat and
the host device score.
certainty scores – applied to individual detections and the host
devices against which they are reported.
HIGH CRITICAL
The threat score of a detection expresses the potential for harm
43 22
if the security event is true (e.g. if spamming behavior or data
exfiltration was occurring). Because a threat is a measure of the Hosts Hosts
potential for harm, it reflects worst-case scenarios.
The certainty score of a detection reflects the probability that a
given security event occurred (e.g. the probability of spamming
behavior occurring, or the probability of data exfiltration occurring),
given all the evidence observed so far. 185 Hosts 25 Hosts
Certainty is based on the degree of difference between the threat
LOW MEDIUM
behavior that caused the detection and normal behavior. As such,
the certainty score of an individual detection changes over time.
On average, for every 10,000 host devices and workloads
Since detections are dynamic, changes in their scores cause monitored in a one-month period, 22 were marked critical and
changes to attributed host device threat-severity and certainty 43 were marked high. These devices and workloads present the
scores. Critical and high scores help security analysts prioritize greatest threat to the organization and require a security analyst’s
their investigation efforts because they represent behaviors with the immediate attention.
highest certainty and greatest potential to cause significant damage.
Threat-severity and certainty scores per 10,000 host devices and workloads
227
210
200
190
183
177
150
131
100
53
50 46 48
42 43
28 26 28 29 28
24 23 25
22 23 21
17 20
0
January February March April May June
Vectra | Attacker Behavior Industry Report | 6
Critical severity per 10,000 High severity per 10,000 Medium severity per 10,000 Low severity per 10,000When breaking down host device statistics across vertical industries, Vectra benchmarked the volume of host devices and workloads
prioritized for each threat-severity and certainty level, both in relation to each vertical and as compared to the combined industry threat-
severity and certainty scores.
400
377
350
300
281
250
221
203
200 196
156
150
119 121
102 103
100
83
63 62
48 50
50 43 40 34 36 37
35 31 30 30
23 26 27 24 28 23 25 26
16 19 18 18 17
12 9 12
0
y s il r
ing are nt re y n
log ce ta he me isu erg tio
no rvi Re Ot tur lthc e En ca
ch Se ufa
c
ea ern &L Ed
u
Te an H G ov nt
M
in me
r ta
Ente
Critical severity per 10,000 High severity per 10,000 Medium severity per 10,000 Low severity per 10,000
For example, the number of low alerts in higher education is Threats by type per 10,000 host devices
almost twice the normal rate, which indicates attacker behaviors
To dig deeper, Vectra provides a breakdown of detection statistics
that are opportunistic.
by industry. The charts below show threat behaviors across the
Inversely, the healthcare industry has a low volume of host devices attack lifecycle. These behaviors are strong indicators of exposure
prioritized as high or critical, which indicates that cyberattacks in and risk in an organization and enable security analysts to focus
healthcare do not often progress deep into the attack lifecycle. their time and effort on what matters most.
While not every stage is necessary in an attack, each is
Overall detection trends
interrelated, and we often see an attack progress through the
• Detection rates: Organizations had an average of 1,707 host lifecycle with the ultimate outcome of financial gain, data exfiltration
devices with threat detections for every 10,000 host devices or data destruction.
in a one-month period. This represents a 36X reduction in the
number of events requiring investigation and triage. The data in this report represents in-progress attacker behaviors.
• C&C represented the highest percentage of detections: Activity like C&C and reconnaissance occur in the earlier stages
C&C traffic is a key component of a botnet attack and is an of an attack, enabling organizations to quickly mitigate the
enabler for later phases of a targeted attack. It is often the first threat before it can spread. These are the most common
sign of an attack in targeted and opportunistic activity. detected behaviors.
• Cognito from Vectra provides security teams with new
efficiencies: While the symptoms of targeted attacks remain
common, there are encouraging signs that security teams are
finding and stopping attacks before damage is done.
• Cryptocurrency mining continues to be the most
popular form of opportunistic attacks: While considered
opportunistic, cryptocurrency mining continues to experience
a surge in activity. These behaviors are seen predominantly in
higher education, where student systems are cryptojacked or
students perform the mining.
Vectra | Attacker Behavior Industry Report | 7Behaviors like lateral movement occur later in the attack lifecycle as cybercriminals strengthen their foothold in an organization by stealing
administrative credentials to access servers. These types of detections warrant high-priority action from incident response teams to prevent
irreversible damage from a data exfiltration.
800
700
600
500
55 98
53
400
120
126
122
300 22
30
96 143 33
118 101
200 137 88
91
70
62
100 170 165
99 121 96 84
0
January February March April May June
Botnet per 10,000 C&C per 10,000 Recon per 10,000
Lateral per 10,000 Exfil per 10,000
Botnets
Botnets are opportunistic attack behaviors in which a device makes money for its bot herder. The ways in which an infected host device can
be used to produce value can range from cryptomining to sending spam emails to producing fake ad clicks. To turn a profit, bot herders utilize
devices, their network connections and, most of all, the unsullied reputation of their assigned IP addresses.
10 1
0 0
1 1 0
1 0 0
0 0 1 1
1 1
8 0 1
0 2
0 2
2
1
3 2
6
2
2 2
2
2 2
4
2
5
4
2 4 4
3
3
0
January February March April May June
Abnormal ad activity Abnormal web activity Cryptocurrency mining Brute-force attack
Outbound DoS Outbound port sweep Outbound spam Relay Communication
Vectra | Attacker Behavior Industry Report | 8Command and control
C&C traffic occurs when a device appears to be under the control of an external malicious entity. Most often, the control is automated
because the device is part of a botnet or has adware or spyware installed.
Rarely, but most importantly, a device can be manually controlled by a nefarious outsider. This is the most threatening case, and it often
means the attack is targeted at a specific organization.
100
15
5 3
80 2
6 3
5
2
3 3 3
25
60 21 24
25
2 17
40 2 15
14
5 5 14
2 2
6 8
3 3
20
34 32
31 29
22
21
0
January February March April May June
External Remote Access Hidden DNS CnC Tunnel Hidden HTTP CnC Tunnel
Hidden HTTPS CnC Tunnel Malware Update Peer-to-Peer Pulling Instructions
Stealth HTTP Post TOR Activity Threat Intelligence Match CnC Suspicious Relay
Reconnaissance
Reconnaissance attacker behaviors occur when a device is used to map-out the enterprise infrastructure. This activity is often part of a
targeted attack, although it might indicate that botnets are attempting to spread internally to other devices. Detection types cover fast
scans and slow scans of systems, network ports and user accounts.
350
10
120 6
11 10
12
35 8
23
100
30
3
4 40 30
35
80
4
38 6
39 4 3 15
60 14
15
18 8
7 11
40 13 9 7
39
34 28
25 28
20 27
8 9 8 7 9 9
0
January February March April May June
File Share Enumeration Internal Darknet Scan Kerberos Account Scan Port Scan
Port Sweep RDP Recon SMB Account Scan Suspicious LDAP Query
Vectra | Attacker Behavior Industry Report | 9Lateral movement
Lateral movement covers scenarios of lateral action meant to further a targeted attack. These can involve attempts to steal account
credentials or to steal data from another device.
It can also involve compromising another device to make the attacker’s foothold more durable or to get closer to target data. This stage of
the attack lifecycle is the precursor to moving into private data centers and public clouds.
120
5 6
100 6
21
6 6
32
6
21
22 5 19
80
24 10 4
5
5 6
5 7
8
8
60 5
34 27
9 26
23 25
40 18
7 6 7
6 6
5
20
22 23 22 25 24
20
0
January February March April May June
Automated Replication Brute-Force Attack (internal) Kerberos Brute Force Kerberos Server Access
Ransomware File Activity Shell Knocker Client Shell Knocker Server SMB Brute-Force Attack
SQL Injection Activity Suspicious Admin Suspicious Remote Desktop Threat Intelligence Match Lateral
Suspicious Kerberos Account Suspicious Kerberos Client
Data exfiltration
Data exfiltration behaviors occur when data is sent to the outside in a way that is meant to hide the transfer. Normally, legitimate data transfers do not
involve the use of techniques meant to hide the transfer. Indicators of exfiltration include the device transmitting the data, the location data is being sent
to, the amount of data being sent, and the method used to send it, such as a cloud file share.
60
50
17
16
13
40 22
15
2
1
1
30
22
20
34 35
33
30
28
10
13
0
January February March April May June
Data Smuggler Hidden HTTP Exfil Tunnel Hidden HTTPS Exfil Tunnel Smash and Grab
Vectra | Attacker Behavior Industry Report | 10Threats by industry per 10,000 host devices
The bar chart below shows the volume of threat detections that were triggered in each industry. This view shows how each industry fared
per capita as well as which industries generated the most detections by volume.
Higher education and engineering represent the highest percentages of detections across all industries, primarily due to a high volume of
C&C (higher education) and reconnaissance (engineering).
4000
290 604
3500
287
540
3000 1002
391 488
2500 992 215
265
2000 933
930 999
848 345
1500
1318 145
570
187 2143
659 731 182 490
1000 371 839
342 401
1499
452 399
500 275
734 664 618 674
342 526
366 335
83 183
0
y e il r g re n t re y n
olo
g ic ta he in ca me isu erg ati
o
n Serv Re Ot ctur lth rn Le En u c
ch ufa He
a ve t& Ed
Te an Go en
M
inm
r ta
E nte
Botnet per 10,000 C&C per 10,000 Recon per 10,000
Lateral per 10,000 Exfil per 10,000
Botnets by industry
The Cognito platform from Vectra observed an ongoing trend in cryptocurrency mining in higher education. Cryptocurrency mining has
experienced a surge in popularity among students who leverage free electricity in their dorms and cyberattackers who target student
systems with cryptojacking. Students do not have the same level of security controls as those found in enterprise organizations, making
them lucrative targets for botnet herders.
200
180 4
10
5
160
140
73
100
839
80
18 15
60
8
7
40 14
6 6 71
5 56
20 5
7 14
34 16
9 6 12 6
6 9 14 10
6 7 9
0
l er nt
logy ice tai h r ing are me ure erg
y
tio
n
no Se
rv Re Ot ctu lth
c
rn L eis En uca
ch ufa He
a ve t& Ed
Te an Go en
M
inm
r ta
Ente
Abnormal ad activity Abnormal web activity Cryptocurrency mining Brute-force attack
Outbound DoS Outbound port sweep Outbound spam Relay communication
Vectra | Attacker Behavior Industry Report | 11C&C by industry
Due to the association between botnet and C&C traffic, the Cognito platform from Vectra found that higher education has the largest
volume of C&C behaviors, primarily related to external remote access and stealth HTTP posts.
Student systems often lack security controls that would normally detect and stop C&C behavior. Students are also more likely to visit
suspicious websites that harbor malware. Consequently, C&C attacks are much easier to execute in student environments.
900
55
800
146
700
34
23
50
600 44
28
23 141
24
500
137 181 54
20 839
400
154
175
300 137 21
27 96 171
84 92
25 437
200 70
74
50 67
79 126
34 119
240 35
100 173 194
150 159 35
110 92
62 83
0
l r nt
logy ice tai the ing are me isu
re
erg
y
tio
n
no Se
rv Re O tur lthc e En ca
ch ufa
c
ea ern &L Ed
u
Te an H ov t
M G en
inm
te r ta
En
External Remote Access Hidden DNS CnC Tunnel Hidden HTTP CnC Tunnel
Hidden HTTPS CnC Tunnel Malware Update Peer-to-Peer Pulling Instructions
Stealth HTTP Post TOR Activity Threat Intelligence Match CnC Suspicious Relay
Vectra | Attacker Behavior Industry Report | 12Reconnaissance by industry
Across the board, the Cognito platform from Vectra detected a large volume of darknet scans, which are scans of nonexistent IP addresses
on the network. This is quite common for attackers as the first form of reconnaissance behavior. It occurs after C&C communications are
established as the attacker looks for targets deeper in the network.
The Cognito platform also detected large volumes of suspicious LDAP in the manufacturing industry. A scan of information in an Active
Directory server is an effective way for an attacker to determine what accounts are privileged inside an organization’s network and the
names of servers and infrastructure components.
Cyberattackers prefer to use this form of reconnaissance because the risk of detection is relatively low, especially compared to a port
sweep or a port scan.
1600
243
1400
1200
1000 643
133
800 37 90 54
166 186
45 253
600 51 188 98 223
50
41
86
223 88 172 133
400 47 56
41 80
153 238 54 60
60 53 48 411 52 272
62
200 95
42 138
206 153 46 165 247
130 116
94 132 93
39 56 65 37 53
0
y e il r g re n t re y n
olo
g ic ta he in ca me isu erg tio
erv Re Ot tur lth e En ca
ch
n S
ufa
c
ea ern &L Ed
u
Te an H ov t
M G en
inm
te r ta
En
File Share Enumeration Internal Darknet Scan Kerberos Account Scan Port Scan
Port Sweep RDP Recon SMB Account Scan Suspicious LDAP Query
Vectra | Attacker Behavior Industry Report | 13Lateral movement by industry
In technology, services, manufacturing, financial and energy industries, the Cognito platform observed a large spike in Kerberos client
anomalous behaviors.
This indicates that a Kerberos account is being used differently than its learned baseline in several ways: Connecting to unusual domain
controllers using unusual devices; accessing unusual services; or generating unusual volumes of Kerberos requests using normal domain
controllers, usual devices and usual services.
In the technology, manufacturing and education industries, the Cognito platform detected a large volume of SMB brute-force behaviors,
which indicates that a device is making multiple login attempts with the same accounts to access a file server.
1200
56
1000 96
289 121
29
800 77 282
59 244
260 157
33
600 152
51 37
83
254 73
91
29
400 252 288
71 28 93
45 29
44 27
44
242
79 87
92 90
200 38
37
211
25
46 86 303
235
183 178 162 181
133
94 80 59
0
l er nt
gy ice tai h ing are me ure erg
y
tio
n
olo Se
rv Re Ot tur lthc eis
En ca
ch
n
ufa
c
ea ern &L Ed
u
Te an H ov t
M G en
inm
te r ta
En
Automated Replication Brute-Force Attack (internal) Kerberos Brute Force Kerberos Server Access
Ransomware File Activity Shell Knocker Client Shell Knocker Server SMB Brute-Force Attack
SQL Injection Activity Suspicious Admin Suspicious Kerberos Account Suspicious Kerberos Client
Suspicious Remote Desktop Threat Intelligence Match Lateral
Vectra | Attacker Behavior Industry Report | 14Exfiltration by industry
The most common exfiltration behavior is data smuggling, which was commonly observed across all industry verticals. It is detected
when an internal host device acquires a large amount of data from one or more servers and sends significant volumes of data to an
external system.
Smash-and-grab is the second most common exfiltration behavior across all industries. It is triggered when a host device transmits
unusually large volumes of data to destinations that are not considered normal for the environment within a short amount of time.
500
400 79
194
22
82 37
300
34
200 69
344
58 203 27 293
260 263 11 267
35
100
155
123 123
93
46
0
gy ce il r
ing are en
t re y on
olo rvi ta he isu erg ati
n Se Re Ot ctur lthc rnm e En c
ch ufa ea ve &L E du
Te an H Go en
t
M
inm
r ta
Ente
Data Smuggler Hidden HTTP Exfil Tunnel Hidden HTTPS Exfil Tunnel Smash and Grab
Conclusion
This edition of the Vectra Attacker Behavior Industry Report consisted of more than 4 million devices and workloads per month monitored over a
six-month period. Vectra would like to thank the organizations who opted-in to share metadata that was analyzed for this report. Overall, the trends
represent an increase in detections and attacker behaviors, which is cause for concern.
As sophisticated cybercriminals automate and increase the efficiencies of their own technology, there is an urgent need to automate attacker-
detection and response tools to stop threats faster.
At the same time, there remains a global shortage of highly skilled cybersecurity professionals to handle detection and response at a reasonable
speed. As a result, the use of AI is essential to augment existing cybersecurity teams so they can stay well ahead of attackers.
Vectra | Attacker Behavior Industry Report | 15Emailinfo@vectra.ai Phone +1 408-326-2020 vectra.ai © 2018 All rights reserved. No part of the Vectra Attacker Behavior Industry Report may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, except in the case of brief quotations embodied in certain noncommercial uses permitted by copyright law. Vectra, the Vectra Networks logo and Security that thinks are registered trademarks and Cognito, Cognito Detect, Cognito Recall, the Vectra Threat Labs and the Threat Certainty Index are trademarks of Vectra Networks. Other brand, product and service names are trademarks, registered trademarks or service marks of their respective holders.
You can also read
