Nobody wants to be the company that has to call in the authorities to investigate after a cyberattack. Yet the reality is that barely a week goes by without news of a record-breaking security breach. Anthem just became the target of the biggest healthcare breach ever, with over 80 million records compromised.
The attack on Morgan Stanley rang in 2015, coming on the heels of the Sony Pictures breach, and last year also saw major attacks at Home Depot, Target, JPMorgan Chase, University of California and Google. Cunning criminals, nation-states and political protestors are increasingly successful in stealing high-value information, disrupting business and waging digital warfare. Disgruntled employees, contractors and other insiders also pose a serious threat.
With cyberthreats up sharply, cybersecurity is becoming a boardroom agenda. Private and public sector organisations want to know how secure they are – and where to make investments for better protection. Security is ranked as a top spending priority this year, according to Piper Jaffray, with 75% of chief information officers surveyed saying they would increase spending in 2015.
Think like the thief
In a world where cyberattacks are up sharply – and are increasingly devastating – it pays to think like a thief. Understanding what happens, once an attacker successfully bypasses an organisation’s defences, leads to more effective protection. That is what Vectra Networks has created with the Post Breach Industry Report.
The Post Breach Industry Report uses real-world data to reveal what attackers do once they have evaded perimeter defences and entered the heart of the corporate network. This first-of-its-kind research analyses detection data from Vectra Networks’ X-series platforms, which are deployed at customers across a variety of industries, including technology, financial services and higher education. The data provides unique insight because Vectra detects active attacks by their behaviour inside the network, regardless of how the attacker got in or which device, application or operating system is being attacked.
The report reveals that every participating organisation’s network had been breached and was under attack in some form. Of the more than 100,000 host computers these organisations had collectively, more than 11,000 had malware detections for at least one phase of an active cyberattack. These 11,000 incidents would otherwise have gone undetected by traditional network security products.
These organisations are targets of both opportunity and intent. Of the attacks detected, 85% were opportunistic botnet attacks and 15% were targeted attacks. In an opportunistic attack, the attacker infects a victim’s computers to make money from them, for example through virtual currency mining, advertising fraud and outbound denial-of-service attacks. Many IT organisations consider opportunistic attacks a nuisance and a waste of IT resources. Targeted attacks, however, are far more concerning, as the attacker is generally trying to steal valuable data.
Detecting a targeted attack in action
Attacks can unfold over days, weeks, and months, as attackers bide their time, changing their tactics and varying their methods until they reach success – or they are detected and neutralised. After the initial breach of the perimeter, a typical attack goes through multiple phases of spying, spreading and ultimately stealing. Once the attacker infects the first computer, he then scouts around the organisation’s network to gather intelligence, moving around and changing attack behaviours, until he can find key assets to steal or damage.
These multi-phased attacks also tell a story, especially when mapped against other information such as time of day and location. In the example shown in the figure, which traces the path of one attack, the attacker begins with reconnaissance by contacting a large number of internal IP addresses that have not recently been active, or were never in use at all. This is known as an internal darknet scan, and the attacker uses it to build a partial map of the network and get the lay of the land.
After the infected host builds this partial map of the network, it begins to move laterally, extending the reach of the attack, and then launches a brute-force attack to obtain better user account credentials that provide privileged access to other systems.
The attack progresses with more darknet scans, but then the behaviour changes to internal port scans, which indicates that the attacker has gotten closer to what he is seeking. The infected computer also begins showing behaviour consistent with external remote access communication, which implies that a human is controlling the attack and is a sign that this is a targeted attack. Opportunistic botnet attacks show no signs of direct human control, whereas targeted attacks, because of the value at stake, are under human control.
The infected computer’s behaviour continues to change, this time to exfiltration, which indicates that the attacker has found the data he wants to steal, has access to it and is preparing to send it to an offsite drop. In this example the exfiltration detection is a hidden tunnel, in which the host communicates covertly with a computer outside the organisation, often overseas. In this case the attack was halted within two minutes of the exfiltration detection, averting significant data loss for the organisation.
Another interesting observation is that the detections all occur in the late afternoon or early morning hours, which could indicate that the computer is being used by the attacker outside normal working hours. Often, and far more innocently, the same pattern appears when a worker’s laptop is being used while travelling.
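To make the progression above concrete, here is a small added example (not code from Vectra or from the report) that runs three of the described behaviours over constructed network events and orders them into a per-host timeline with an after-hours flag. The internal address range, the working-day window, the detection thresholds, the asset inventory used to decide which internal addresses count as darknet space, and all the events are assumptions made up for the example; external remote access and hidden-tunnel exfiltration are not modelled.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed corporate address range
WORKDAY_HOURS = (8, 18)               # assumed 08:00-18:00 local working day
# Thresholds are assumptions for this example, not Vectra's tuning.
DARKNET_MIN_TARGETS = 5   # distinct unused internal IPs contacted by one host
PORTSCAN_MIN_PORTS = 5    # distinct ports probed on one live host
BRUTE_MIN_FAILURES = 5    # failed logins from one host to one target

# Constructed asset inventory of recently active internal addresses; any
# internal address missing from it counts as "darknet" space.
ACTIVE_HOSTS = {"10.1.5.20", "10.1.7.33", "10.1.2.10", "10.1.2.11"}

# Constructed sample events: (timestamp, src, dst, dport, kind); kind is
# "flow" for a connection attempt, "auth_fail" for a failed login.
SAMPLE_EVENTS = [
    # daytime traffic from an ordinary workstation to two live servers
    ("2015-02-10 11:15:00", "10.1.7.33", "10.1.2.10", 443, "flow"),
    ("2015-02-10 11:16:00", "10.1.7.33", "10.1.2.11", 443, "flow"),
    # after hours, 10.1.5.20 sweeps unused addresses (internal darknet scan)
    ("2015-02-10 18:02:11", "10.1.5.20", "10.1.9.201", 445, "flow"),
    ("2015-02-10 18:02:12", "10.1.5.20", "10.1.9.202", 445, "flow"),
    ("2015-02-10 18:02:12", "10.1.5.20", "10.1.9.203", 445, "flow"),
    ("2015-02-10 18:02:13", "10.1.5.20", "10.1.9.204", 445, "flow"),
    ("2015-02-10 18:02:14", "10.1.5.20", "10.1.9.205", 445, "flow"),
    # then brute-forces a live file server it found
    ("2015-02-10 18:40:01", "10.1.5.20", "10.1.2.10", 445, "auth_fail"),
    ("2015-02-10 18:40:02", "10.1.5.20", "10.1.2.10", 445, "auth_fail"),
    ("2015-02-10 18:40:02", "10.1.5.20", "10.1.2.10", 445, "auth_fail"),
    ("2015-02-10 18:40:03", "10.1.5.20", "10.1.2.10", 445, "auth_fail"),
    ("2015-02-10 18:40:04", "10.1.5.20", "10.1.2.10", 445, "auth_fail"),
    # then port-scans that server, a sign it is closing in on its target
    ("2015-02-10 19:10:03", "10.1.5.20", "10.1.2.10", 22, "flow"),
    ("2015-02-10 19:10:03", "10.1.5.20", "10.1.2.10", 80, "flow"),
    ("2015-02-10 19:10:04", "10.1.5.20", "10.1.2.10", 443, "flow"),
    ("2015-02-10 19:10:04", "10.1.5.20", "10.1.2.10", 3389, "flow"),
    ("2015-02-10 19:10:05", "10.1.5.20", "10.1.2.10", 8080, "flow"),
]

def parse_events(rows):
    """Turn raw tuples into dicts with real timestamps, oldest first."""
    events = [{"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "src": src,
               "dst": dst, "dport": dport, "kind": kind}
              for ts, src, dst, dport, kind in rows]
    return sorted(events, key=lambda e: e["ts"])

def after_hours(ts):
    """True when the event falls outside the assumed working day."""
    return not (WORKDAY_HOURS[0] <= ts.hour < WORKDAY_HOURS[1])

def detect_phases(rows, active=ACTIVE_HOSTS):
    """Return time-sorted (first_seen, src, phase, detail) per detected behaviour."""
    darknet = defaultdict(set)   # src -> unused internal IPs it touched
    ports = defaultdict(set)     # (src, dst) -> ports probed on a live host
    failures = defaultdict(int)  # (src, dst) -> failed logins
    first_seen = {}              # (phase, key) -> earliest timestamp
    for e in parse_events(rows):
        pair = (e["src"], e["dst"])
        if e["kind"] == "auth_fail":
            failures[pair] += 1
            first_seen.setdefault(("brute force", pair), e["ts"])
        elif ip_address(e["dst"]) in INTERNAL and e["dst"] not in active:
            darknet[e["src"]].add(e["dst"])
            first_seen.setdefault(("internal darknet scan", e["src"]), e["ts"])
        else:
            ports[pair].add(e["dport"])
            first_seen.setdefault(("internal port scan", pair), e["ts"])
    found = []
    for src, targets in darknet.items():
        if len(targets) >= DARKNET_MIN_TARGETS:
            found.append((first_seen[("internal darknet scan", src)], src,
                          "internal darknet scan", f"{len(targets)} unused addresses"))
    for (src, dst), n in failures.items():
        if n >= BRUTE_MIN_FAILURES:
            found.append((first_seen[("brute force", (src, dst))], src,
                          "brute force", f"{n} failed logins to {dst}"))
    for (src, dst), probed in ports.items():
        if len(probed) >= PORTSCAN_MIN_PORTS:
            found.append((first_seen[("internal port scan", (src, dst))], src,
                          "internal port scan", f"{len(probed)} ports on {dst}"))
    return sorted(found)

def host_timeline(rows, src, active=ACTIVE_HOSTS):
    """Ordered (phase, after_hours) pairs one host passed through."""
    return [(phase, after_hours(ts))
            for ts, host, phase, _ in detect_phases(rows, active) if host == src]

if __name__ == "__main__":
    for ts, src, phase, detail in detect_phases(SAMPLE_EVENTS):
        print(ts, src, phase, detail, "(after hours)" if after_hours(ts) else "")
```

The point of the timeline is the ordering, not any single detection: a darknet scan followed by brute force and then a port scan from the same host is the spying-spreading sequence described above, and the daytime workstation contacting two live servers produces nothing. The after-hours flag is only a hint, for the travelling-laptop reason given above; it should raise priority, not decide the verdict.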
Opportunistic attacks can turn lethal
The Post Breach Industry Report showed that the vast majority of organisations experienced opportunistic attacks, largely botnets. Detecting targeted attacks against the substantial background noise of opportunistic attacks is difficult and time-consuming for security administrators using traditional security solutions. Yet botnet infections that are left untended increase risk, because they are an entry point for more harmful activity, such as spreading malware to other computers, performing reconnaissance to seek out system vulnerabilities and stealing account credentials to gain access to important databases.
Botnet attacks can lead to targeted attacks. In our data, 7% of computers showed indicators of both botnet and exfiltration activity, suggesting that an attacker may be stealing account credentials for use in a later attack against the same organisation or a business partner. That was the method used to breach Target, via credentials stolen from its HVAC contractor.
Stealthy insider threats
This report focuses on the opportunistic and targeted attacks perpetrated by external attackers, but organisations also face risk from disgruntled employees, contractors and other insiders. Insider threat cases make up more than a quarter of all cybercrime and account for nearly $3 in fraud a year.
Detecting insider threats is even harder for already overworked IT security departments. Moreover, most companies prefer not to think about the possibility that trusted insiders pose a threat or may be working with criminals. Nor do insiders need to breach the company’s security defences: they know which information is valuable, already have access to it and can get straight down to their nefarious business.
A fresh approach to stopping attacks
Understanding the dynamics of a cyberattack, whether perpetrated from outside or inside the organisation, is critical to mitigating risk. As organisations rethink their defence strategies, the security industry must advance rapidly. A class of automated security solutions is emerging that is more intelligent and able to learn as it goes, building a memory much as the human brain does. These solutions use data science and machine learning to visualise the problem so that security managers can see their biggest threats at a glance, rather than sifting through mountains of data and spending hours or days on painstaking manual analysis. With security that thinks, security managers and their organisations can make better use of the people they have, and are better protected with criminals held at bay.