If your organization hasn’t suffered a data breach in the past twelve months, consider yourself lucky.
Almost three-quarters of the Global 2000 have experienced five or more network-based security incidents within the past 12 months, according to a recent Frost & Sullivan report entitled Network Visibility Survey. Additionally, some 60 percent of companies surveyed by the Ponemon Institute and Kilpatrick Townsend report a loss of some company secrets and intellectual property. Clearly, the stakes are high and everyone is at risk.
A reasonable question to ask, then, is: With so much at stake, why is the failure rate of security technology so high? One answer may come from a recent report on cyber weapons published by LightCyber*. The report shows that computer “malware”, often fingered as the culprit in cybersecurity attacks and the focus of much security technology, is not generally a factor in post-intrusion network attack activity. In other words, it is not what drives the process an attacker uses, after hacking into a network, to steal or damage assets.
Instead, the report found that once an attacker had a foothold in a network, 99% of nefarious activity involved the use of standard networking, IT administration and other tools that could be used by attackers on a directed or improvisational basis. No malware! To be sure, malware may often be part of the initial intrusion, but once that has occurred, we saw very little evidence of malware being used.
At the same time, most security groups are still primarily focused on malware. Almost all internal-detection systems used by organizations revolve around identifying malicious software threats defined by a known technical artifact, such as a signature, a hash or the exhibition of a particular behavior from a pre-established list. Yet our research showed that virtually no post-intrusion attack activity involved such threats.
Malware, of course, may be involved in the creation of botnets or even advanced persistent threats that are significant security risks. Even the detrimental effects malware has on system performance pose an important issue. Detecting and removing malware is still important. Yet focusing on malware will not stop a data breach once an attacker has gained access to a network.
Attackers use common networking tools in order to conduct “low and slow” attack activities while avoiding detection. Sophisticated attackers using these tools—rather than known or unknown malware—can typically work undetected for an average of five months, according to multiple industry reports.
When an attacker lands in a new network, he has to quietly look around and gain an understanding of the unfamiliar environment. In particular, he needs to know where valuable assets are located and how to gain access to them. The attacker needs to know how to create a path from his initial foothold of control to the assets. What other machines are on the network? Where are they located? How are they configured? Are there any vulnerabilities? All of these things and more must be answered. To do this, an attacker relies on standard tools and utilities. Since these are in regular use in most networks, an attacker’s employment of them will not draw notice.
Attackers often rely on network scanners and even native operating-system tools to perform reconnaissance. Our cyber-weapons report reveals that SecureCRT, an integrated SSH and Telnet client, topped the list of admin tools used for lateral movement, representing 28.5 percent of incidents from the ten most prevalent admin tools. TeamViewer, a remote desktop and web conferencing solution, accounted for 37.2 percent of security events from the top ten remote desktop tools. TeamViewer was associated with command and control (tunneling) behavior, while other remote desktop tools, such as WinVNC, primarily aided lateral movement.
Clearly, it would be difficult to ban the use of these tools internally, as they all have a legitimate purpose. Even if they were banned, attackers would find other ways to conduct their business while staying undetected. A better approach would be to use behavioral profiling to establish a baseline of learned good behavior for each user and device. From this vantage, it is possible to detect anomalous behavior that may be indicative of an attack.
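As an added illustration of the baseline-and-anomaly approach described above (example code written for this post, not from LightCyber or the cyber-weapons report), the following learns which hosts each user normally reaches over admin protocols and how many distinct hosts each device normally touches in a day, then flags a first-time admin-tool destination and a reconnaissance-style fan-out. The log records, the host names and the port list are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumption: ports of the remote-admin tools the post discusses
# (SSH, Telnet, RDP, VNC, TeamViewer's default port).
ADMIN_PORTS = {22, 23, 3389, 5900, 5938}

@dataclass(frozen=True)
class Conn:
    day: int    # day index within the log (constructed)
    user: str   # account that opened the connection
    src: str    # device the connection came from
    dst: str    # host that was contacted
    port: int

def learn_baseline(conns):
    """Learn, per user, the hosts reached over admin ports, and, per device,
    the peak number of distinct hosts contacted in any one day."""
    user_dsts = defaultdict(set)
    fanout = defaultdict(lambda: defaultdict(set))  # src -> day -> dsts
    for c in conns:
        if c.port in ADMIN_PORTS:
            user_dsts[c.user].add(c.dst)
        fanout[c.src][c.day].add(c.dst)
    peak = {s: max(len(d) for d in days.values()) for s, days in fanout.items()}
    return {"user_dsts": dict(user_dsts), "peak_fanout": peak}

def detect(baseline, conns, scan_factor=3):
    """Flag admin-tool use toward a host the user never reached before
    (lateral-movement candidate) and a device whose daily distinct-host count
    exceeds its learned peak by scan_factor (reconnaissance candidate)."""
    alerts, fanout = [], defaultdict(lambda: defaultdict(set))
    for c in conns:
        if c.port in ADMIN_PORTS and c.dst not in baseline["user_dsts"].get(c.user, set()):
            alerts.append(("new-admin-destination", c.user, c.dst))
        fanout[c.src][c.day].add(c.dst)
    for src, days in fanout.items():
        limit = max(1, baseline["peak_fanout"].get(src, 1)) * scan_factor
        for dsts in days.values():
            if len(dsts) > limit:
                alerts.append(("recon-fanout", src, len(dsts)))
    return alerts

# Constructed logs: ten quiet days of one admin's routine, then the same
# account hops to an unseen server and its workstation sweeps a subnet.
BASELINE_LOG = [Conn(d, "alice", "ws-01", "db-01", 22) for d in range(1, 11)] + \
               [Conn(d, "alice", "ws-01", "web-01", 3389) for d in range(1, 11)]
INCIDENT_LOG = [Conn(20, "alice", "ws-01", "db-01", 22),
                Conn(20, "alice", "ws-01", "fileserver-07", 22)] + \
               [Conn(21, "alice", "ws-01", f"10.0.0.{i}", 445) for i in range(1, 20)]

def run_demo():
    return detect(learn_baseline(BASELINE_LOG), INCIDENT_LOG)
```

Routine traffic to db-01 and web-01 raises nothing; the hop to fileserver-07 and the 19-host sweep from ws-01 each produce one alert.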
To find an active attacker and thwart a data breach, one needs to understand how an attacker operates. Detecting those operational activities allows attackers to be caught early and a breach or other significant damage to be curtailed.
*For a full list of all Battery investments and exits, please click here.