Survey Reports Bad-Boy Behavior After The Breach

We know that is anything but secure, and the situation appears to be worsening. However, a new study from Vectra Networks – the self-proclaimed ‘leader in real-time detection of in-progress cyber attacks’ – provides a fascinating view of what happens after your cyber defenses have been breached. According to the second edition of its Post-Intrusion Report, there was non-linear growth in (580%) and (270%) detections that outpaced the 97% increase in overall detections compared to last year.

Although the sample size was relatively small – just 42 customers – it did represent data collected from more than 250,000 hosts over a six-month period, said Vectra’s Wade Williamson, Director of Product Marketing. Like most other security vendors, he told IT Trends & Analysis that it’s a matter of when, not if there will be a security breach. However, as soon as they get in, they’re going to move laterally.

“The increase in lateral movement and reconnaissance detections shows that attempts at pulling off targeted attacks continue to be on the rise,” said Oliver Tavakoli, CTO, in a prepared statement. “The attackers’ batting average hasn’t changed much, but more at-bats invariably has translated into more hits.”

Williamson said his company is looking for threats in new ways and new places. Our model is considerably different, pulling security deeper into the network, to see not just how traffic is going to the Internet, but the 90% that is staying inside. “We’re still looking at packets… but we’re applying data science to those data flows”, he said.

What Vectra is seeing year-over-year is an uptake in those two aspects — laterally and reconnaissance – proportionately they’re growing way faster than others, and these are the hardest to deal with. “Once they get in, they literally have free reign.”

Williamson calls the lateral movement as probably the most important aspect for an advanced attack. “People are getting in the front door by avoiding analyses… this is essentially us being able to watch inside and notice that there is a particular node… spreading… without having to recognize a particular payload… and do this for anything. It doesn’t matter what type of malware it is.”

As the run up to – and immediately following – April’s RSA Conference, a plethora of surveys surfaced to highlight just how bad the security environment is. Cisco reported that customers are only just starting to come to terms with the wide gap between perception and protection, and security budgets – and skills – aren’t where they need to be.

Cisco’s latest data offers a disturbing look at why cyber security is in such a perilous state:

-54% of breaches remain undiscovered for months;

-60% of data is stolen in hours; and,

-100% of companies connect to domains that host malicious files or services.

It estimates the global cybercrime market is worth somewhere between $450 billion and $1 trillion, and details how industrial hackers monetize the opportunities:

-Social Security $1;

-DDOS as a Service ~$7/hour;

-Medical Record >$50;

-Bank Account Info >$1000 depending on account type and balance;

-Credit Card Data $0.25-$60;

-Mobile Malware $150;

-Spam $50/500K emails;

-Malware Development $2500 (commercial malware);

-Exploits $1000-$300K; and,

-Facebook Account $1 for an account with 15 friends.

According to a recent PwC study, security compromises increased 64% in 2014. A rosier – or at least less bleak – prediction says the cyber security market is ‘currently undergoing unprecedented growth and development’, and will account for $75.4 billion globally, this year.

Of course there are much newer reports to keep CISOs – and everybody else who uses a computer, smartphone, wearable or IoT – up at night. By 2019 cybercrime will cost businesses over $2 trillion, almost four times the estimated cost of breaches in 2015. Nearly 60% of anticipated data breaches worldwide in 2015 will occur in North America, but this proportion will decrease over time as other countries become both richer and more digitized. The average cost of a data breach in 2020 will exceed $150 million by 2020, as more business infrastructure gets connected.

While ‘bad guys’, including governments like China and North Korea pose increasingly sophisticated – and growing — threats, insider threats outrank external attacks, according to a new IBM report. According to Big Blue, 55% of all attacks are carried out by malicious insiders or inadvertent actors, also known as insider threats.

In 2014, organizations monitored by IBM Security Services experienced approximately 81 million security events, amounting to over 12,000 attacks and 109 incidents for each client. The Index proved statistically that every company is being compromised, and “Unauthorized Access” led all security incidents.

RSA, EMC’s security division, just released its inaugural Cybersecurity Poverty Index that assessed the maturity of their cybersecurity programs leveraging the NIST Cybersecurity Framework (CSF). Unsurprisingly, the results were alarming: nearly 75% surveyed lack the maturity to address cybersecurity risks; 83% of large organizations ranked themselves as below “developed” in maturity; and up to 45% admitted inability to measure, assess and mitigate cybersecurity risk.

“This research demonstrates that enterprises continue to pour vast amounts of money into next generation firewalls, anti-virus, and advanced malware protection in the hopes of stopping advanced threats,” stated RSA President Amit Yoran, President. “Despite investment in these areas, however, even the biggest organizations still feel unprepared for the threats they are facing.

“We believe this dichotomy is a result of the failure of today’s prevention-based security models to address the advancing threat landscape. We need to change the way we think about security and that starts by acknowledging that prevention alone is a failed strategy and more attention needs to be spent on strategy based on detection and response.”

Cybersecurity has even invaded the boardroom, with more than 80% of directors of public companies recently reporting that it is discussed at most or all boardroom meetings. However, 66% admitted (confessed?) they are not fully confident their companies are properly secured against cyberattacks.

For really current – as in to be released sometime today – Waratek, a ‘pioneer in runtime application self-protection’ – just reported that two-thirds of senior security professionals polled at the recent Gartner Security and Risk Management Summit said they do not remediate 60% of the security vulnerabilities discovered by software application security testing (SAST) tools. Half said it takes their organization three months (23%) or more (27%) to fix security flaws in their applications. The company stated that these findings ‘illustrate a painful reality — organizations are only able to fix 40% or less of the flaws they know exist, primarily because application security testing tools are unable to remediate the vulnerabilities they detect.’

One area that stood out to Williamson in this year’s was the data on how attackers are using encryption. Vectra says it is the first to study hidden tunnels without decrypting SSL traffic by applying data science to network traffic. A comparison of hidden tunnels in encrypted traffic vs. clear traffic shows that HTTPS is favored over HTTP for hidden tunnels, indicating an attacker’s preference for encryption to hide their communications.

“This is one of the things I’m particularly proud of in the report.” He said so many sites are going to SSL, but the challenge is what are doing to ensure that traffic is not hiding a secret tunnel.

Author: Steve Wexler

Share This Post On


  1. Survey Reports Bad-Boy Behavior After The Breach - Waratek - […] Read the full article […]

Leave a Reply