In a recent analysis of a quarter million endpoint devices in 40 enterprises, every single corporate network showed evidence of a targeted intrusion but most of the activity was not yet at the most-dangerous data exfiltration stage.
"No matter how small the network we looked at, no matter what industry, we always found some indicators of a targeted attack," said Wade Williamson, director of product marketing at Vectra Networks.
The company offers network monitoring technology that looks for traces of behaviors that indicate malicious activity. This is Vectra's second edition of its post-intrusion report, and includes nearly twice as many companies as the previous report. The companies analyzed range from mid-sized firms with less than 1,000 users up to large companies with 50,000 users or more, and include both existing customers of Vectra as well as prospects getting this kind of scan for the first time.
According to Williamson, what the report shows is that every single network has some threats that sneak by perimeter defenses.
Vectra classifies these threats into behavioral categories.
The first phase, which accounts for 32 percent of the detected threats, is the command and control phase, where the attackers are just starting to get their first foothold, and the infections communicate back to their controllers.
Not all of this activity is automated.
"A lot of times, you need to put real fingers on keyboards as you're in the process of digging deeper into the network," said Williamson. "Maybe I grabbed some user credentials, can I log into this system or that system. I'm directing the attack."
After this point, the attack can progress in a couple of different ways.
One is to set up a botnet. According to Vectra, 18 percent of the active identified threats are engaged in this type of behavior. The vast majority of these, 85 percent, were engaged in click fraud, 5 percent were used for brute-force attacks against other targets, and 4 percent for outbound denial-of-service attacks.
Another path for attacks is to progress further into the enterprise. For the attacks, the next stage is reconnaissance, which accounts for 13 percent of threat activity, followed by lateral movement, which accounts for 34 percent of activity.
The majority of lateral movement activity, 56 percent, consists of brute-force attacks. Next, at 22 percent, is automated replication, followed by Kerberos attacks, which use stolen credentials and account for 16 percent of lateral movement activity.
While the number of botnet-related threats increased just about proportionately with the increase in networks analyzed, the growth in reconnaissance behaviors was nearly four times higher, and the growth in lateral movement was almost seven times higher.
The last stage, data exfiltration, is the most dangerous to the enterprise, but accounts for just 3 percent of the activity detected.
That gives enterprises a window of opportunity to detect and clear out these attacks before they do damage -- but also explains why attackers can spend months inside a corporate network before they are caught.
Williamson warned, however, that just because 3 percent of attacks are in the exfiltration phase, doesn't necessarily mean that the average intrusion campaign spends very little time on exfiltration.
"It's not necessarily proportional to time," he said. "Once they get an exfiltration channel set it up, they can leave it open to steal data for a long while."
Vectra also analyzed ways the attackers stayed hidden.
The most common technique attackers used to hide their communications was fake browser activity, at 36 percent, and newly-generated domains, used 25 percent of the time. The anonymous TOR network was used 14 percent of the time, followed by external remote access at 13 percent.
Techniques used least frequently include pulling instructions, stealth HTTP posts, hidden HTTPS tunnels, malware updates, peer-to-peer networks, and hidden HTTP tunnels.
Hidden tunnels in particular are difficult to detect, since attackers can embed coded messages in text fields, headers, or other session parameters of otherwise normal traffic. To make detection even harder, the attackers can take advantage of encrypted traffic.
"We are able to identify hidden tunnels within this encrypted traffic without having to decrypt it," said Williamson.
Vectra does this by analyzing behavioral patterns.
It turns out, he added, that attackers prefer to hijack encrypted channels.
For example, encrypted HTTPS communications are preferred more than two to one over unencrypted HTTP for command-and-control communications.
The best news in this year's report is that the percent of threats that were involved in exfiltration -- 3 percent -- was about half of that seen last year.
But that could be because Vectra customers used the analysis of their networks to shut down the attacks before they hit that stage.
"They're using us to spot and identify the threats that are getting past the upstream security," said Williamson. "They will take this information and use it to respond to the threats."
Vectra did not break out the numbers for networks that they were analyzing for the first time.