The study found that 99 percent of post-intrusion cyberattack activities did not employ malware, but rather leveraged standard networking, IT administration and other tools that could be used by attackers on a directed or improvisational basis. While malware was commonly used to initially compromise a host, once inside a network malicious actors did not typically utilize malware. As an example, Angry IP Scanner, an IP address and port scanner, was the most common tool associated with attack behavior, followed closely by Nmap, a network discovery and security auditing tool.
Attackers use common networking tools in order to conduct “low and slow” attack activities while avoiding detection. Sophisticated attackers using these tools — rather than known or unknown malware — can typically work undetected for an average of five months, according to multiple industry reports.
Once inside a network, an attacker must learn about the network that they’ve compromised and map its resources and vulnerabilities. The highest frequency attacker activity found in this study was reconnaissance, followed by lateral movement and then command and control communication.
“The new Cyber Weapons Report uniquely reveals that malware is not the mechanism that network attackers use once they circumvent preventative security and compromise a network,” said Jason Matlof, executive vice president, LightCyber. “Despite these increasingly well understood realities, our industry still has an unshakable obsession with malware. With the increasing incidence of successful data breaches and theft of company secrets, it’s clear that the conventional malware-focused security infrastructure is insufficient, and we must develop new techniques to find active attackers using their operational activities.”
Results for the study were tabulated over six months, analyzing end-user networks totaling hundreds of thousands of endpoints worldwide. Organizations ranged in size from 1,000 to 50,000 endpoints, spanning industries such as finance, healthcare, transportation, government, telecommunications and technology.
The study analyzed network activity gathered from the LightCyber Magna™ Behavioral Attack Detection platform, which is uniquely capable of automatically discovering the source software executables associated with the anomalous network behavior observed. Magna is the only known solution to combine signature-less full network analysis with agentless endpoint technology that links network activity to an endpoint process. LightCyber Magna also automatically analyzes these executable files via the Magna Cloud Expert System to augment the security operations investigative process. The most common attack tools observed in the study were classified into the following four categories: networking and hacking tools, admin tools, remote desktop tools and malware.
For a copy of the report, visit the LightCyber website.
Report findings include:
• 99 percent of post-intrusion internal attack activities did not originate from malware, but rather from legitimate applications or riskware, such as network scanners.
• More than 70 percent of active malware used for the initial intrusion was detected only on one site, indicating that it was polymorphic or customized, targeted malware.
• Angry IP Scanner, a port and IP address scanner, accounted for 27.1 percent of incidents from the top ten networking and hacking tools observed in the study.
• SecureCRT, an integrated SSH and Telnet client, topped the list of admin tools employed in attacks, representing 28.5 percent of incidents from the ten most prevalent admin tools. Admin tools triggered lateral movement anomalies such as new admin behavior, remote code execution and reverse connection (reverse shell), among others.
• TeamViewer, a remote desktop and web conferencing solution, accounted for 37.2 percent of security events from the top ten remote desktop tools. TeamViewer was associated with command and control (tunneling) behavior, while other remote desktop tools, such as WinVNC, primarily triggered lateral movement violations.
• Attackers may leverage ordinary end-user programs such as web browsers, file transfer clients and native system tools for command and control and data exfiltration activity. The most mundane applications, in the wrong hands, can be used for malicious purposes.
The LightCyber Magna platform uses behavioral profiling to learn what is normal on the network and endpoints, and thereby detect the anomalous attacker behaviors that any successful breach or malicious campaign necessarily involves, including command and control, reconnaissance, lateral movement and data exfiltration. These behaviors can be identified early to reduce attacker dwell time and curtail attack activity. At the same time, Magna can identify harmful activity from insiders — rogue or unaware employees or contractors — that is either intentionally malicious or unknowingly dangerous. Magna presents a small number of actionable alerts with supporting contextual and investigative details to greatly enhance the efficiency of a security operations team in its detection and remediation operations.
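The findings above (reconnaissance carried out with legitimate scanners rather than malware) and the baseline-then-anomaly approach described in the preceding paragraph can be illustrated with a small detector. This is an added example, not LightCyber's code or the report's method: it learns each source host's normal per-hour fan-out (distinct destination host/port pairs) from constructed flow records and flags a window whose fan-out is far above that baseline, which is what a scan sweep from a tool like Angry IP Scanner or Nmap looks like on the wire. The thresholds, hosts and records are all assumptions made up for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (not from the report): (hour, src, dst, dport).
BASELINE = [
    (0, "10.0.1.5", "10.0.2.10", 445), (0, "10.0.1.5", "10.0.2.11", 445),
    (1, "10.0.1.5", "10.0.2.10", 445), (1, "10.0.1.5", "10.0.2.12", 3389),
    (2, "10.0.1.5", "10.0.2.10", 445), (2, "10.0.1.5", "10.0.2.11", 445),
    (3, "10.0.1.5", "10.0.2.12", 3389),
    (0, "10.0.1.9", "10.0.2.10", 443), (1, "10.0.1.9", "10.0.2.10", 443),
]

# Live window (constructed): 10.0.1.5 suddenly sweeps 20 hosts on two ports,
# as a scanner run from an ordinary tool would; 10.0.1.9 behaves as before;
# 10.0.1.77 has never been seen in the baseline period.
LIVE = [(10, "10.0.1.5", f"10.0.2.{i}", p) for i in range(1, 21) for p in (22, 445)]
LIVE += [(10, "10.0.1.9", "10.0.2.10", 443), (10, "10.0.1.77", "10.0.2.10", 443)]

def fanout(records):
    """Number of distinct (dst, port) pairs contacted per (src, hour) window."""
    seen = defaultdict(set)
    for hour, src, dst, port in records:
        seen[(src, hour)].add((dst, port))
    return {key: len(pairs) for key, pairs in seen.items()}

def build_baseline(records):
    """Per-source mean and population stdev of fan-out across baseline windows."""
    per_src = defaultdict(list)
    for (src, _), n in fanout(records).items():
        per_src[src].append(n)
    return {src: (mean(v), pstdev(v)) for src, v in per_src.items()}

def detect(baseline, live, sigma=3.0, floor=5):
    """Return {src: verdict} for the live window. A source with no baseline is
    reported as such rather than silently compared against a zero profile."""
    verdicts = {}
    for (src, _), n in fanout(live).items():
        if src not in baseline:
            verdicts[src] = "no baseline"
            continue
        mu, sd = baseline[src]
        # The absolute floor keeps a perfectly regular host (sd == 0) from
        # alerting on a single extra connection.
        if n > max(mu + sigma * sd, mu + floor):
            verdicts[src] = f"recon-like fan-out {n} vs baseline {mu:.1f}"
        else:
            verdicts[src] = "normal"
    return verdicts

if __name__ == "__main__":
    for src, verdict in detect(build_baseline(BASELINE), LIVE).items():
        print(src, verdict)
```

In a real deployment the baseline would be learned over days rather than four hours, and the same per-source profiling can be applied to distinct admin-protocol destinations (SSH, RDP, SMB) to surface the "new admin behavior" lateral-movement anomalies the report describes.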
LightCyber is a leading provider of Behavioral Attack Detection solutions that provide accurate and efficient security visibility into attacks that have slipped through the cracks of traditional security controls. The LightCyber Magna™ platform is the first security product to integrate user, network and endpoint context to provide security visibility into a range of attack activity. Founded in 2012 and led by world-class cyber security experts, the company’s products have been successfully deployed by top-tier customers around the world in industries including the financial, legal, telecom, government, media and technology sectors. For more information, please visit the LightCyber website or follow us on Twitter, LinkedIn and Facebook.