Almost all (99 percent) post-intrusion cyberattack activities do not employ malware but instead leverage standard networking, IT administration and other tools, according to the Cyber Weapons Report 2016.
Attackers use these tools either in a directed or an improvisational manner, relying on them to move through a network and work towards a data breach or other malicious goals.
All these common networking tools enable attackers to conduct "low and slow" attack activities while avoiding detection. Sophisticated attackers using these tools are said to work undetected for an average of five months.
The most frequent attacker activity found in this study was reconnaissance, followed by lateral movement and then command and control communication.
"The new Cyber Weapons Report uniquely reveals that malware is not the mechanism that network attackers use once they circumvent preventative security and compromise a network," said Jason Matlof, executive vice president, LightCyber. "Despite these increasingly well understood realities, our industry still has an unshakable obsession with malware. With the increasing incidence of successful data breaches and theft of company secrets, it's clear that the conventional malware-focused security infrastructure is insufficient, and we must develop new techniques to find active attackers using their operational activities."
More than 70 percent of active malware used for the initial intrusion was detected on only one site, indicating that it was polymorphic or customized, targeted malware.
Angry IP Scanner, a port and IP address scanner, accounted for 27.1 percent of incidents from the top ten networking and hacking tools observed in this study.
SecureCRT, an integrated SSH and Telnet client, was at the top of the list of admin tools employed in attacks, representing 28.5 percent of incidents from the ten most prevalent admin tools.
TeamViewer, a remote desktop and web conferencing solution, accounted for 37.2 percent of security events from the top ten remote desktop tools.
Attackers leverage ordinary end-user programs like web browsers, file transfer clients and native system tools for command and control and data exfiltration activity.