In a recent analysis of a quarter million endpoint devices across 40 enterprises, every corporate network showed evidence of a targeted intrusion, but most of the activity had not yet reached the most dangerous stage, data exfiltration.
"No matter how small the network we looked at, no matter what industry, we always found some indicators of a targeted attack," said Wade Williamson, director of product marketing at Vectra Networks.
The company offers network monitoring technology that looks for traces of behaviors indicating malicious activity. This is Vectra's second edition of its post-intrusion report, and it covers nearly twice as many companies as the previous one. The companies analyzed range from mid-sized firms with fewer than 1,000 users up to large companies with 50,000 users or more, and include both existing Vectra customers and prospects receiving this kind of scan for the first time.
According to Williamson, the report shows that every network has some threats that slip past perimeter defenses.
Vectra classifies these threats into behavioral categories.
The first phase, which accounts for 32 percent of the detected threats, is command and control, where the attackers have just gained an initial foothold and the infected hosts call back to their controllers.
Not all of this activity is automated.
"A lot of times, you need to put real fingers on keyboards as you're in the process of digging deeper into the network," said Williamson. "Maybe I grabbed some user credentials, can I log into this system or that system. I'm directing the attack."
After this point, the attack can progress in a couple of different ways.
One is to set up a botnet. According to Vectra, 18 percent of the active identified threats are engaged in this type of behavior. The vast majority of these, 85 percent, were engaged in click fraud, 5 percent were used for brute-force attacks against other targets, and 4 percent for outbound denial-of-service attacks.
The other path is to progress further into the enterprise. For these attacks, the next stage is internal reconnaissance, which accounts for 13 percent of threat activity, followed by lateral movement, which accounts for 34 percent.
The majority of lateral movement activity, 56 percent, consists of brute-force attacks. Next, at 22 percent, is automated replication, followed by Kerberos attacks, which use stolen credentials and account for 16 percent of lateral movement activity.
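To make the lateral-movement categories above concrete, here is an added example that is not Vectra's detection logic and not code from the report. It runs two simple sliding-window heuristics over a constructed set of internal authentication events: a brute-force detector (many failed logons from one source host, across any target or account) and a credential fan-out detector (one account succeeding from one source against many distinct hosts in a short window, which is how a stolen credential being walked across the network typically shows up). The event format, host names, accounts, and thresholds are all assumptions made for the example.

```python
"""Two toy lateral-movement detectors over constructed auth events.

Added example for illustration; not Vectra's detection logic.
Event format (assumed): timestamp,src_host,dst_host,user,result
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: ws-17 is normal use, ws-23 is spraying failures
# at many servers, ws-41 is one account hopping across five hosts.
SAMPLE_EVENTS = """\
2015-06-01T09:00:01,ws-17,srv-files,alice,success
2015-06-01T09:00:05,ws-17,srv-files,alice,failure
2015-06-01T09:00:09,ws-17,srv-files,alice,success
2015-06-01T09:01:00,ws-23,srv-db1,svc_backup,failure
2015-06-01T09:01:12,ws-23,srv-db2,svc_backup,failure
2015-06-01T09:01:25,ws-23,srv-web1,svc_backup,failure
2015-06-01T09:01:40,ws-23,srv-web2,svc_backup,failure
2015-06-01T09:01:58,ws-23,srv-files,svc_backup,failure
2015-06-01T09:02:10,ws-23,srv-files,administrator,failure
2015-06-01T09:10:00,ws-41,srv-db1,bob,success
2015-06-01T09:10:30,ws-41,srv-web2,bob,success
2015-06-01T09:11:05,ws-41,srv-web3,bob,success
2015-06-01T09:11:50,ws-41,srv-files,bob,success
2015-06-01T09:12:40,ws-41,dc-01,bob,success
"""


def parse_events(text):
    """Parse CSV lines into dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, user, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "user": user, "result": result})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_brute_force(events, window=timedelta(minutes=5), min_failures=5):
    """Flag a source host with >= min_failures failed logons inside `window`.

    Counting per source (not per target or account) catches both password
    spraying across hosts and hammering a single host. Returns a dict keyed
    by source host; the entry reflects the window at the last qualifying event.
    """
    recent = defaultdict(deque)
    alerts = {}
    for e in events:
        if e["result"] != "failure":
            continue
        q = recent[e["src"]]
        q.append(e)
        while e["ts"] - q[0]["ts"] > window:   # drop events older than window
            q.popleft()
        if len(q) >= min_failures:
            alerts[e["src"]] = {
                "failures": len(q),
                "targets": sorted({x["dst"] for x in q}),
                "accounts": sorted({x["user"] for x in q}),
            }
    return alerts


def detect_fanout(events, window=timedelta(minutes=5), min_hosts=4):
    """Flag (source, account) pairs that succeed against >= min_hosts distinct
    destinations inside `window`: one credential walked across the network."""
    recent = defaultdict(deque)
    alerts = {}
    for e in events:
        if e["result"] != "success":
            continue
        key = (e["src"], e["user"])
        q = recent[key]
        q.append(e)
        while e["ts"] - q[0]["ts"] > window:
            q.popleft()
        hosts = sorted({x["dst"] for x in q})
        if len(hosts) >= min_hosts:
            alerts[key] = {"hosts": hosts, "first": q[0]["ts"], "last": e["ts"]}
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for src, a in detect_brute_force(evs).items():
        print(f"brute force from {src}: {a['failures']} failures, "
              f"targets={a['targets']}, accounts={a['accounts']}")
    for (src, user), a in detect_fanout(evs).items():
        print(f"credential fan-out: {user}@{src} -> {a['hosts']} "
              f"between {a['first'].time()} and {a['last'].time()}")
```

On the constructed sample, ws-23 trips the brute-force rule (six failures against five servers with two accounts) and bob from ws-41 trips the fan-out rule with five hosts; alice on ws-17 trips neither. In practice both thresholds need tuning per environment, and fan-out in particular must be baselined, since vulnerability scanners, backup agents, and administrators' jump hosts legitimately authenticate to many machines in a short window.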
While the number of botnet-related threats grew roughly in proportion to the number of networks analyzed, reconnaissance behaviors grew nearly four times as fast, and lateral movement almost seven times as fast.