The last stage, data exfiltration, is the most dangerous to the enterprise, but accounts for just 3 percent of the activity detected.
That gives enterprises a window of opportunity to detect and clear out these attacks before they do damage -- but also explains why attackers can spend months inside a corporate network before they are caught.
Williamson warned, however, that just because 3 percent of attacks are in the exfiltration phase, it doesn't necessarily mean that the average intrusion campaign spends very little time on exfiltration.
"It's not necessarily proportional to time," he said. "Once they get an exfiltration channel set up, they can leave it open to steal data for a long while."
Vectra also analyzed ways the attackers stayed hidden.
The most common techniques attackers used to hide their communications were fake browser activity, at 36 percent, and newly generated domains, at 25 percent. The anonymous TOR network was used 14 percent of the time, followed by external remote access at 13 percent.
Techniques used least frequently include pulling instructions, stealth HTTP posts, hidden HTTPS tunnels, malware updates, peer-to-peer networks, and hidden HTTP tunnels.
Hidden tunnels in particular are difficult to detect, since attackers can embed coded messages in text fields, headers, or other session parameters of otherwise normal traffic. To make detection even harder, the attackers can take advantage of encrypted traffic.
"We are able to identify hidden tunnels within this encrypted traffic without having to decrypt it," said Williamson.
Vectra does this by analyzing behavioral patterns.
It turns out, he added, that attackers prefer to hijack encrypted channels.
For example, encrypted HTTPS communications are preferred more than two to one over unencrypted HTTP for command-and-control communications.
The best news in this year's report is that the percentage of threats that were involved in exfiltration -- 3 percent -- was about half of that seen last year.
But that could be because Vectra customers used the analysis of their networks to shut down the attacks before they hit that stage.
"They're using us to spot and identify the threats that are getting past the upstream security," said Williamson. "They will take this information and use it to respond to the threats."
Vectra did not break out the numbers for networks that it was analyzing for the first time.