attacker behavior industry report - attacker...inversely, the healthcare industry has a low volume...

Attacker Behavior Industry Report 2018 Black Hat Edition

I am artificial intelligence.

The driving force behind the hunt for cyberattackers.

I am Cognito.

Vectra | Attacker Behavior Industry Report | 3

TABLE OF CONTENTS

Background and methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Operational efficiency and ROI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Threat and certainty scores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Overall detection trends . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Threats by type per 10,000 host devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Threats by industry per 10,000 host devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15


Key findings

• Across all industries, there was an average of 2,354 attacker

behavior detections per 10,000 host devices. Attacker behaviors

from January-June 2018 showed a sharp increase over the same

period in 2017.

• Overall, education had the most attacker behaviors at 3,958

detections per 10,000 host devices.

• Energy (3,740 detections per 10,000 host devices) and

manufacturing (3,306 detections per 10,000 host devices)

showed a large amount of detections due to high levels of lateral

movement. Energy and manufacturing are also large adopters of

industrial IoT (IIoT) devices and have IT/OT system integration.

• Command-and-control (C&C) activity in higher education

continues to persist three-times above the industry average of 725

per 10,000 host devices and exceeds every industry with 2,143

detections per 10,000 host devices. These early attack indicators

usually precede other phases of attacks and are often associated

with opportunistic botnet behaviors in higher education.

• The retail and healthcare industries have the lowest cyberattack-

detection rates, with 1,190 and 1,361 detections per 10,000 host

devices, respectively.

• Botnet activity occurs most often in higher education, with 183

detections per 10,000 host devices, which is three-times the

industry average of 53 detections per 10,000 host devices. These

opportunistic attack behaviors leverage host devices for external

gain, such as bitcoin mining or outbound spam.

• Vectra customers achieved a 36X workload reduction for Tier-1

analysts in detection, triage, correlation and prioritization of

security incidents, enabling them to focus on mitigating the

highest-risk threats.

• When normalizing attacker detections per 10,000 host devices

compared to the previous year, there is a sharp increase in every

industry for C&C, internal reconnaissance, lateral movement and

data exfiltration detections.

The Black Hat Edition of the Vectra® Attacker Behavior Industry Report provides a first-hand analysis of active and

persistent attacker behaviors inside cloud, data center and enterprise environments of Vectra customers from

January through June 2018.

The report examines a wide range of cyberattack detections and trends from a sample of more than 250 Vectra

customers with over 4 million devices per month and workloads from nine different industries.

The research in this report takes a multidisciplinary approach that spans all strategic phases of the attack lifecycle.

By using the AI-based Cognito™ platform to detect attacker behaviors, Vectra can identify exposure and risk within

organizations as well as indicators of damaging breaches.

Background and methodology

The information in this report is based on anonymized metadata

from Vectra customers who have opted to share detection metrics.

Vectra identifies behaviors that indicate attacks in progress by

directly monitoring all traffic and relevant logs, including traffic

to and from the internet, internal traffic between network host

devices, and virtualized workloads in private data centers and

public clouds.

This analysis provides important visibility into advanced phases

of attacks. The Cognito platform from Vectra detects threats that

evade perimeter security controls and observes the progression of

attacks after the initial compromise.

The 2018 Black Hat Edition of the Vectra Attacker Behavior

Industry Report also presents data by specific industries and

highlights relevant differences between industries.

From January through June 2018, Vectra collected data on more

than 4 million devices and workloads per month. On these

devices and workloads, Vectra detected over 10 million different

attacker behaviors that were condensed to 668,000 detections.

These detections were then triaged down to 420,000 host

devices and workloads. Across all participating organizations,

for the six-month period, over 32,000 devices and workloads were

tagged as critical in risk and over 63,000 were tagged as high

in risk, enabling security analysts to respond quickly to mitigate

these threats. On average, in a single month, 5,343 devices

and workloads were tagged as critical and 10,438 devices and

workloads were tagged as high.

Operational efficiency and ROI

Cybersecurity is an ongoing exercise in operational efficiency.

Organizations have limited resources to address unlimited risks,

threats and attackers. This means that security products must

always be evaluated in terms of their efficiency and impact on the

operational fitness of the organization.


It is important to note that attacker behaviors are still only indicators

of compromise. Security analysts must take final action to validate

whether an attack is real. Cognito provides security analysts with

the most important information in context, which can be used to

decide how to respond before an attack causes damage.

There was a wide variance in the sizes of the networks analyzed,

with the smallest consisting of a few hundred host devices and

workloads to the largest networks with more than 500,000.

To account for this variance, the data has been normalized to a

network with 10,000 host devices and workloads, making it easier

to compare the prevalence of threats in a network on a per capita

basis. Any host device with an IP address – including IoT devices,

smartphones, tablets and laptops – are monitored in addition to

servers and virtualized workloads.

Time is the most important factor in detecting hidden cyberattacks.

To mitigate damage, attacks must be detected in real time before

key assets are stolen or damaged. However, detecting and

responding to targeted attacks is a very time-consuming process

and requires security teams to manually sort through mountains

of alerts.

Using artificial intelligence (AI), the Cognito platform from Vectra

performs nonstop automated detection of threat behaviors in

real time. These behaviors are correlated with compromised host

devices, which are in turn correlated with common attack vectors

and larger attack campaigns. Thousands of threat indicators are

reduced to hundreds of attacker behaviors on dozens of host

devices that can be part of broader attack campaigns.

1,601devices withdetections10,000

devices observed

44,017events flagged

2,354detections

36x workloadreduction

Reduction in workload for Tier-1 security analysts

Overall, Vectra reduced the investigation workload of security analysts by 36X compared to manually investigating all attacker behaviors

and compromised host devices. There is a significant uptick in the total number of events flagged and nearly twice the number of

detections per 10,000 host devices observed.


Other factors that influence host device scores include repetition of

an observed detection or a combination of detections that indicate

a cyberattack is progressing toward its objective.

Every detection type has a maximum lifespan, ranging from a few

days to a month. When a detection has no recurring activity, its

effect on a host device score slowly declines to zero. A detection

past its maximum lifespan becomes inactive and has no impact on

the host device score.

Threat and certainty scores

The Cognito platform from Vectra monitors individual devices

and workloads for extended periods of time and attributes

detections to any device or workload that behaves suspiciously.

The detection scores and times they occurred are key inputs for

the host device threat-severity and certainty scores.

Cognito scoring is comprised of two dynamic metrics – threat and

certainty scores – applied to individual detections and the host

devices against which they are reported.

The threat score of a detection expresses the potential for harm

if the security event is true (e.g. if spamming behavior or data

exfiltration was occurring). Because a threat is a measure of the

potential for harm, it reflects worst-case scenarios.

The certainty score of a detection reflects the probability that a

given security event occurred (e.g. the probability of spamming

behavior occurring, or the probability of data exfiltration occurring),

given all the evidence observed so far.

Certainty is based on the degree of difference between the threat

behavior that caused the detection and normal behavior. As such,

the certainty score of an individual detection changes over time.

Since detections are dynamic, changes in their scores cause

changes to attributed host device threat-severity and certainty

scores. Critical and high scores help security analysts prioritize

their investigation efforts because they represent behaviors with the

highest certainty and greatest potential to cause significant damage.

HIGH

43 Hosts

CRITICAL

22 Hosts

LOW

185 Hosts

MEDIUM

25 Hosts

200

150

100

50

Critical severity per 10,000 High severity per 10,000 Medium severity per 10,000 Low severity per 10,000

Threat-severity and certainty scores per 10,000 host devices and workloads

17

28

22

131

January

21

48

25

190

June

23

46

28

210

May

28

53

29

227

April

24

43

26

183

March

20

42

23

177

February0

On average, for every 10,000 host devices and workloads

monitored in a one-month period, 22 were marked critical and

43 were marked high. These devices and workloads present the

greatest threat to the organization and require a security analyst’s

immediate attention.


When breaking down host device statistics across vertical industries, Vectra benchmarked the volume of host devices and workloads

prioritized for each threat-severity and certainty level, both in relation to each vertical and as compared to the combined industry threat-

severity and certainty scores.

For example, the number of low alerts in higher education is

almost twice the normal rate, which indicates attacker behaviors

that are opportunistic.

Inversely, the healthcare industry has a low volume of host devices

prioritized as high or critical, which indicates that cyberattacks in

healthcare do not often progress deep into the attack lifecycle.

Overall detection trends

• Detection rates: Organizations had an average of 1,707 host

devices with threat detections for every 10,000 host devices

in a one-month period. This represents a 36X reduction in the

number of events requiring investigation and triage.

• C&C represented the highest percentage of detections:

C&C traffic is a key component of a botnet attack and is an

enabler for later phases of a targeted attack. It is often the first

sign of an attack in targeted and opportunistic activity.

• Cognito from Vectra provides security teams with new

efficiencies: While the symptoms of targeted attacks remain

common, there are encouraging signs that security teams are

finding and stopping attacks before damage is done.

• Cryptocurrency mining continues to be the most

popular form of opportunistic attacks: While considered

opportunistic, cryptocurrency mining continues to experience

a surge in activity. These behaviors are seen predominantly in

higher education, where student systems are cryptojacked or

students perform the mining.

400

350

300

250

200

150

100

5023

43

26

156

2740 34

196

1624

12

102

Technology

ServicesRetail

1935

18

103

Other

31

63

28

221

Manufacturing

923

12

119

Healthcare

1825

17

121

Government

26

48

30

203

Entertainment &

Leisure

30

62

36

281

Energy

37

83

50

377

Education0

Critical severity per 10,000 High severity per 10,000 Medium severity per 10,000 Low severity per 10,000

Threats by type per 10,000 host devices

To dig deeper, Vectra provides a breakdown of detection statistics

by industry. The charts below show threat behaviors across the

attack lifecycle. These behaviors are strong indicators of exposure

and risk in an organization and enable security analysts to focus

their time and effort on what matters most.

While not every stage is necessary in an attack, each is

interrelated, and we often see an attack progress through the

lifecycle with the ultimate outcome of financial gain, data exfiltration

or data destruction.

The data in this report represents in-progress attacker behaviors.

Activity like C&C and reconnaissance occur in the earlier stages

of an attack, enabling organizations to quickly mitigate the

threat before it can spread. These are the most common

detected behaviors.


Behaviors like lateral movement occur later in the attack lifecycle as cybercriminals strengthen their foothold in an organization by stealing

administrative credentials to access servers. These types of detections warrant high-priority action from incident response teams to prevent

irreversible damage from a data exfiltration.

Botnets

Botnets are opportunistic attack behaviors in which a device makes money for its bot herder. The ways in which an infected host device can

be used to produce value can range from cryptomining to sending spam emails to producing fake ad clicks. To turn a profit, bot herders utilize

devices, their network connections and, most of all, the unsullied reputation of their assigned IP addresses.

800

500

600

700

400

300

200

10099

91

96

22

Botnet per 10,000 C&C per 10,000 Recon per 10,000

Lateral per 10,000 Exfil per 10,000

January

96

70

101

30

May

84

62

88

33

June

165

118

126

98

April

121

137

122

53

February

170

143

120

55

March0

10

6

8

4

2

2

4

3

Abnormal ad activity Brute-force attackAbnormal web activity Cryptocurrency mining

Outbound DoS Relay CommunicationOutbound port sweep Outbound spam

January

2

3

2

February

1

000

2

4

2

April

1

1

0

2

4

June

1

00

2

5

2

May

1

1

0

2

3

March

1

0

0

0

1

1

1

0

2

2


Command and control

C&C traffic occurs when a device appears to be under the control of an external malicious entity. Most often, the control is automated

because the device is part of a botnet or has adware or spyware installed.

Rarely, but most importantly, a device can be manually controlled by a nefarious outsider. This is the most threatening case, and it often

means the attack is targeted at a specific organization.

Reconnaissance

Reconnaissance attacker behaviors occur when a device is used to map-out the enterprise infrastructure. This activity is often part of a

targeted attack, although it might indicate that botnets are attempting to spread internally to other devices. Detection types cover fast

scans and slow scans of systems, network ports and user accounts.

100

60

80

40

20

22

3

External Remote Access Hidden DNS CnC Tunnel Hidden HTTP CnC Tunnel

Hidden HTTPS CnC Tunnel Malware Update Peer-to-Peer Pulling Instructions

Stealth HTTP Post TOR Activity Threat Intelligence Match CnC Suspicious Relay

January

6

2

25

32

15

April

21

3

3

6

31

14

May

24

35

15

29

14

June

25

3

32

21

3

February

8

2

25

34

17

March

25

25

0

350

100

120

80

60

40

20

8

27

File Share Enumeration Internal Darknet Scan Kerberos Account Scan Port Scan

Port Sweep RDP Recon SMB Account Scan Suspicious LDAP Query

January

23

6

38

3

9

25

February

35

10

39

4

9

8

28

March

40

11

18

4

7

7

34

April

35

12

15

3

9

39

May

30

10

15

8

4

9

28

June

30

8

14

11

6

0

137


Lateral movement

Lateral movement covers scenarios of lateral action meant to further a targeted attack. These can involve attempts to steal account

credentials or to steal data from another device.

It can also involve compromising another device to make the attacker’s foothold more durable or to get closer to target data. This stage of

the attack lifecycle is the precursor to moving into private data centers and public clouds.

Data exfiltration

Data exfiltration behaviors occur when data is sent to the outside in a way that is meant to hide the transfer. Normally, legitimate data transfers do not

involve the use of techniques meant to hide the transfer. Indicators of exfiltration include the device transmitting the data, the location data is being sent

to, the amount of data being sent, and the method used to send it, such as a cloud file share.

120

80

100

60

40

20

20

5

5

24

Automated Replication Brute-Force Attack (internal) Kerberos Brute Force Kerberos Server Access

Ransomware File Activity Shell Knocker Client Shell Knocker Server SMB Brute-Force Attack

SQL Injection Activity Suspicious Admin Suspicious Remote Desktop Threat Intelligence Match Lateral

Suspicious Kerberos Account Suspicious Kerberos Client

January

18

6

22

5

22

February

23

8

6

23

5

21

March

34

5

22

5

19

April

25

8

6

25

5

32

May

26

7

6

6

24

4

21

June

27

6

0

9

6 7

10

67

6

60

50

40

30

20

10

13

22

Data Smuggler Hidden HTTP Exfil Tunnel Hidden HTTPS Exfil Tunnel Smash and Grab

January

28

22

February

33

13

1

March

34

16

April

30

15

1

May

35

17

2

June0


Threats by industry per 10,000 host devices

The bar chart below shows the volume of threat detections that were triggered in each industry. This view shows how each industry fared

per capita as well as which industries generated the most detections by volume.

Higher education and engineering represent the highest percentages of detections across all industries, primarily due to a high volume of

C&C (higher education) and reconnaissance (engineering).

Botnets by industry

The Cognito platform from Vectra observed an ongoing trend in cryptocurrency mining in higher education. Cryptocurrency mining has

experienced a surge in popularity among students who leverage free electricity in their dorms and cyberattackers who target student

systems with cryptojacking. Students do not have the same level of security controls as those found in enterprise organizations, making

them lucrative targets for botnet herders.

4000

3500

3000

2500

2000

1500

1000

500

848

265

659

734

731

930

391

664275

342

182

366

401

570

345

618

1318

992

287

674

371

187

335

452 399

490

145

342

839

999

215

526

933

1002

290

1499

488

540

604

2143

183

TechnologyService

RetailOther

Manufacturing

Healthcare

Government

Entertainment &

LeisureEnergy

Education0

Botnet per 10,000 C&C per 10,000 Recon per 10,000

Lateral per 10,000 Exfil per 10,000

83

200

160

180

140

100

80

60

40

20 5

96

7

14

3467

612

5

7

16

6

969

8

18

839

14

6

14 10

73

5

104

15

71

TechnologyService

RetailOther

Manufacturing

Healthcare

Government

Entertainment &

LeisureEnergy

Education0

Abnormal ad activity Abnormal web activity Cryptocurrency mining

Outbound DoS Outbound port sweep Outbound spam

Brute-force attack

Relay communication

56


C&C by industry

Due to the association between botnet and C&C traffic, the Cognito platform from Vectra found that higher education has the largest

volume of C&C behaviors, primarily related to external remote access and stealth HTTP posts.

Student systems often lack security controls that would normally detect and stop C&C behavior. Students are also more likely to visit

suspicious websites that harbor malware. Consequently, C&C attacks are much easier to execute in student environments.

900

700

800

600

500

400

300

200

100

137

242328

50

137

240

70

175

20

173

50

84

154

150

34

67

25

27

110

74

96

15935

79

9235

126

839

119

92

21

83

194

171

181

44141

2334

146

55

437

54

TechnologyService

RetailOther

Manufacturing

Healthcare

Government

Entertainment &

LeisureEnergy

Education0

62

External Remote Access Hidden DNS CnC Tunnel Hidden HTTP CnC Tunnel

Hidden HTTPS CnC Tunnel Malware Update Peer-to-Peer Pulling Instructions

Stealth HTTP Post TOR Activity Threat Intelligence Match CnC Suspicious Relay


Reconnaissance by industry

Across the board, the Cognito platform from Vectra detected a large volume of darknet scans, which are scans of nonexistent IP addresses

on the network. This is quite common for attackers as the first form of reconnaissance behavior. It occurs after C&C communications are

established as the attacker looks for targets deeper in the network.

The Cognito platform also detected large volumes of suspicious LDAP in the manufacturing industry. A scan of information in an Active

Directory server is an effective way for an attacker to determine what accounts are privileged inside an organization’s network and the

names of servers and infrastructure components.

Cyberattackers prefer to use this form of reconnaissance because the risk of detection is relatively low, especially compared to a port

sweep or a port scan.

1600

1200

1400

1000

800

600

400

20060

223

51

166

37

206

39

153

88

188

56

153

94

46

95

53

130

6248 411

41

98

45

643

243

65116

42

238

223

37

165

52544147

86

186

90

138

60

172

50

132 93

272

133

253

54

133

80

56

247

TechnologyService

RetailOther

Manufacturing

Healthcare

Government

Entertainment &

LeisureEnergy

Education0 53

File Share Enumeration Internal Darknet Scan Kerberos Account Scan Port Scan

Port Sweep RDP Recon SMB Account Scan Suspicious LDAP Query


Lateral movement by industry

In technology, services, manufacturing, financial and energy industries, the Cognito platform observed a large spike in Kerberos client

anomalous behaviors.

This indicates that a Kerberos account is being used differently than its learned baseline in several ways: Connecting to unusual domain

controllers using unusual devices; accessing unusual services; or generating unusual volumes of Kerberos requests using normal domain

controllers, usual devices and usual services.

In the technology, manufacturing and education industries, the Cognito platform detected a large volume of SMB brute-force behaviors,

which indicates that a device is making multiple login attempts with the same accounts to access a file server.

1200

1000

800

600

400

200

252

152

59

289

56

38

183

83

260

29

121

178

242

94

4637

92

162

25

79

4445

91

288

51

157

77

18180

86

87 90

44

71

254

33

282

96

235303

2729282973

37

244

211

93

59

TechnologyService

RetailOther

Manufacturing

Healthcare

Government

Entertainment &

LeisureEnergy

Education0

133

Automated Replication Brute-Force Attack (internal) Kerberos Brute Force Kerberos Server Access

Ransomware File Activity Shell Knocker Client Shell Knocker Server SMB Brute-Force Attack

SQL Injection Activity Suspicious Admin Suspicious Kerberos Account Suspicious Kerberos Client

Suspicious Remote Desktop Threat Intelligence Match Lateral


Exfiltration by industry

The most common exfiltration behavior is data smuggling, which was commonly observed across all industry verticals. It is detected

when an internal host device acquires a large amount of data from one or more servers and sends significant volumes of data to an

external system.

Smash-and-grab is the second most common exfiltration behavior across all industries. It is triggered when a host device transmits

unusually large volumes of data to destinations that are not considered normal for the environment within a short amount of time.

Conclusion

This edition of the Vectra Attacker Behavior Industry Report consisted of more than 4 million devices and workloads per month monitored over a

six-month period. Vectra would like to thank the organizations who opted-in to share metadata that was analyzed for this report. Overall, the trends

represent an increase in detections and attacker behaviors, which is cause for concern.

As sophisticated cybercriminals automate and increase the efficiencies of their own technology, there is an urgent need to automate attacker-

detection and response tools to stop threats faster.

At the same time, there remains a global shortage of highly skilled cybersecurity professionals to handle detection and response at a reasonable

speed. As a result, the use of AI is essential to augment existing cybersecurity teams so they can stay well ahead of attackers.

500

400

300

200

100

82

260

79

344

123

58

155

69

34

263

46

203

35

27

123

11293

22

37

194

267

TechnologyService

RetailOther

Manufacturing

Healthcare

Government

Entertainment &

LeisureEnergy

Education0

93

Data Smuggler Hidden HTTP Exfil Tunnel Hidden HTTPS Exfil Tunnel Smash and Grab

© 2018 All rights reserved. No part of the Vectra Attacker Behavior Industry Report may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, except in the case of brief quotations embodied in certain noncommercial uses permitted by copyright law.

Vectra, the Vectra Networks logo and Security that thinks are registered trademarks and Cognito, Cognito Detect, Cognito Recall, the Vectra Threat Labs and the Threat Certainty Index are trademarks of Vectra Networks. Other brand, product and service names are trademarks, registered trademarks or service marks of their respective holders.

Email [email protected] Phone +1 408-326-2020 vectra.ai

attacker behavior industry report - attacker...inversely, the healthcare industry has a low volume...

Documents