Beruflich Dokumente
Kultur Dokumente
Industry Report
2018 RSA Conference Edition
I am artificial intelligence.
The driving force behind the hunt for cyberattackers.
I am Cognito.
TABLE OF CONTENTS
Scoring.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Conclusion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
This report takes a multidisciplinary approach that spans all strategic phases of the attack lifecycle. By using the
AI-based Cognito™ platform to detect attacker behaviors, Vectra can identify exposure and risk within organizations as
well as indicators of damaging breaches.
Key findings This analysis provides important visibility into advanced phases
of attacks. The Cognito platform from Vectra detects threats that
• Across all industries, there was an average of 1,403 attacker
bypass perimeter security controls and observes the progression
behavior detections per 10,000 devices.
of the attack after an initial compromise.
• The highest volume of attacker behaviors per industry were in
higher education (3,715 detections per 10,000 devices) followed The Attacker Behavior Industry Report also presents data
by engineering (2,918 detections per 10,000 devices). This is by specific industries and highlights relevant differences
primarily due to command-and-control (C&C) activity in higher between industries.
education and reconnaissance activity in engineering.
• C&C activity in higher education is four-times above the industry From August 2017 through January 2018, Vectra monitored
average of 460 detections per 10,000 devices with 2,205 about 4.6 million devices and workloads. On these devices and
detections per 10,000 devices. These early attack indicators workloads, Vectra detected over 12 million different attacker
usually precede other stages and are often associated with behaviors that were condensed to 652,000 detections.
opportunistic botnet behaviors in higher education.
These detections were then triaged down to 373,000 devices and
• The government and technology industries have the lowest
workloads. Across all participating organizations, in a one-month
detection rates, with 496 and 349 detections per 10,000 devices,
period, over 6,000 devices and workloads were tagged as critical
respectively. This could indicate the presence of stronger
and over 9,000 were tagged as high-risk, enabling security
policies, mature response capabilities, and better control of the
analysts to respond fast to mitigate these threats.
attack surface.
• Botnet activity occurs most often in higher education, with
Operational efficiency and ROI
151 detections per 10,000 devices, which is five-times the
industry average of 33 detections per 10,000 devices. These Cybersecurity is an ongoing exercise in operational efficiency.
opportunistic attack behaviors leverage devices for external gain, Organizations have limited resources to address unlimited risks,
such as bitcoin mining or outbound spam. threats and attackers. This means that security products must
• Vectra customers achieved a 32X workload reduction for Tier-1 always be evaluated in terms of efficiency and their impact on the
analysts in detection, triage, correlation and prioritization of operational fitness of the organization.
security incidents, enabling them to focus on compromised
Time is the most important factor in detecting network breaches.
devices that pose the highest risk.
To mitigate damage, attacks must be detected in real time before
• When normalizing detections per 10,000 devices compared
key assets are stolen or damaged. However, detecting and
to the previous year, there is a sharp increase in every industry
responding to targeted attacks is a very time-consuming process
for C&C, reconnaissance, lateral movement, and data
and requires security teams to manually sort through mountains
exfiltration detections.
of alerts.
Background and methodology Using AI, Cognito from Vectra performs nonstop automated
threat hunting to detect attacker behaviors in real time. These
The data in this report is based on anonymized metadata from
behaviors are correlated with compromised devices, which are
Vectra customers who have opted to share detection metrics.
in turn correlated with common attack vectors and larger attack
Vectra identifies behaviors that indicate attacks in progress by
campaigns. Thousands of threat indicators are reduced to
directly monitoring all traffic and relevant logs, including traffic to
hundreds of attacker behaviors on dozens of devices that can be
and from the internet, internal traffic between network devices, and
part of broader attack campaigns.
virtualized workloads in private data centers and public clouds.
818
1,403 devices with
10,000 26,432
detections
detections
events flagged
devices observed
32x workload
reduction
Overall, Vectra reduced the investigation workload of security analysts by 32X, compared to manually investigating all attacker behaviors and compromised host devices.
Scoring
Cognito from Vectra monitors individual devices and workloads for Certainty is based on the degree of difference between the threat
extended periods of time and attributes detections to any device behavior that caused the detection and normal behavior. As such,
or workload that behaves suspiciously. The detection scores and the certainty score of an individual detection changes over time.
when they occurred are key inputs for the host device scores.
Since detections are dynamic, changes in their scores cause
Cognito scoring is comprised of two dynamic metrics – threat and changes to attributed host device scores. Critical and high scores
certainty scores – applied to individual detections and the host help security analysts prioritize their investigation efforts because
devices against which they are reported. they represent behaviors with the highest certainty and greatest
potential to cause significant damage.
The threat score of a detection expresses the potential for harm
if the security event is true (e.g. if spamming behavior or data Other factors that influence host device scores include repetition of
exfiltration was occurring). Because a threat is a measure of the an observed detection or a combination of detections that indicate
potential for harm, it reflects worst-case scenarios. a cyberattack is progressing toward its objective.
The certainty score of a detection reflects the probability that a Every detection type has a maximum lifespan, ranging from a
given security event occurred (e.g. the probability of spamming few days to a month. When a detection has no recurring activity,
behavior occurring, or the probability of data exfiltration occurring), its effect on a host device score will slowly decline to zero. A
given all the evidence observed so far. detection past its maximum lifespan becomes inactive and has no
impact on the host device score.
21 Hosts 13 Hosts
prioritized as high or critical, which indicates cyberattackers do not
often progress deep into the attack lifecycle.
LOW MEDIUM
350
300
250
200 187
167 170
163
156
150
128 134
110
100 86
75
62
55 51 55
50 43 40 43 41 46
37 34 33 37
28 31 26 32 25 31
21 24 19 20 25 22 19 22 18 22 23 20
11 11 13 9 10 13 13 11 8 10 11 5 7 4
0
tio
n ies rin
g ure ice
s nt re tio
n
tr ial ice
s
rin
g tai
l
ce
s
log
y
ca tilit ee eis erv rn me lth
ca ca us erv ctu Re rvi no
Ed
u y/U ng
in
t&
L S ve He
a Ed
u Ind S ufa Se ch
erg E n ial Go r al an Te
En me nc he Leg M
in Fin
a Hig
r ta
Ente
Rarely, but most importantly, a device can be manually controlled by a nefarious outsider. This is the most threatening case and it often
means the attack is targeted at a specific organization.
TOR 11 (2%)
Lateral movement
Lateral movement covers scenarios of lateral action meant to further a targeted attack. This can involve attempts to steal account
credentials or to steal data from another device.
It can also involve compromising another device to make the attacker’s foothold more durable or to get closer to target data. This stage of
the attack lifecycle is the precursor to moving into private data centers and public clouds.
Ransomware 1 (0%)
Suspicious Admin 15 (5%)
SQL Injection 27 (9%)
Brute Force i2i 12 (4%)
Suspicious Remote Execution 5 (2%)
Higher education and engineering represent the highest percentage of detections across all industries, primarily due to a high volume of
C&C (higher education) and reconnaissance (engineering).
4000
168
3500
440
3000
310 751
2500
2000
1620 366
535
1500
536 1051
2205 665
908 556 602 256 502
733
1000
670 303 438
505 777 330
500 354
864 942 311 320
265 535
368 361 489 210 403
286 282
226 151
0
on es ng re ice
s en
t re on ial ice
s
rin
g tail
ce
s gy
cati tiliti eri eisu rv rnm hca cati ustr rv ctu Re rvi olo
du y/U gin
e
&L Se ve alt du Ind Se ufa Se c hn
E erg En t ial Go He rE al an Te
En en nc he Leg M
inm Fin
a Hig
r ta
Ente
140
120 59
100
80
18
60
16 50
40 52
25 39 8
15
11
20
20 6 6 20 19
15 16 13
7
0
nt l s il s y
tio
n ies rin
g ure ce
s
me ca
re tio
n
tria ce ing ta ce log
ca tilit ee eis e rvi rn lth ca us ervi c tur Re rvi no
Ed
u y/U ng
in
t&
L
lS ve He
a Ed
u Ind lS ufa Se ch
erg E en nc
ia Go he
r ga an Te
En inm Le M
Fin
a Hig
r ta
E nte
C&C by industry
Due to the association between botnet and C&C traffic, Cognito from Vectra found that higher education has the largest volume of C&C
behaviors, primarily related to suspicious HTTP.
Student systems often lack security controls that would normally detect and stop C&C behavior. Consequently, C&C attacks are much
easier to execute in student environments.
115
2000
297
85
1500
1069
1000
79
162
500
868 86
103 118
478 457 300
84 279 149
89 250
86 85 77
0
on es ng re es nt re on ial es ng tail es gy
ca
ti liti ri
eis
u ic e
thc
a
ca
ti
us
tr ic ri Re ic olo
u / Uti inee L erv rnm al u Ind erv ctu erv hn
Ed y g t& ial
S ve He rE
d
al
S ufa S c
erg En n nc Go he eg an Te
En in me a Hig
L M
r ta Fin
Ente
Malware Update Suspect Domain C&C Hidden DNS Tunnel C&C Hidden HTTP Tunnel
Cognito also detected large volumes of suspicious LDAP queries across the engineering industry. A scan of information in an Active
Directory server is an effective way for an attacker to determine what accounts are privileged inside an organization’s network and the
names of servers and infrastructure components.
Attackers prefer to use this form of reconnaissance because the risk of detection is relatively low and less noticeable than a port sweep or
a port scan.
1800
1600 109
1400 90
1200
1000
800 1104
400
106
600
128
400 111 89
161
304 239 579 69
99 139 112
200 124
97 66
229
112 159 136 111
74 101 69 107 65
0
nt l l
ion ies ing ure es
me are ion tria c es ing tai ce
s gy
ca
t tilit er eis rvi
c
lthc ca
t
us rvi tur Re rvi olo
Ed
u y/U gin
e
&L lS
e ern ea Ed
u Ind lS
e
ufa
c Se ch
n
erg En t ia ov H r ga an Te
En en nc G he Le M
inm Fin
a Hig
te r ta
En
Internal Darknet Scan Kerberos Account Anomaly Kerberos Account Scan Suspicious LDAP Query Port Scan
Port Sweep RDP Recon File Share Enumeration SMB Account Scan
In the services industry, Cognito detected a large volume of SMB brute-force behaviors, which indicates that a device is making multiple
login attempts, using the same accounts, to access a file server.
1200
1000
44
587
800
600 61
341
567 104
145
59
108
400 241
58
115 42
218 64 159
255
58 44 115 57
200 89
79 70 90
224 194
157 119 152
159 88 131 42 71 107 138
86
58 46
43 53
0
ion ies ing ure es nt are ion ial es ing tai
l
ice
s gy
at tilit er is ic e
hc at str ic tur Re olo
du
c
y/U
e e
Se
rv rnm lt du
c
Ind
u
Se
rv c Se
rv n
E gin &L ial ve ea E l ufa Te
ch
erg En en
t
nc Go H er ga an
En inm
h Le M
Fin
a Hig
r ta
Ente
Ransomware Suspicious Admin Brute Force i2i Automated Replication Kerberos Brute Force
Kerberos Client Anomaly Suspicious Kerberos Account Kerberos Server Access Suspicious Remote Desktop
Shell Knocker Client Shell Knocker Server SMB Brute Force Suspicious Remote Execution SQL Injection
The second most-common exfiltration behavior is data smuggling, which was observed primarily in the entertainment and leisure industry.
It is detected when an internal host acquires a large amount of data from one or more servers and sends significant volumes of data to an
external system.
400
350
300
250
293
200
150 48
502
100
137 438
108
79
50 57 47 320
39 26
34 489 210
16 17 14 14
0
t l l
ion ies ing ure es en are ion tria c es ing tai ce
s gy
ca
t tilit er eis rvi
c m lthc ca
t
us rvi tur Re rvi olo
Ed
u y/U gin
e
&L lS
e ern ea Ed
u Ind lS
e
ufa
c Se ch
n
erg En t ia ov H r ga an Te
En en nc G he Le M
inm Fin
a Hig
te r ta
En
Hidden HTTP Tunnel Exit Hidden HTTPS Tunnel Exit Smash and Grab Data Smuggler
Conclusion
This edition of the Attacker Behavior Industry Report expands the As sophisticated cyberattackers automate and increase the efficiencies
scope of analysis by increasing the number and average size of of their own technology, there is an urgent need to automate
participating organizations. They consisted of more than 4.6 million information security detection and response tools to stop threats faster.
devices, more than twice the number of devices in the previous report.
At the same time, there remains a global shortage of highly-skilled
Vectra would like to thank the organizations who opted-in to share cybersecurity professionals to handle detection and response at a
metadata that was analyzed for this report. Overall, the trends reasonable speed. As a result, the use of AI is essential to augment
represent an increase in detections and attacker behaviors, which existing cybersecurity teams so they can detect and respond to
are cause for concern. threats faster and stay well ahead of attackers.
Vectra, the Vectra Networks logo and Security that thinks are registered trademarks, and Cognito, the Vectra Threat Labs and the Threat Certainty Index are trademarks of Vectra Networks. Other
brand, product and service names are trademarks, registered trademarks or service marks of their respective holders.