Hackers Use Basic Tools After Breaching Your Network

Standard Tools Leveraged in 99% of Post-Intrusion Activities: Report

Attackers rely on standard networking, administration and other legitimate tools, not malware, for most of what they do after breaking into a network, a recent report from behavioral attack detection provider LightCyber reveals.

LightCyber’s Cyber Weapons Report 2016 set out to identify the tools attackers use most once they have penetrated a network, including those that let them carry a data breach or other malicious goal through to completion. Its headline finding is that standard tools, not malware, are used in 99% of post-intrusion activities.

According to the report, attackers commonly used malware to compromise a host, but turned to legitimate tools once inside the network. Moreover, the report shows that Angry IP Scanner, an IP address and port scanner, was the most common tool associated with anomalous attack behavior (27.1% of incidents involving the top ten networking and hacking tools), and that Nmap, a network discovery and security auditing tool, was second in line.

SecureCRT, an integrated SSH and Telnet client, was the admin tool most used in attacks, accounting for 28.5% of incidents from the ten most prevalent admin tools. The report also reveals that TeamViewer, a remote desktop and web conferencing solution, accounted for 37.2% of the events from the top ten tools in its category.

The use of common networking tools to conduct “low and slow” activities allows attackers to remain undetected for an average of five months, LightCyber says, citing industry reports. In its report, LightCyber, which just completed a $20 million round of funding earlier this month, explains that reconnaissance was the most frequent activity that attackers performed once inside a network, followed by lateral movement and then command and control communication.

Attackers also use web browsers, file transfer clients, and native system tools for command and control and for data exfiltration activities, but could also employ malicious web browser extensions for this behavior. According to the report, malware variants also leverage web browser processes for communication purposes, to avoid being blocked at the operating system level.
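The report’s argument is that the tool name alone is a weak signal (an administrator and an attacker may both launch Nmap or TeamViewer), while the behaviour that follows the launch, such as a burst of connections to many internal hosts, is what distinguishes reconnaissance. The following Python example is added here to illustrate that distinction and is not code from the report or from LightCyber; the telemetry lines, host names, addresses, two-minute window and ten-target threshold are all constructed for the demonstration.

```python
"""Behavioral detection of reconnaissance carried out with dual-use tools.

Added illustration: the sample telemetry below is constructed for this
example and is not data from the LightCyber report.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Image names of the tools the report names as most common in post-intrusion
# activity (Angry IP Scanner, Nmap, SecureCRT, TeamViewer). Seeing one of these
# run is an inventory fact, not an alert by itself.
DUAL_USE_TOOLS = {"ipscan.exe", "nmap.exe", "securecrt.exe", "teamviewer.exe"}

# Constructed sample telemetry, one event per line:
#   "<ISO timestamp>|<host>|proc|<image name>"
#   "<ISO timestamp>|<host>|conn|<dst ip>:<dst port>"
# ws-17 launches a scanner and then touches 12 internal hosts in ~10 seconds;
# ws-42 is an administrator using TeamViewer and a browser normally.
SAMPLE_EVENTS = [
    "2016-07-01T09:00:00|ws-17|proc|ipscan.exe",
    *[f"2016-07-01T09:00:{5 + i:02d}|ws-17|conn|10.0.0.{10 + i}:445" for i in range(12)],
    "2016-07-01T09:10:00|ws-42|proc|teamviewer.exe",
    "2016-07-01T09:10:10|ws-42|conn|10.0.0.9:3389",
    "2016-07-01T09:11:00|ws-42|proc|chrome.exe",
    "2016-07-01T09:11:30|ws-42|conn|93.184.216.34:443",
]


def parse_events(lines):
    """Parse the pipe-delimited telemetry format defined above into dicts."""
    events = []
    for line in lines:
        ts, host, kind, detail = line.strip().split("|")
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "kind": kind, "detail": detail})
    return events


def tool_inventory(events):
    """Map each dual-use tool that ran to the set of hosts it ran on."""
    seen = defaultdict(set)
    for ev in events:
        if ev["kind"] == "proc" and ev["detail"].lower() in DUAL_USE_TOOLS:
            seen[ev["detail"].lower()].add(ev["host"])
    return dict(seen)


def _is_internal(dst):
    """True when the connection target is a private (RFC 1918 style) address."""
    return ipaddress.ip_address(dst.split(":")[0]).is_private


def detect_recon_fanout(events, window=timedelta(minutes=2), min_targets=10):
    """Alert when a host launches a dual-use tool and then reaches at least
    `min_targets` distinct internal hosts within `window`.

    The alert keys on the fan-out pattern that follows the launch, not on the
    tool name, so a lone TeamViewer session does not fire.
    """
    alerts = []
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if ev["kind"] != "proc" or ev["detail"].lower() not in DUAL_USE_TOOLS:
                continue
            targets = {
                e["detail"].split(":")[0]
                for e in evs[i + 1:]
                if e["kind"] == "conn"
                and e["ts"] - ev["ts"] <= window
                and _is_internal(e["detail"])
            }
            if len(targets) >= min_targets:
                alerts.append({"host": host, "tool": ev["detail"],
                               "targets": len(targets), "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("dual-use tools seen:", tool_inventory(evs))
    for alert in detect_recon_fanout(evs):
        print("ALERT recon fan-out:", alert)
```

Run as a script, the inventory lists both ws-17 and ws-42 as having run a dual-use tool, but only ws-17 produces an alert, because only its tool launch is followed by connections to many distinct internal hosts. Tuning the window and threshold against a site’s normal administrative traffic is what keeps this kind of rule useful against “low and slow” scanning without drowning in alerts from legitimate administrators.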

LightCyber identified 1,109 total unique tools being used during attacks and says that, while the majority of them were benign processes and tools, malware does play its role in such incidents. However, the security company also points out that most of the malware discovered on endpoints did not match known signatures. Additionally, more than 70% of the detected active malware was found only on a single site, suggesting that attackers create target-specific variants to bypass signature-based prevention.

“The new Cyber Weapons Report uniquely reveals that malware is not the mechanism that network attackers use once they circumvent preventative security and compromise a network,” said Jason Matlof, executive vice president, LightCyber. “Despite these increasingly well understood realities, our industry still has an unshakable obsession with malware. With the increasing incidence of successful data breaches and theft of company secrets, it’s clear that the conventional malware-focused security infrastructure is insufficient, and we must develop new techniques to find active attackers using their operational activities.”

Related: Verizon 2016 DBIR: What You Need to Know

Related: Breach Detection Time Improves, Destructive Attacks Rise: FireEye
