Standard Tools Leveraged in 99% of Post-Intrusion Activities: Report
Attackers rely on standard networking, administration and other legitimate tools, not malware, for most of what they do after breaking into a network, a recent report from behavioral attack detection provider LightCyber reveals.
LightCyber’s Cyber Weapons Report 2016 set out to identify the tools attackers use once they have penetrated a network, including those that let them carry out a data breach or reach other malicious goals. Its central finding is that standard tools, not malware, are used in 99% of post-intrusion activities.
According to the report, attackers commonly used malware to compromise an initial host, but switched to legitimate tools once inside the network. Angry IP Scanner, an IP address and port scanner, was the tool most often associated with anomalous attack behavior, accounting for 27.1% of incidents that involved one of the top ten networking and hacking tools; Nmap, a network discovery and security auditing tool, was second.
SecureCRT, an integrated SSH and Telnet client, was the admin tool most used in attacks, accounting for 28.5% of incidents from the ten most prevalent admin tools. The report also reveals that TeamViewer, a remote desktop and web conferencing solution, accounted for 37.2% of the events from the top ten tools in its category.
The use of common networking tools to conduct “low and slow” activities allows attackers to remain undetected for an average of five months, LightCyber says, citing industry reports. In its report, LightCyber, which just completed a $20 million round of funding earlier this month, explains that reconnaissance was the most frequent activity that attackers performed once inside a network, followed by lateral movement and then command and control communication.
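The report’s finding that reconnaissance with ordinary scanners is the most frequent post-intrusion activity points to detecting the behavior rather than the binary. The Python script below is an added example, not code from LightCyber or from the report: it flags scan-like fan-out in flow records regardless of which tool produced the connections, using a long sliding window so that a “low and slow” host sweep still accumulates. The flow records, thresholds and window length are constructed assumptions chosen for illustration, not values taken from the report.

```python
"""Behavioral reconnaissance detection over flow records (added example).

Flags sources whose half-open connection pattern looks like a host sweep or a
port scan, independent of the tool (Angry IP Scanner, Nmap, or anything else)
that generated it. All sample data and thresholds are constructed for this
example and are not taken from the LightCyber report.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since epoch (constructed sample values)
    src: str
    dst: str
    dport: int
    syn_only: bool   # connection attempt that never carried data (probe-like)


# Thresholds and window are assumptions for the example, not report figures.
SWEEP_HOSTS = 20          # distinct destinations on one port -> host sweep
SCAN_PORTS = 15           # distinct ports on one destination -> port scan
WINDOW_SECS = 4 * 3600    # long window so slow probes still add up


def detect_recon(flows: List[Flow], window: int = WINDOW_SECS) -> Dict[str, List[str]]:
    """Return {source_ip: [finding, ...]} for sources showing scan-like fan-out.

    Per source, keep the probes seen in the last `window` seconds and check the
    fan-out across hosts (same port) and across ports (same host).
    """
    findings: Dict[str, List[str]] = defaultdict(list)
    seen: Dict[str, List[Tuple[int, str, int]]] = defaultdict(list)
    reported: Set[Tuple[str, str, object]] = set()

    for f in sorted(flows, key=lambda x: x.ts):
        if not f.syn_only:
            continue  # completed sessions are normal use, not probing
        buf = seen[f.src]
        buf.append((f.ts, f.dst, f.dport))
        cutoff = f.ts - window
        while buf and buf[0][0] < cutoff:   # expire probes outside the window
            buf.pop(0)

        hosts_by_port: Dict[int, Set[str]] = defaultdict(set)
        ports_by_host: Dict[str, Set[int]] = defaultdict(set)
        for _, dst, dport in buf:
            hosts_by_port[dport].add(dst)
            ports_by_host[dst].add(dport)

        for dport, hosts in hosts_by_port.items():
            key = (f.src, "sweep", dport)
            if len(hosts) >= SWEEP_HOSTS and key not in reported:
                reported.add(key)
                findings[f.src].append(
                    f"host sweep on port {dport}: {len(hosts)} hosts in {window}s")
        for dst, ports in ports_by_host.items():
            key = (f.src, "scan", dst)
            if len(ports) >= SCAN_PORTS and key not in reported:
                reported.add(key)
                findings[f.src].append(
                    f"port scan of {dst}: {len(ports)} ports in {window}s")
    return dict(findings)


def sample_flows() -> List[Flow]:
    """Constructed traffic: normal file-server use, a slow host sweep, a port scan."""
    flows: List[Flow] = []
    # benign: a workstation repeatedly reaches one file server, sessions complete
    for i in range(50):
        flows.append(Flow(1000 + i * 60, "10.0.1.15", "10.0.0.5", 445, syn_only=False))
    # low and slow: one probe every 5 minutes to a new host on 445 (fits the 4h window)
    for i in range(40):
        flows.append(Flow(2000 + i * 300, "10.0.1.77", f"10.0.2.{i + 1}", 445, syn_only=True))
    # port scan: 30 ports on one host within a minute
    for i in range(30):
        flows.append(Flow(5000 + i * 2, "10.0.1.77", "10.0.0.9", 1000 + i, syn_only=True))
    return flows


if __name__ == "__main__":
    for src, items in detect_recon(sample_flows()).items():
        for item in items:
            print(src, item)
```

Running the script reports only 10.0.1.77, once for the port scan of 10.0.0.9 and once for the sweep of port 445; the benign workstation is never flagged because its sessions complete. Shrinking the window to ten minutes (`detect_recon(flows, window=600)`) still catches the fast port scan but loses the slow sweep, which is exactly the evasion the report describes.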
Attackers also use web browsers, file transfer clients and native system tools for command and control and for data exfiltration, and may use malicious browser extensions for the same purpose. The report adds that some malware variants route their communication through the web browser process so that the traffic is not blocked at the operating system level.
LightCyber identified 1,109 unique tools used during attacks. While the majority were benign processes and tools, malware still plays a role in such incidents; however, most of the malware found on endpoints did not match known signatures, and more than 70% of the active malware detected was seen at only a single site, suggesting that attackers build target-specific variants to bypass signature-based prevention.
“The new Cyber Weapons Report uniquely reveals that malware is not the mechanism that network attackers use once they circumvent preventative security and compromise a network,” said Jason Matlof, executive vice president, LightCyber. “Despite these increasingly well understood realities, our industry still has an unshakable obsession with malware. With the increasing incidence of successful data breaches and theft of company secrets, it’s clear that the conventional malware-focused security infrastructure is insufficient, and we must develop new techniques to find active attackers using their operational activities.”
Related: Verizon 2016 DBIR: What You Need to Know
Related: Breach Detection Time Improves, Destructive Attacks Rise: FireEye