Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Organizations in the Dark as Most Networks Actively Breached: Analysis

Twenty Organizations Were Analyzed in a Recent Study; All 20 Were Already Unknowingly Compromised

Twenty Organizations Were Analyzed in a Recent Study; All 20 Were Already Unknowingly Compromised

While most of the security industry is looking forward and making threat predictions for 2017, one vendor has stopped to analyze what has been happening in 2016 — and the reality is, we aren’t even aware of what is happening in our networks today.

Breach detection firm SS8 used its BreachDetect platform to analyze 20 different organizations across multiple industry sectors. BreachDetect was developed for and is used by law enforcement agencies conducting forensic examinations. None of the 20 organizations analyzed were known to be compromised before the analysis — but all 20 were found to have indicators of compromise. The results were published in a blog post last week.

IT Network“The findings,” Faizel Lakhani, President and COO of SS8, told SecurityWeek, “are based on the analysis of data from more than 5 billion high definition records (HDRs) of network activity gathered during a two-week risk assessment by SS8 using our sensors at ingress and egress points at enterprises, across five industries. The compromised devices were discovered by SS8. All the networks evaluated by SS8 (100%) showed some evidence of traffic tunneling.”

Lakhani pointed out that this alone does not necessarily mean that the entire network has been compromised, “since the attack could be at any stage, including reconnaissance. With many companies adopting application aware or next generation firewalls,” he added, “it has become difficult for hackers to get into the network through ports that used to be generally open (80, 443, 22,etc ). As a result, they have started to tunnel traffic over protocols that are allowed by the firewalls to get in, and if successful, get out with the data.”

However, all 20 organizations also showed signs of DNS-related exfiltration, and had evidence of malformed protocols in outbound traffic. The associated report (PDF) warns that many organizations are ill-prepared for DNS-based attacks. DNS exploit attacks, it says, “often use UDP traffic, which is generally trusted by firewalls and other preventative security tools. As such, they are unlikely to detect data exfiltration over DNS.”

It gives the use of an encrypted session without a certificate as an example of malformed protocols. “Using this evasion technique,” it says, “the data remains encrypted, but the endpoint is not validated. This indicates the traffic, while encrypted, may not be going to the intended recipient.”

While all 20 analyzed organizations showed these signs of potential compromise, many also displayed more specific indicators. Seventy-seven percent had one or more compromised devices beaconing out to a remote server. Eighty percent had applications built on top of bittorrent platforms.

Perhaps the two most surprising discoveries, however, is that 30% were infected with audio-recording malware; and 70% had compromised non-essential devices on the network. 

Advertisement. Scroll to continue reading.

The report compares the audio malware to the type of malware that hijacks webcams on laptops and desktops to capture login and other information; but in this case is used to eavesdrop and/or record conversations in real-time. “This type of attack is more common in the federal sector, where it can be especially harmful when used in state-sponsored attacks to gather intelligence,” it says.

The biggest warning for the future is that 70% of the organizations analyzed have compromised ‘non-essential’ devices. These are IoT devices, like smart TVs that display company information. If an IoT device is contained within a sandboxed or segmented part of the network, then the attacker cannot move laterally and the harm is limited. But, “most companies do not place these devices in a sandboxed network,” said Lakhani.

“What these findings demonstrate,” he told SecurityWeek, “is the network doesn’t lie. Most networks are actively breached and none of the companies in this study were aware that they were compromised until after we presented the results from our risk assessments. SS8’s network analytics and retrospection capabilities allow us to detect devices of interest that are exhibiting behaviors of compromise, which traditional network monitoring technologies cannot.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

MorganFranklin Cyber has appointed Keith Hollender as CEO and member of the Board of Directors.

Lisa Banks has been named Chief Financial Officer at Abnormal Security.

Threat detection and response company Trellix has appointed Vishal Rao as its new CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.