In the wake of recent cyberattacks, including the high-profile breach of the Office of Personnel Management (OPM), a new report has found a massive surge in the number of targeted cyberattacks, calling into question whether organizations are prepared to meet this threat.
Vectra Networks, a leader in real-time detection of cyberattacks, recently released its June 2015 Post-Intrusion Report, a study of how cyberattacks proceed once past a computer’s defenses. The company found targeted cyberattacks have risen 580 percent in the area of lateral movement and 270 percent in the area of internal reconnaissance since the last report in November 2014, suggesting hackers are getting better at penetrating traditional computer defenses.
In addition to the rise in lateral movement and reconnaissance activity, the report found a 97 percent increase in threat detections overall.
Vectra distinguishes between two types of cyberattacks: opportunistic and targeted. In opportunistic attacks, attackers simply try to infect as many computers as possible, typically through botnets, large-scale networks of compromised machines under a single operator's control. Once inside, this malware typically makes money through click-fraud campaigns, spam or similar tactics. The report found these types of attacks, which it refers to as botnet monetization, increased by 84 percent since the last report.
Although opportunistic infections are generally less dangerous than targeted ones, the report warns that organizations and individuals should take them seriously, since opportunistic infections can change into targeted ones later.
“An infection that is simply mining bitcoins one day can easily turn to something more serious,” the report stated. “Additionally, a botnet could significantly impact the reputation of your network and organization if your network is observed emitting spam or distributed denial-of-service traffic.”
Targeted attacks almost always represent the greatest risk to an organization because they can expose customer data, financial information, intellectual property and trade secrets.
In targeted attacks, hackers seek out an organization because of its unique data or resources. Once attackers are inside the system, there are a number of actions they can carry out: lateral movement, command-and-control, internal reconnaissance and data exfiltration. The growth of lateral movement and internal reconnaissance actions is troubling because they are vital to the success of a targeted attack. The report suggested traditional cybersecurity defenses may not be enough to protect against the escalation in these areas.
“The fact that these categories are growing at the fastest rates indicates that there is either an overall increase in the amount of targeted attacks or that these attacks are comparatively more successful at penetrating traditional perimeter security controls (e.g., next-generation firewalls, malware sandboxes),” Wade Williamson, director of product marketing at Vectra Networks, told Homeland Security Today. “In either case, the data shows that organizations are facing an increased risk from targeted attacks compared to more opportunistic threats such as large-scale botnets.”
The other categories of threats identified by Vectra showed smaller increases: data exfiltration is up by 43 percent, while command-and-control of malware is up only six percent. However, the report found that while command-and-control activity overall has barely grown, the techniques used within that category have changed. The report noted a more than 1,000 percent increase in the use of Tor, software that provides anonymity on the Internet.
“The growth in Tor and external remote access detections provides more data confirming an increase in targeted attacks,” Williamson said. “These are precisely the types of command and control you would expect to see in more targeted attacks because they give a remote attacker a combination of real-time control and anonymity.”
The report also examined hidden tunneling, a method of concealing attacker communications inside a protocol the network already allows. Most normal Internet traffic uses Hypertext Transfer Protocol (HTTP) for data communication. However, Vectra found that for hidden tunneling attackers prefer HTTP Secure (HTTPS) over HTTP, suggesting that the encryption which protects legitimate users also shields the attacker's tunneled traffic from inspection.
Every company included in the report, regardless of industry, was the focus of at least one targeted cyberattack. This is troubling in light of recent hacks of high-profile companies, which demonstrate the damage a targeted attack can cause.
“While attacks against retailers like Target and Home Depot have been well documented, the past six months have shown that all industries are at risk,” the report said, noting, “Multiple major breaches against healthcare giants Anthem and Blue Cross exposed a variety of patient data, and the attack against Sony Pictures exposed executive communications, leaked unreleased movies, and created an immense amount of damage.”
As targeted cyberattacks against government agencies and organizations continue to grow in number and sophistication, Vectra believes computer security will have to evolve in order to catch the attacks that will inevitably penetrate an organization's perimeter defenses.
“In the physical world, our skin keeps the vast majority of germs and bad things out of our body, but we also have a highly sophisticated immune system that responds to infections that get in,” Williamson said. “One doesn’t replace the other. In information security, most organizations have invested almost exclusively in thicker and thicker skin, becoming something of a rhinoceros without an immune system.”
“Organizations need to bring this more into balance with technology that not only repels external threats, but can detect and respond to internal threats,” Williamson added.