2016 Cyber Weapons Report: Looking for Attackers in All the Wrong Places
What tools do attackers use? The 2016 Cyber Weapons Report seeks to address this question by analyzing real-world attacks and other anomalous activity in organizations’ networks. This report focuses on the actions that occur after an initial intrusion, including command and control, reconnaissance, lateral movement, and data exfiltration.
The Cyber Weapons Report reveals that organizations that are focused solely on stopping malware are looking for attackers in all the wrong places. This is because only 1% of internal, east-west threats such as reconnaissance and lateral movement originate from malware. Legitimate apps and riskware (such as network scanners) generate 99% of east-west attack behavior. If organizations only look for malware, they won’t detect the malicious users that have infiltrated their network and are actively conducting an attack.
Data for the Cyber Weapons Report was gathered from LightCyber’s worldwide customer base. The threats described in the report were identified by detecting behavioral anomalies and performing Network-to-Process-Association (N2PA™) to determine which processes and users generated suspicious network traffic.
The most notable findings from the report include:
- Angry IP Scanner, a port and IP address scanner, accounted for 27.1% of incidents from the ten most common networking and hacking tools observed in the study.
- SecureCRT, an integrated SSH and Telnet client, topped the list of admin tools employed in attack behaviors, representing 28.5% of incidents from the ten most prevalent admin tools. Admin tools triggered lateral movement alerts such as new admin behavior, remote code execution and reverse connection (reverse shell), among others.
- TeamViewer, a remote desktop and web conferencing solution, accounted for 37.2% of security events from the top ten remote desktop tools. TeamViewer was associated with command and control (tunneling) behavior, while other remote desktop tools, such as WinVNC, primarily triggered lateral movement violations.
- 70%+ of active malware used for the initial intrusion was detected only on one site, indicating that a large proportion was polymorphic malware or customized, targeted malware.
Network Traffic Analysis Reveals Tools Attackers Use
Our study compares the ratio of different attack behaviors, including malware, command and control, reconnaissance, lateral movement and exfiltration. The chart below shows the ratio of different attack behaviors.
Attackers can use everyday applications, such as admin, networking, and remote access tools, to explore a compromised network or to control devices. This is the “below the waterline” activity that has previously gone undetected, but the implications are clear: trying to detect active attacks by looking only for malware is not effective.
Besides the “below the waterline” tools identified in our report, there were a few applications that did not fit into an attack tool category, but they are nevertheless noteworthy. Here are a few of the potentially ship-sinking “really far below the waterline” tools:
- Web browsers, file transfer clients, and native system tools were often used for command and control and data exfiltration activity. Occasionally, malicious web browser extensions, not the browsers themselves, accounted for the attack behavior. Many malware variants use web browser processes to communicate to hosts on the Internet in order to avoid being blocked at the operating system level. Often, the most mundane applications, in the wrong hands, can be used for malicious purposes.
- Besides Perl, which was noted as a networking and hacking tool in our report, other scripting programs like Python, Cscript, and WScript generated suspicious traffic in customer networks. While the programs themselves are not malicious, attackers can leverage them to execute malicious scripts.
- Hola, a peer-to-peer VPN program, was observed in over ten organizations’ networks. Hola allows users to circumvent corporate and government web filters to access any website. However, the program also exhibits command and control behavior and, because it allows commercial (and potentially underhanded) customers to buy other Hola users’ bandwidth, it operates somewhat like a peer-to-peer botnet.
Download the 2016 Cyber Weapons Report
To learn all of the findings from our study, download the 2016 Cyber Weapons Report.