Cyberattacks: What happens post-intrusion?

The Vectra Networks June 2015 Post-Intrusion Report provides first-hand insight and analysis of active and persistent network threats inside organizations.

[Diagram: Vectra sensors deployed alongside the firewall, IPS, sandbox, switches and routers, reporting to the Vectra Central Manager and the Vectra cloud; monitored hosts include laptops, tablets, smartphones, servers and databases.]

THE STRATEGIC PHASES OF ATTACK

Targeted attacks: 100% of networks showed signs of attacks; 3% penetrated the security perimeter.

Threats detected, by category:
- Lateral movement: 34%
- Command and control: 32%
- Botnet activity: 18%
- Internal reconnaissance: 13%
- Exfiltration: 3%

What each phase means:
- Reconnaissance: internal reconnaissance performed by an attacker inside the network.
- Command and control: attackers send hidden communications using HTTP, HTTPS and DNS.
- Lateral movement: used to spread malware and to carry out authentication-based attacks, such as using stolen passwords.
- Exfiltration: theft of data.
- Botnet monetization: how criminals make money with ad click-fraud, spamming and DDoS attacks.

[Chart: targeted threats vs. opportunistic threats; 97% increase.]

MOST DANGEROUS DETECTIONS ARE ON THE RISE

Percentage growth in the number of detections from 2Q14 to 2Q15:
- Lateral movement: 580%
- Reconnaissance: 270%
- Exfiltration: 84%
- Botnet: 43%
- Command and control: 6%

HIDDEN TUNNELS SPIKE

BOTNETS FOLLOW THE MONEY

Top five activities of botnets (botnet monetization): ad click-fraud (abnormal ad activity) at 85%, with outbound scans, abnormal web activity, outbound DoS and brute-force attacks making up the remaining 5%, 4%, 3% and 2%. A wide range of malicious communication techniques is used.

FIVE THREAT TRENDS TO WATCH

1. Lateral movement detections. Kerberos-based attacks grew 400% compared to last year. Brute-force attacks accounted for 56% of lateral movement detections.

2. Internal reconnaissance. Port scans represented 53% of detections and darknet scans represented 47%.

3. Command and control. High-risk Tor detections jumped by more than 1200%. External remote access jumped by 183%.

4. Hidden pipelines of information. Command and control and exfiltration are increasingly hidden in tunnels within HTTP, HTTPS and DNS, with HTTPS being the most popular channel.

5. Botnets. Botnet monetization behavior grew linearly compared to last year. Ad click-fraud represented 85% of all botnet detections.

Know what happens when attackers breach the perimeter. Get the full Post-Intrusion Report at http://info.vectranetworks.com/post-intrusion-report-2015 or email us at info@vectranetworks.com.

www.vectranetworks.com