Andrea Danti - Fotolia

Cyber attackers prefer to encrypt communications, report shows

Encryption provides an additional layer of protection to hide cyber attackers' traffic, resulting in a preference for HTTPS

Cyber attackers are using encryption to hide their communications, a study by Vectra Networks has revealed.

A comparison of hidden tunnels in encrypted traffic compared with clear traffic shows attackers favour HTTPS over HTTP for hidden tunnels, according to the latest Post-Intrusion Report.

If an HTTP session is carrying a hidden second conversation, there will be discernible patterns in the timing, volume and sequencing of traffic, according to Vectra Networks.

“By learning these patterns, Vectra has built models to identify hidden tunnels in HTTP, HTTPS and DNS,” the report said.

This approach does not require direct visibility into the payload of the traffic, which means it is possible to detect hidden tunnels with HTTPS without decrypting the traffic, enabling a direct and equal comparison of hidden tunnels in both encrypted and clear traffic.

“Encryption provides an additional layer of protection to hide the attacker’s traffic,” the report said.

The study of 40 customer networks looks at threats that evade perimeter defenses and what attackers do once they get inside the target network.

The report includes detections of all phases of a cyber attack and exposes trends in malware behaviour, attacker communication techniques, internal reconnaissance, lateral movement and data exfiltration.

According to the report, there was non-linear growth in lateral movement (580%) and reconnaissance detections (270%) that outpaced the 97% increase in overall detections compared with 2014.

These behaviours are significant as they show signs of targeted attacks that have penetrated the security perimeter, the report said.

Read more about the dark web

While command-and-control communication showed the least amount of growth (6%), high-risk Tor and external remote access detections grew significantly, with Tor detections increasing by more than 1,000% compared with 2014 and accounting for 14% of all command-and-control traffic, while external remote access shot up by 183% compared with 2014.

“The increase in lateral movement and reconnaissance detections show that attempts at pulling off targeted attacks continue to rise,” said Oliver Tavakoli, chief technology officer at Vectra Networks. “The attackers’ batting average has not changed much, but more batters invariably has translated into more hits.”

The study also found that botnet monetisation behaviour grew linearly compared with 2014 and advertisement click-fraud was the most commonly observed botnet monetisation behaviour, representing 85% of all botnet detections.

In the category of lateral movement detections, brute-force attacks accounted for 56%, automated replication 22% and Kerberos-based attacks 16%. Although only the third most frequent detection, Kerberos-based attacks grew non-linearly by 400% compared with 2014.

Of internal reconnaissance detections, port scans represented 53%, while darknet scans represented 47%, which is fairly consistent with behaviour detected in 2014, the report said.

According to Vectra Networks, the report offers a first-hand analysis of active network threats that bypass next-generation firewalls, intrusion prevention systems, malware sandboxes, host-based security systems and other enterprise defences.

The study includes data from organisations in education, energy, engineering, financial services, government, healthcare, legal, media, retail, services and technology.

Read more on Hackers and cybercrime prevention