If an HTTP session is carrying a hidden second conversation, there will be discernible patterns in the timing, volume and sequencing of traffic, according to Vectra Networks.
“By learning these patterns, Vectra has built models to identify hidden tunnels in HTTP, HTTPS and DNS,” the report said.
Because the approach does not need visibility into the payload, it can detect hidden tunnels in HTTPS without decrypting the traffic, which allows a like-for-like comparison of hidden tunnels in encrypted and clear-text traffic.
“Encryption provides an additional layer of protection to hide the attacker’s traffic,” the report said.
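The kind of metadata-only signal the report describes, as an added illustration rather than Vectra's models or any code from the report: a heuristic that scores one client-to-server HTTP(S) session on the timing, volume and sequencing of its request/response pairs, never their content, so it behaves identically on encrypted and clear traffic. The thresholds, the feature choices and the two sample sessions are constructed assumptions for this example.

```python
"""Metadata-only heuristic for tunnel-like HTTP(S) sessions: timing, volume
and sequencing of request/response pairs, never payload.  Thresholds and the
sample sessions are constructed assumptions, not a vendor model."""
from itertools import accumulate
from statistics import mean, pstdev


def session_features(pairs):
    """pairs: non-empty, time-sorted (timestamp, bytes_out, bytes_in) tuples,
    one per request/response exchange in a single client->server session."""
    gaps = [b[0] - a[0] for a, b in zip(pairs, pairs[1:])]
    out = [p[1] for p in pairs]
    inn = [p[2] for p in pairs]
    mg = mean(gaps) if gaps else 0.0
    return {
        "requests": len(pairs),
        # coefficient of variation of inter-request gaps: near 0 means a fixed
        # polling interval, which a person browsing rarely produces
        "gap_cv": pstdev(gaps) / mg if mg > 0 else float("inf"),
        # browsing downloads far more than it uploads; a session pushing data
        # out (or a symmetric interactive channel) inverts or flattens that
        "out_in_ratio": sum(out) / max(sum(inn), 1),
        # fixed-size request bodies suggest encoded chunks rather than forms/URLs
        "size_cv": pstdev(out) / mean(out) if mean(out) > 0 else 0.0,
    }


def tunnel_score(feat, min_requests=20):
    """Number of independent metadata signals that line up (0-3); a short
    session scores 0 because its statistics are not yet meaningful."""
    if feat["requests"] < min_requests:
        return 0
    return sum([feat["gap_cv"] < 0.2,
                feat["out_in_ratio"] > 1.0,
                feat["size_cv"] < 0.1])


def is_tunnel_like(pairs, threshold=2):
    return tunnel_score(session_features(pairs)) >= threshold


# Constructed sample sessions (not captured traffic):
# 1) a beacon sending 1 KiB every 5 s and receiving small acknowledgements
TUNNEL = [(i * 5.0, 1024, 180) for i in range(40)]
# 2) a person browsing: bursty timing, small requests, large responses
_ts = [0.0] + list(accumulate([0.2, 0.5, 3.0, 0.1, 7.0] * 5))
BROWSING = [(t, [420, 510, 380, 640, 450][i % 5],
             [15000, 2300, 48000, 900, 120000][i % 5]) for i, t in enumerate(_ts)]

if __name__ == "__main__":
    for name, s in (("tunnel", TUNNEL), ("browsing", BROWSING)):
        print(name, tunnel_score(session_features(s)), is_tunnel_like(s))
```

Real deployments would learn per-environment baselines for these features instead of fixed cut-offs, and would score the session repeatedly as it grows rather than once.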
The study of 40 customer networks looks at threats that evade perimeter defenses and what attackers do once they get inside the target network.
The report includes detections of all phases of a cyber attack and exposes trends in malware behaviour, attacker communication techniques, internal reconnaissance, lateral movement and data exfiltration.
According to the report, there was non-linear growth in lateral movement (580%) and reconnaissance detections (270%) that outpaced the 97% increase in overall detections compared with 2014.
These behaviours are significant as they show signs of targeted attacks that have penetrated the security perimeter, the report said.
Command-and-control communication showed the least growth (6%), but high-risk Tor and external remote access detections grew significantly: Tor detections rose by more than 1,000% compared with 2014 and accounted for 14% of all command-and-control traffic, while external remote access detections rose by 183% compared with 2014.
“The increase in lateral movement and reconnaissance detections shows that attempts at pulling off targeted attacks continue to rise,” said Oliver Tavakoli, chief technology officer at Vectra Networks. “The attackers’ batting average has not changed much, but more batters invariably has translated into more hits.”
The study also found that botnet monetisation behaviour grew linearly compared with 2014 and advertisement click-fraud was the most commonly observed botnet monetisation behaviour, representing 85% of all botnet detections.
In the category of lateral movement detections, brute-force attacks accounted for 56%, automated replication 22% and Kerberos-based attacks 16%. Although only the third most frequent detection, Kerberos-based attacks grew non-linearly by 400% compared with 2014.
Of internal reconnaissance detections, port scans represented 53%, while darknet scans represented 47%, which is fairly consistent with behaviour detected in 2014, the report said.
According to Vectra Networks, the report offers a first-hand analysis of active network threats that bypass next-generation firewalls, intrusion prevention systems, malware sandboxes, host-based security systems and other enterprise defences.
The study includes data from organisations in education, energy, engineering, financial services, government, healthcare, legal, media, retail, services and technology.