Virtually all (99%) post-intrusion cyberattack activities did not employ malware, but rather leveraged standard networking, IT administration and other tools that attackers could use on a directed or improvisational basis, according to the Cyber Weapons Report 2016 released by LightCyber.
The report also found that over 70% of active malware used for the initial intrusion was detected only on one site, indicating that it was polymorphic or customized, targeted malware.
While malware was commonly used to initially compromise a host, once inside a network, malicious actors do not typically utilize malware. As an example, Angry IP Scanner, an IP address and port scanner, was the most common tool (accounting for 27.1% of incidents) associated with anomalous attack behavior, followed closely by Nmap, a network discovery and security auditing tool.
SecureCRT, an integrated SSH and Telnet client, topped the list of admin tools employed in attacks, representing 28.5% of incidents from the ten most prevalent admin tools. Admin tools triggered lateral movement anomalies such as new admin behavior, remote code execution and reverse connection (reverse shell), among others.
TeamViewer, a remote desktop and web conferencing solution, accounted for 37.2% of security events from the top ten remote desktop tools. TeamViewer was associated with command and control (tunneling) behavior, while other remote desktop tools, such as WinVNC, primarily triggered lateral movement violations.
Attackers may leverage ordinary end-user programs like web browsers, file transfer clients and native system tools for command and control and data exfiltration activity. The most mundane applications, in the wrong hands, can be used for malicious purposes.
Attackers use common networking tools in order to conduct “low and slow” attack activities while avoiding detection. Sophisticated attackers using these tools—rather than known or unknown malware—can typically work undetected for an average of five months, according to multiple industry reports.
Once inside a network, an attacker must learn about the network that they’ve compromised and map its resources and vulnerabilities. The highest frequency attacker activity found in this study was reconnaissance followed by lateral movement and then command and control communication.
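The report's central point is that post-intrusion activity must be found from the attacker's operational behaviour (reconnaissance, lateral movement, command and control) rather than from malware signatures. The following is an added illustration of what that kind of behavioural detection looks like over ordinary connection logs; it is example code written for this article, not LightCyber's product or anything from the report. The process names, the baseline of "hosts this user normally administers", the thresholds and the log records are all constructed assumptions chosen to exercise the two detectors: a sweep/scan detector for reconnaissance and a "new admin behaviour" detector for lateral movement with legitimate tools.

```python
"""Behaviour-based detection over connection logs (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Conn:
    """One outbound connection as an endpoint or flow sensor might record it."""
    ts: datetime
    user: str
    src: str
    dst: str
    dport: int
    proc: str  # client process that opened the connection

# Assumed list of legitimate admin tools worth profiling per user (hypothetical).
ADMIN_TOOLS = {"securecrt.exe", "putty.exe", "psexec.exe", "teamviewer.exe"}
# Constructed baseline: (user, tool) -> hosts that user normally reaches with it.
BASELINE = {("alice", "securecrt.exe"): {"10.0.0.5", "10.0.0.6"}}

WINDOW = timedelta(minutes=5)  # sliding window for reconnaissance counting
SWEEP_HOSTS = 20               # distinct hosts from one source -> network sweep
SCAN_PORTS = 15                # distinct ports on one host -> port scan


def detect_recon(conns):
    """Flag sources that touch many hosts, or many ports on one host, in WINDOW.

    This keys on the behaviour of tools like Angry IP Scanner or Nmap, not on
    the tool itself: any process producing the same fan-out is flagged.
    """
    alerts = set()
    by_src = defaultdict(list)
    for c in conns:
        by_src[c.src].append(c)
    for src, events in by_src.items():
        events.sort(key=lambda c: c.ts)
        start = 0
        for end, ev in enumerate(events):
            while ev.ts - events[start].ts > WINDOW:  # slide window forward
                start += 1
            window = events[start:end + 1]
            if len({e.dst for e in window}) >= SWEEP_HOSTS:
                alerts.add(("network_sweep", src, "-"))
            ports = defaultdict(set)
            for e in window:
                ports[e.dst].add(e.dport)
            for dst, p in ports.items():
                if len(p) >= SCAN_PORTS:
                    alerts.add(("port_scan", src, dst))
    return sorted(alerts)


def detect_new_admin_behavior(conns):
    """Flag admin-tool use outside a user's baseline (lateral-movement signal).

    A user running an admin tool they have no history with, or reaching a host
    they never administer, is 'new admin behaviour' even though the tool is
    entirely legitimate.
    """
    alerts = []
    for c in conns:
        if c.proc not in ADMIN_TOOLS:
            continue
        known = BASELINE.get((c.user, c.proc))
        if known is None:
            alerts.append(("new_admin_tool", c.user, c.proc, c.dst))
        elif c.dst not in known:
            alerts.append(("new_admin_target", c.user, c.proc, c.dst))
    return alerts


T0 = datetime(2016, 7, 1, 9, 0, 0)


def sample_events():
    """Constructed log: normal traffic plus one sweep, one scan, two admin anomalies."""
    ev = [
        Conn(T0, "alice", "10.0.1.10", "10.0.0.5", 22, "securecrt.exe"),       # baseline
        Conn(T0 + timedelta(minutes=1), "alice", "10.0.1.10", "10.0.0.9", 22, "securecrt.exe"),
        Conn(T0 + timedelta(minutes=2), "carol", "10.0.1.11", "10.0.0.5", 22, "putty.exe"),
        Conn(T0 + timedelta(minutes=3), "bob", "10.0.1.12", "10.0.0.80", 443, "chrome.exe"),
    ]
    for i in range(1, 26):   # 25 hosts on one port within a minute: sweep
        ev.append(Conn(T0 + timedelta(seconds=i), "svc", "10.0.1.50", f"10.0.0.{i}", 445, "angryip.exe"))
    for p in range(1, 21):   # 20 ports on one host: port scan
        ev.append(Conn(T0 + timedelta(seconds=p), "svc", "10.0.1.51", "10.0.0.7", p, "nmap.exe"))
    return ev


if __name__ == "__main__":
    events = sample_events()
    for a in detect_recon(events) + detect_new_admin_behavior(events):
        print(a)
```

Both detectors deliberately ignore whether the process is "malicious": the sweep and scan logic would fire on any process with that fan-out, and the admin-tool logic fires on SecureCRT or PuTTY only when the user-to-host pairing is new. In practice the baseline would be learned from weeks of history rather than hard-coded, and the thresholds tuned to the environment's normal administration patterns.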
“The new Cyber Weapons Report uniquely reveals that malware is not the mechanism that network attackers use once they circumvent preventative security and compromise a network,” said Jason Matlof, executive vice president, LightCyber. “Despite these increasingly well understood realities, our industry still has an unshakable obsession with malware. With the increasing incidence of successful data breaches and theft of company secrets, it’s clear that the conventional malware-focused security infrastructure is insufficient, and we must develop new techniques to find active attackers using their operational activities.”