Today’s reality is that security breaches are a given. Sophisticated attackers are too numerous and too determined to get caught by perimeter defenses. A new VMware Threat Analysis Unit report bears this out. In North-by-South-West: See What Evaded Perimeter Defenses, the findings are clear: despite a cadre of perimeter defenses being deployed, malicious actors are actively operating in the network. The research presents a clear picture of how attackers evade perimeter detection, infect systems, and then attempt to spread laterally across the network to execute their objective.
Watch Chad Skipper, Global Security Technologist, provide an overview of the findings.
Key insights include:
- The best offense is to evade defense: Threat actors’ first order of business is to evade detection. Defense evasion is the most frequently encountered MITRE ATT&CK® tactic used by malware, followed by execution and discovery.
- Email attacks lead the pack: Email continues to be the most common attack vector for gaining initial access, with more than four percent of all business emails analyzed containing a malicious component.
- ZIP-ing through defenses: More than half of all malicious artifacts analyzed were delivered in a ZIP archive. Attackers have massively scaled up operations via an email campaign weaponizing ZIP file attachments with malicious content.
- Separating the beaconing signal from the noise: More than half of the network anomalies detected are unusual beaconing, followed by connections on suspicious ports and anomalous connections between two hosts.
- Mining for trouble: In the corporate network, events associated with crypto mining activity account for a quarter of all known threats.
- In the clear for all (bad actors) to see: The most common bad security practice detected is the transmission of clear-text passwords over the network, which can provide attackers the keys to the kingdom, enabling them to move laterally and exfiltrate data.
- When it’s commonly used, it’s commonly abused: More than 75 percent of lateral movement events identified were conducted using Remote Desktop Protocol (RDP), often with stolen credentials used to log in to other hosts on the network.
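The beaconing finding above is the one most defenders will want to act on, so here is an added example of the basic detection idea: command-and-control beacons tend to call home at near-constant intervals, so a flow that repeats with a low coefficient of variation in its inter-connection gaps stands out from ordinary browsing. This is illustrative code written for this summary, not code from VMware or the report; the connection log is constructed, and the thresholds (at least four intervals, coefficient of variation at most 0.2) are assumptions to be tuned against real traffic.

```python
"""Flag periodic (beacon-like) connections in a simple connection log.

Added example, not from the VMware report. Input format is assumed:
one connection per line, "timestamp src dst dport".
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. 10.0.0.5 contacts 203.0.113.7:443 roughly every
# 60 seconds (beacon-like); 10.0.0.9 contacts 198.51.100.2:443 in irregular
# bursts (browsing-like).
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 203.0.113.7 443
2024-01-01T10:01:01 10.0.0.5 203.0.113.7 443
2024-01-01T10:02:00 10.0.0.5 203.0.113.7 443
2024-01-01T10:03:01 10.0.0.5 203.0.113.7 443
2024-01-01T10:03:59 10.0.0.5 203.0.113.7 443
2024-01-01T10:05:00 10.0.0.5 203.0.113.7 443
2024-01-01T10:00:10 10.0.0.9 198.51.100.2 443
2024-01-01T10:00:12 10.0.0.9 198.51.100.2 443
2024-01-01T10:07:45 10.0.0.9 198.51.100.2 443
2024-01-01T10:08:00 10.0.0.9 198.51.100.2 443
2024-01-01T10:25:30 10.0.0.9 198.51.100.2 443
2024-01-01T10:26:00 10.0.0.9 198.51.100.2 443
"""


def parse_log(text):
    """Group connection timestamps by (src, dst, dport) flow key."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(timestamps):
    """Return (interval_count, mean_gap_seconds, coefficient_of_variation).

    A low coefficient of variation means the gaps between connections are
    nearly identical, which is the signature of a timer-driven beacon.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return len(gaps), 0.0, float("inf")
    mu = mean(gaps)
    cv = pstdev(gaps) / mu if mu > 0 else float("inf")
    return len(gaps), mu, cv


def find_beacons(flows, min_intervals=4, max_cv=0.2):
    """Return flows whose timing regularity exceeds the (assumed) thresholds."""
    hits = []
    for key, times in flows.items():
        n, mu, cv = beacon_score(times)
        if n >= min_intervals and cv <= max_cv:
            hits.append((key, n, mu, cv))
    return hits


if __name__ == "__main__":
    for (src, dst, dport), n, mu, cv in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"beacon-like: {src} -> {dst}:{dport} "
              f"({n} intervals, ~{mu:.0f}s apart, cv={cv:.3f})")
```

Real beacons add jitter to defeat exactly this check, so a production detector should also consider the number of distinct destinations per host, long-lived low-volume sessions, and the suspicious-port and host-to-host anomalies the report lists alongside beaconing; the interval test is a starting point, not a complete answer.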