LightCyber’s research found that around 99% of post-intrusion attack activity did not involve malware at all; instead, attackers relied on conventional networking and administration tools. The likely motive is to stay under the radar for as long as possible: once the initial breach has succeeded, legitimate tools attract far less scrutiny from malware-focused defences than custom code would.
LightCyber found that attackers tend to use common administrator and desktop tools for reconnaissance and lateral movement within a network, rather than the malware one might expect.
Remote-access tools such as TeamViewer and WinVNC are regularly used by attackers to move laterally through a network once they have gained initial access via spear-phishing or other techniques. Attackers have also turned ordinary end-user programs such as browsers and FTP clients, along with native system tools, to data exfiltration and command-and-control traffic.
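The practical consequence of this finding is that a signature for TeamViewer or ftp.exe is useless, because the binaries are legitimate; what distinguishes misuse is context (which host, which account, where the traffic goes, how much leaves). The following is an added illustration of that idea, not code from LightCyber or from the original article. The log lines are constructed, and the allowlists (approved help-desk hosts, support accounts, internal ranges, the 50 MiB transfer threshold) are hypothetical values an organisation would replace with its own baseline.

```python
"""
Context-based triage of dual-use tools (added example; not from the
LightCyber report). Sample log lines and allowlists are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Tools the article names as lateral-movement vehicles.
REMOTE_ADMIN_TOOLS = {"teamviewer.exe", "winvnc.exe"}
# Ordinary clients the article names as exfiltration/C2 channels
# (process names are assumptions for illustration).
CLIENT_TRANSFER_TOOLS = {"ftp.exe", "chrome.exe", "firefox.exe"}

# Hypothetical baseline: where remote-admin tooling is expected and who may drive it.
APPROVED_REMOTE_ADMIN_HOSTS = {"helpdesk-01", "helpdesk-02"}
SUPPORT_ACCOUNTS = {"svc_helpdesk"}

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]
LARGE_TRANSFER_BYTES = 50 * 1024 * 1024  # hypothetical threshold


def parse_event(line: str) -> Dict[str, str]:
    """Parse a constructed 'key=value key=value ...' endpoint event."""
    return dict(kv.split("=", 1) for kv in line.split())


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(ev: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the event is suspicious in context, else None."""
    proc = ev.get("process", "").lower()
    if proc in REMOTE_ADMIN_TOOLS:
        # The tool itself is legitimate; flag it only outside its approved role.
        if ev.get("host") not in APPROVED_REMOTE_ADMIN_HOSTS:
            return "remote-admin tool on a host with no approved remote-admin role"
        if ev.get("user") not in SUPPORT_ACCOUNTS:
            return "remote-admin tool driven by a non-support account"
        return None
    if proc in CLIENT_TRANSFER_TOOLS:
        dest = ev.get("dest")
        sent = int(ev.get("bytes_out", "0"))
        # Browsers and FTP clients talk externally all day; volume plus
        # destination is what separates exfiltration from normal use.
        if dest and not is_internal(dest) and sent >= LARGE_TRANSFER_BYTES:
            return "large outbound transfer to an external address by an ordinary client"
    return None


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Run classify() over log lines; return (host, reason) for each finding."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reason = classify(ev)
        if reason:
            findings.append((ev["host"], reason))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    "host=helpdesk-01 user=svc_helpdesk process=TeamViewer.exe dest=10.0.5.12 bytes_out=20480",
    "host=finance-07 user=bob process=TeamViewer.exe dest=10.0.5.40 bytes_out=10240",
    "host=helpdesk-02 user=jdoe process=winvnc.exe dest=10.0.7.3 bytes_out=4096",
    "host=finance-07 user=bob process=chrome.exe dest=203.0.113.9 bytes_out=10485760",
    "host=finance-07 user=bob process=ftp.exe dest=203.0.113.9 bytes_out=734003200",
    "host=eng-22 user=alice process=notepad.exe",
]

if __name__ == "__main__":
    for host, reason in triage(SAMPLE_LOG):
        print(f"{host}: {reason}")
```

The help-desk operator's TeamViewer session passes untouched, while the same binary on a finance workstation, a VNC server started by an account outside the support group, and a 700 MiB FTP upload to an external address are all surfaced. None of these would trip antivirus, which is exactly the gap the report describes.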
LightCyber’s study involved monitoring organisations ranging in size from 1,000 to 50,000 endpoints, across a variety of industries, over a period of six months.
Reconnaissance was the most commonly identified attacker activity during the study, followed by lateral movement and then command-and-control communication.
Another notable finding was that more than 70% of the active malware used for the initial intrusion was detected at only a single site. This suggests the malware was either polymorphic or customised for a specific target, rather than reused across victims.