A new report reveals that there is a major security gap that is obvious, important and urgent: the ability to know if privileged accounts and services are compromised. It is continuing proof that traditional access-based approaches that rely on one-time security gating decisions or predefined lists of privileged identities continue to fail.

The Vectra 2020 RSA Conference Edition of the Attacker Behavior Industry Report and Spotlight Report on Privilege Access Analytics Report provides an analysis of active and persistent attacker behaviors from more than five million workloads and devices from customer cloud, data center and enterprise environments.

Key findings from the report:

  • Potentially malicious privilege access from an unknown host was the most common privileged access anomaly behavior observed, accounting for 74 percent of all privilege access anomaly behavior detections. These are similar to the behaviors found in the Capital One breach.
  • Across all industries, in the six-month period from July to December 2019, there was an average of 215 attacker behavior detections per 10,000 hosts with a peak of 252 in July 2019. This is lower than the 282 attacker behaviors per 10,000 hosts experienced in the first half of 2019.
  • It is rare to see large volumes of TOR traffic in any organization as it serves few if any legitimate business purposes, says the report. Across all industries TOR averaged 3 detections per 10,000 hosts. In December 2019, it averaged 19 detections per 10,000 hosts driven by a spike in December in technology companies in the Asia-Pacific region.
  • Government agencies detected the lowest rate of reconnaissance behaviors, at 93 per 10,000 hosts, while finance and insurance organizations detected the highest at 32 per 10,000 hosts.
  • File server (SMB) brute force behaviors attempting to crack user passwords were observed a year-high 22 times per 10,000 hosts in July. Over the rest of the year (August-December), SMB brute force was observed 14 times per 10,000 hosts.
  • Finance and insurance, healthcare and education organizations exhibited the most privilege access anomaly behaviors. These three industries together account for almost half (47 percent) of all privilege access anomaly behavior detections.
  • Technology (138 detections per 10,000) and education organizations (102 detections per 10,000) remain the most common sectors to exhibit command & control behaviors, nearly 3 times more than the average across other industries.
  • Small companies (0 to 5,000 employees) are more at risk of lateral movement attacks. Small companies observed 112 lateral movement behaviors per 10,000 hosts, nearly twice that of medium and larger sized companies.

"Finance and insurance have become technology companies with a large volume of servers and remote devices. They deal with large volumes of data daily. As they have a global footprint, many require remote access to function," says Chris Morales, Head of Security Analytics at Vectra. He adds that it is surprising that finance and insurance industries exhibited the most privilege access anomaly behaviors. "It is surprising as in finance and insurance are considered forward leaning and proactive in cyber security. They are generally more mature in their practices than seen in other industries. But even in those organizations, privilege is managed and not observed. It is easy to miss overly abundant access rights and it is difficult to track and monitor how that access is used."

The report highlights the importance of privileged access as a key part of lateral movement in cyberattacks. It says that adversaries leverage privileged accounts to gain unauthorized access to the most critical assets that an organization relies on.

In addition, Morales says that privileged access is a top the priority among security practitioners. "Privileged access is a key part of lateral movement in cyber-attacks because it leads to the most valuable capabilities and information because privileged accounts have the widest range of access to critical information," he says. "Adversaries and security practitioners are both aware of the exposure and risk of privileged access. A recent report from Gartner reveals privileged access as the top priority among security practitioners. Additionally, Forrester estimates that 80 percent of security breaches involve privileged accounts. Yet nearly every breach involves some form of privilege access abuse." 

However, organizations and security operations teams can benefit from automating the process of detection, triage, correlation and prioritization of security incidents help security operations teams, notes Morales. "The detection/triage process is perhaps the most tedious aspect of security operations that consumes a large portion of analyst time. If an analyst is stuck in this lower level of operations, they never get to focus on the more valuable aspect of threat hunting and proactive assessment of current conditions. This is especially true on smaller teams that can’t keep up with the volume of events they receive every day," he says.