Positive Technologies experts have analyzed the results of network activity monitoring at 41 companies where PT Network Attack Discovery (PT NAD) was deployed as a pilot project [1]. Suspicious network activity was detected at most of the companies, and malware was found at every industrial company and government institution in the sample.
Pilot projects revealed suspicious network activity at 90 percent of the companies, including traffic hiding, the running of network scanning tools, and attempts at remote process execution. The experts note that NDR [2] systems make it possible not only to detect suspicious activity promptly, but also to look back through a host's network activity history and verify whether similar attempts occurred earlier.
Positive Technologies analyst Olga Zinenko said: "The transition of companies to remote work affected, among other things, network activity, as there are now more hosts accessible for RDP connection. Such connections must be strictly controlled, because the number of attacks via remote access protocols tripled in 2020."
Non-compliance with information security policies was found at every company tested. One of the most frequently detected violations was the use of insecure data transfer protocols (64 percent). According to the experts, this means sensitive data is transmitted in cleartext, so anyone who can capture traffic on the corporate network, including an attacker who has gained a foothold, can search it for sensitive information such as usernames and passwords.
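The following is an added example, not code from the article or from PT NAD, showing the two views an NDR operator actually wants of this finding: how often cleartext protocols are used at all (the policy violation), and in which sessions a username and password were visible on the wire (the exposure). The sessions, hosts and credentials are constructed for the example; the port-to-protocol table and the regexes are simplifying assumptions, and the report deliberately records only the length of a captured secret, never the secret itself.

```python
import base64
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import parse_qs

# Ports whose usual protocol carries credentials unencrypted (assumed mapping).
# A session on one of these ports is already a policy finding; the payload
# check below confirms whether a login actually crossed the wire in the clear.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP", 110: "POP3", 143: "IMAP"}

# Constructed sample sessions (not real captures). Each tuple is
# (client, server, dst_port, reassembled client-to-server stream). The Telnet
# sample is simplified: a real session sends one keystroke per packet and the
# prompts come from the server side.
SAMPLE_SESSIONS = [
    ("10.0.1.15", "10.0.2.7", 21, b"USER backup\r\nPASS Winter2020!\r\n"),
    ("10.0.1.15", "10.0.2.9", 80, b"GET /admin HTTP/1.1\r\nHost: intranet\r\n"
                                  b"Authorization: Basic YWRtaW46UEBzc3cwcmQ=\r\n\r\n"),
    ("10.0.1.22", "10.0.2.9", 80, b"POST /login HTTP/1.1\r\nHost: intranet\r\n"
                                  b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                                  b"username=jdoe&password=Summer%212021"),
    ("10.0.1.30", "10.0.2.11", 110, b"USER jdoe\r\nPASS mailpass\r\n"),
    ("10.0.1.40", "10.0.2.12", 23, b"login: root\r\nPassword: toor\r\n"),
    ("10.0.1.70", "10.0.2.9", 80, b"GET /news HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    ("10.0.1.50", "10.0.2.13", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # TLS ClientHello
    ("10.0.1.50", "10.0.2.14", 22, b"SSH-2.0-OpenSSH_8.4\r\n"),
]

@dataclass
class Finding:
    protocol: str
    client: str
    server: str
    username: str
    secret_len: int  # length only: the report must not become a second copy of the secret

def _user_pass(text, user_re, pass_re):
    """Two-line login dialogs (FTP, POP3, Telnet): return (user, secret) or None."""
    u = re.search(user_re, text, re.M)
    p = re.search(pass_re, text, re.M)
    return (u.group(1), p.group(1)) if u and p else None

def _imap(text):
    m = re.search(r'^\S+ LOGIN "?([^\s"]+)"? "?([^\s"]+)"?', text, re.M)
    return (m.group(1), m.group(2)) if m else None

def _http(text):
    """HTTP Basic header first, else a urlencoded login form in the body."""
    m = re.search(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", text, re.M | re.I)
    if m:
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # malformed base64: nothing to extract
            return None
        user, _, secret = decoded.partition(":")
        return user, secret
    head, _, body = text.partition("\r\n\r\n")
    if re.search(r"^Content-Type:\s*application/x-www-form-urlencoded", head, re.M | re.I):
        form = parse_qs(body)
        user_key = next((k for k in ("username", "user", "login", "email") if k in form), None)
        pass_key = next((k for k in ("password", "passwd", "pass") if k in form), None)
        if user_key and pass_key:
            return form[user_key][0], form[pass_key][0]
    return None

EXTRACTORS = {
    "FTP": lambda t: _user_pass(t, r"^USER (\S+)", r"^PASS (\S+)"),
    "POP3": lambda t: _user_pass(t, r"^USER (\S+)", r"^PASS (\S+)"),
    "Telnet": lambda t: _user_pass(t, r"^login: (\S+)", r"^Password: (\S+)"),
    "IMAP": _imap,
    "HTTP": _http,
}

def cleartext_protocol_usage(sessions):
    """Policy view: how often each cleartext protocol was used at all."""
    return Counter(CLEARTEXT_PORTS[p] for _, _, p, _ in sessions if p in CLEARTEXT_PORTS)

def find_cleartext_logins(sessions):
    """Exposure view: sessions in which a username and password were visible in the clear."""
    findings = []
    for client, server, port, payload in sessions:
        proto = CLEARTEXT_PORTS.get(port)
        if proto is None:
            continue
        creds = EXTRACTORS[proto](payload.decode("latin-1"))  # latin-1 never raises; bytes map 1:1
        if creds:
            findings.append(Finding(proto, client, server, creds[0], len(creds[1])))
    return findings

if __name__ == "__main__":
    print(dict(cleartext_protocol_usage(SAMPLE_SESSIONS)))
    for f in find_cleartext_logins(SAMPLE_SESSIONS):
        print(f"{f.protocol:6} {f.client} -> {f.server}: user={f.username!r} secret_len={f.secret_len}")
```

Running it on the constructed sessions reports HTTP three times (two of them with credentials), FTP, POP3 and Telnet once each, and skips the TLS and SSH sessions. The plain `GET /news` session shows why the two views are kept apart: it is a policy violation on its own even though no credential was exposed in it.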
In 2020, pilot projects involving network activity monitoring and the detection of complex threats identified 36 malware families, among them the WannaCry ransomware and the banking trojans RTM, Ursnif, and Dridex. Malware was detected at 68 percent of the analyzed companies; government institutions and industrial companies were infected in 100 percent of cases. At one company in three, the experts detected attempts to exploit software vulnerabilities.
Positive Technologies product marketing manager Nataliya Kazankova said: "Indicators of compromise are sometimes unknown at the time of attack. That is why it is vital not only to analyze traffic in real time, but also to conduct a retrospective analysis that takes new information into account. Saving copies of traffic and rescanning them with an NDR system makes it possible to conduct a thorough investigation and detect attacker actions even for incidents that happened earlier."
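As an added example (not code from the article or from PT NAD), the retrospective analysis described in the quote above and the "were there other similar attempts" check from the earlier paragraph on NDR, reduced to their core: a store of session metadata is rescanned against an indicator list that arrived after the sessions happened, every hit is flagged as pre- or post-publication, and the history of one host is pulled for a peer and port. The session records, indicator feed, hosts and addresses are constructed (documentation ranges and `.example` names); a real sensor stores far more fields, but the matching logic is the same.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Session:
    ts: datetime
    src: str     # internal host
    dst: str     # peer address
    dport: int
    host: str    # HTTP Host header or TLS SNI seen in the session, "" if none

@dataclass(frozen=True)
class Indicator:
    kind: str            # "domain", "ip" or "cidr"
    value: str
    published: datetime  # when the feed made the indicator available to us
    label: str

# Constructed session history (not real telemetry): what a sensor had stored
# during the week before the indicators below were published.
HISTORY = [
    Session(datetime(2020, 11, 2, 9, 14), "10.0.1.15", "203.0.113.45", 443, "update-cdn.example"),
    Session(datetime(2020, 11, 2, 9, 15), "10.0.1.15", "10.0.2.7", 445, ""),
    Session(datetime(2020, 11, 3, 22, 41), "10.0.1.22", "198.51.100.9", 8080, ""),
    Session(datetime(2020, 11, 4, 3, 5), "10.0.1.15", "203.0.113.46", 443, "update-cdn.example"),
    Session(datetime(2020, 11, 5, 11, 0), "10.0.1.30", "192.0.2.80", 443, "www.example.com"),
    Session(datetime(2020, 11, 6, 2, 17), "10.0.1.22", "198.51.100.9", 8080, ""),
    Session(datetime(2020, 11, 8, 14, 2), "10.0.1.22", "198.51.100.9", 8080, ""),
]

# Constructed feed update; nothing here refers to real infrastructure.
NEW_IOCS = [
    Indicator("domain", "update-cdn.example", datetime(2020, 11, 7, 10, 0), "C2 domain (constructed)"),
    Indicator("cidr", "198.51.100.0/24", datetime(2020, 11, 7, 10, 0), "C2 netblock (constructed)"),
]

def matches(ioc, s):
    """True if the stored session touches the indicator (domain matches subdomains too)."""
    if ioc.kind == "domain":
        return s.host == ioc.value or s.host.endswith("." + ioc.value)
    if ioc.kind == "ip":
        return s.dst == ioc.value
    if ioc.kind == "cidr":
        return ipaddress.ip_address(s.dst) in ipaddress.ip_network(ioc.value, strict=False)
    raise ValueError(f"unknown indicator kind {ioc.kind!r}")

@dataclass(frozen=True)
class Hit:
    session: Session
    ioc: Indicator
    pre_publication: bool  # True if the contact happened before the IOC was known to us

def rescan(history, iocs):
    """Retrospective scan of stored sessions against a newly received indicator list."""
    return [Hit(s, i, s.ts < i.published)
            for s in sorted(history, key=lambda s: s.ts)
            for i in iocs if matches(i, s)]

def first_contact(hits):
    """Earliest matching session per internal host, for triage ordering."""
    first = {}
    for h in hits:
        src = h.session.src
        if src not in first or h.session.ts < first[src].ts:
            first[src] = h.session
    return first

def host_history(history, src, dst=None, dport=None):
    """All stored sessions of one host, optionally narrowed to a peer and/or port:
    the check for earlier similar attempts once a host has raised an alert."""
    return [s for s in sorted(history, key=lambda s: s.ts)
            if s.src == src and dst in (None, s.dst) and dport in (None, s.dport)]

if __name__ == "__main__":
    hits = rescan(HISTORY, NEW_IOCS)
    for h in hits:
        when = "before IOC published" if h.pre_publication else "after IOC published"
        print(f"{h.session.ts:%Y-%m-%d %H:%M} {h.session.src} -> {h.session.dst}:{h.session.dport} "
              f"matches {h.ioc.label} ({when})")
    print({src: s.ts.isoformat() for src, s in first_contact(hits).items()})
    print(len(host_history(HISTORY, "10.0.1.22", dport=8080)), "sessions from 10.0.1.22 to port 8080")
```

On the constructed data the rescan returns five hits, four of which predate the indicators' publication and so would never have fired as real-time alerts; `first_contact` orders the two affected hosts by when they first reached the indicator, and `host_history` shows that 10.0.1.22 had three sessions to the same peer and port, not one. The pre-publication flag matters for retention policy: how far back the store reaches is exactly how far back this analysis can see.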
How is your company being attacked?
Check your network and perimeter. Request a free PT NAD pilot.
- [1] The dataset consists only of pilot projects for which clients consented to analysis of network activity monitoring results and publication of depersonalized data.
- [2] NDR stands for network detection and response. Network detection and response systems are used to detect attacks inside the infrastructure and on the perimeter. They are also known as network traffic analysis (NTA) systems.