Report: Cryptocurrency mining runs rampant in higher education

Vectra today announced that the higher education sector exhibited a startling increase in potentially damaging cryptocurrency mining behaviors as part of the company’s key findings in the new 2018 RSA Conference Edition of its Attacker Behavior Industry Report.

The report reveals cyberattack detections and trends from a sample of 246 opt-in enterprise customers using the Vectra Cognito platform, across 14 different industries. From August 2017 through January 2018, Cognito monitored traffic and collected metadata from more than 4.5 million devices and workloads from customer cloud, data center and enterprise environments. By analyzing this metadata, the Vectra Cognito platform detected hidden attacker behaviors and identified business risks that enabled its customers to avoid catastrophic data breaches.

As sophisticated cyberattackers automate and increase the efficiencies of their own technology, there is an urgent need to augment information security with AI-based detection and response tools to stop threats faster. The Vectra Attacker Behavior Industry Report takes a multidisciplinary approach that spans all strategic phases of the attack lifecycle, presenting data by specific industries that highlight relevant differences between them.

Key findings from the report include:

• Cryptocurrency mining is a mounting problem: Considered opportunistic, mining surged with the rising price of cryptocurrencies like Bitcoin, Monero and Ethereum. Of all the cryptocurrency mining detections, 60 percent occurred in higher education, followed by entertainment and leisure (6 percent), financial services (3 percent), technology (3 percent), and healthcare (2 percent). Cryptocurrency mining involves converting electricity to monetary value through computational resources. Free electrical power and internet access for students might account for the spike in higher education.
• The highest volume of attacker behaviors per industry were in higher education (3,715 detections per 10,000 devices) followed by engineering (2,918 detections per 10,000 devices). This is primarily due to command-and-control (C&C) activity in higher education and internal reconnaissance activity in engineering.
• C&C activity in higher education, with 2,205 detections per 10,000 devices, is four-times above the industry average of 460 detections per 10,000 devices. These early threat indicators usually precede other stages of an attack and are often associated with opportunistic botnet behaviors in higher education.
• Government and technology sectors have the lowest detection rates, with 496 and 349 detections per 10,000 devices, respectively. This could indicate the presence of stronger policies, mature response capabilities and better control of the attack surface.
• When normalizing detections per 10,000 devices compared to the previous year, there is a sharp increase across every industry – C&C (37 percent), internal reconnaissance (31 percent), lateral movement (24 percent), and a nominal increase in data exfiltration detections (6 percent).

“Security operations and analytics platform architecture (SOAPA) is helping to accelerate technology innovation, ease integration and enhance the value of existing security technologies,” said Jon Oltsik, senior principal analyst, Enterprise Strategy Group. “According to recent ESG research, 12 percent of enterprise organizations have already deployed Artificial Intelligence (AI)-based security analytics extensively, and 27 percent have deployed AI-based security analytics on a limited basis. This latest report from Vectra provides important visibility into attacker behaviors within organizations, that have bypassed perimeter security controls and observations of attack progression after an initial compromise.”

The Cognito platform automates the hunt for hidden cyberthreats by continuously analyzing network traffic logs and cloud events to detect attacker behaviors inside the network. In addition to automatically correlating detected threats with host devices that are under attack, Cognito provides unique context about what attackers are doing and prioritizes threats that pose the highest risk. Using AI, Cognito combines data science, machine learning and behavioral analytics to reveal attacker behaviors without signatures or reputation lists.

“Combining security analytics with human understanding gives us compelling new insights into attacker behaviors on a global scale across cloud, data center and enterprise environments,” said Chris Morales, head of security analytics at Vectra. “Ultimately, this insight enables Vectra customers to make better-informed decisions that strengthen security posture and reduce business risk.”

The data in this report is based on anonymized metadata from Vectra customers who have opted to share detection metrics. The Cognito platform identifies behaviors that indicate in-progress attacks by directly monitoring all traffic and relevant logs, including traffic to and from the internet, internal traffic between network devices, and virtualized workloads in private data centers and public clouds. This analysis provides important visibility into advanced phases of attacks.