It’s become repetitive, but infosec experts continue insist CISOs assume their networks have been compromised and plan their strategies accordingly.

A recent report provides evidence to buttress that assumption: Vectra Networks, which makes advanced persistent threat detection appliances, says metadata from 40 customer network it analyzed showed one or more indicators of a targeted (as opposed to opportunistic) attack in every company that bypassed any defence the organization threw up. Not only that, three per cent of the companies showed evidence of data theft. The report doesn’t say if these firm knew they’d been plundered.

It discovered 46,610 threats across over 248,198 hosts in those 40 firms. According to an interview the vendor gave to CSO Online, the customers and prospects that supplied the data ranged in size from less than 1,000 users up to large companies with 50,000.

While a three per cent data theft rate may not be good news to most CISOs, the report says this is proof theft is “rarely observed,” suggesting “organizations have been able to detect and remediate threats before a loss occurs.”

But it does have conclusions about the metadata and where the threats were on networks compared to a similar study done last fall: There was a 580 per cent increase in lateral movement techniques along with a 270 per cent increase in internal reconnaissance. “A spike in these behaviors may indicate that attackers are increasingly successful at penetrating perimeter defenses,” the report says.

Vectra identifies five stages of an attack after successful penetration (although not all attacks have every phase):  Establishment of command-and-control communications; installing a botnet to attack every host on the network, including leveraging spam and DDoS attacks; internal reconnaissance; lateral movement to steal credentials; and data exfiltration.

Of the metadata Vectra looked at over 34 per cent of detections showed evidence there had already been lateral movements that had spread malware; 32 per cent had evidence that command and control malware had been installed; botnet-related behaviors accounted for 18 per cent of all detections; and 13 per cent showed evidence of  internal reconnaissance.

Assuming this data can be extrapolated for all mid and large-sized Canadian companies, there is already a successful attack on your network. Thirty-four per cent of you already have malware that is hunting for credentials and three per cent of you have already lost data.