Network security provider LightCyber recently released Cyber Weapons Report 2016, an industry study that reveals the top tools attackers use to tunnel into a system after network penetration and execute a data breach.

The study analyzed network activity from hundreds of thousands of endpoints monitored by LightCyber’s Magna Behavioral Attack Detection platform. Spanning a six-month time period, the study touched multiple industries such as finance, healthcare, transportation, government and telecommunications.

The most common attack tools observed in the study were classified into four categories: networking and hacking tools, admin tools, remote desktop tools and malware. The study’s most surprising finding was that while malware is on the rise as a means for hackers to gain entry to a network, the study found that 99 percent of post-intrusion cyber-attack activities leveraged standard networking and IT administration tools.

The report stated that an IP address and port scanner called Angry IP Scanner, for instance, was the top networking and hacking tool used by attackers to achieve malicious goals once inside a network, accounting for 27 percent of incidents. Nmap, a network discovery and security auditing tool, was a close second.

With IT administrative tools, the report showed that malicious activity typically triggered lateral movement anomalies like new admin behavior, remote code execution and reverse connection. SecureCRT, an integrated SSH and Telnet client, took the top spot in that category, representing 28.5 percent of incidents from the top ten most used admin tools.

Meanwhile, over in the remote desktop tools category, TeamViewer accounted for 37 percent of incidents from the top ten tools list. The report found that even seemingly-innocuous programs such as web browsers, file transfer clients and native system tools can be twisted to serve the needs of an attacker.

LightCyber says these types of attacks are usually “low and slow,” where bad actors work under the radar for several months inside a system, conducting activities like reconnaissance to map a network’s resources and vulnerabilities, lateral movement and, eventually, command and control communication.

“The new Cyber Weapons Report uniquely reveals that malware is not the mechanism that network attackers use once they circumvent preventative security and compromise a network,” said Jason Matlof, executive vice president, LightCyber. “Despite these increasingly well understood realities, our industry still has an unshakable obsession with malware. With the increasing incidence of successful data breaches and theft of company secrets, it’s clear that the conventional malware-focused security infrastructure is insufficient, and we must develop new techniques to find active attackers using their operational activities.”