Forensics of real cyber attacks reveals attackers' tactics

SophosNews


A detailed investigation of the cases handled by the Sophos Incident Response team shows that attackers spend less and less time inside a compromised network before launching their attack. That is the finding of the Sophos Active Adversary Report for Tech Leaders 2023. Attackers also need less than a day to gain access to Active Directory, and the majority of ransomware attacks are launched outside business hours.

Sophos today releases its Active Adversary Report for Tech Leaders 2023. The report provides a detailed look at attacker behavior and tooling in the first half of 2023. It is based on an analysis of the incident response (IR) cases handled by Sophos from January to July 2023 and finds that attacker dwell time, the period between initial access and detection, continues to shrink; in the comparable period in 2022 it had already fallen from 15 to 10 days.

High risk for a network's crown jewels

Active Directory (AD) typically manages identities and access to resources in an organization. Once attackers have access to AD, they can escalate privileges within the domain and carry out a wide range of malicious activities.

“An attack on a company’s Active Directory makes sense from a cybercriminal perspective. The AD is typically the most powerful and privileged system in the network, providing extensive access to additional systems, applications, resources and data that attackers can exploit in their attacks. If an attacker controls the Active Directory, they can control the entire company. This escalation potential and the high recovery effort of an Active Directory are the reasons why it is so targeted,” says John Shier, Field CTO at Sophos.

Reaching and gaining control of the Active Directory server in the attack chain provides attackers with several advantages. They can linger unnoticed to plan their next move. Once ready, they continue to penetrate the victim's network unhindered. Fully recovering a compromised domain can be a lengthy and arduous process. Such an attack damages the security foundation on which an organization's infrastructure relies. Very often, a successful AD attack means a security team has to start from scratch.

Ransomware: shorter dwell time

The dwell time for ransomware attacks has decreased as well. Ransomware was the most common attack type in the IR cases analyzed, at 69%, and its average dwell time was only five days. In 81% of ransomware attacks, the final payload was launched outside normal working hours. Of the attacks carried out during business hours, only five occurred on a weekday.

The number of attacks detected rose over the course of the week, particularly for ransomware: nearly half (43%) of ransomware attacks were discovered on a Friday or Saturday.
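The figures above (dwell time, time to Active Directory, share of payloads launched outside business hours, day of the week) are derived from incident timelines. The following is an added example, not code from Sophos or from the report, showing how a defender can compute the same metrics from their own IR case records. The case list, the business-hours window and the field names are constructed assumptions for illustration.

```python
"""Dwell-time and timing metrics from an incident-response timeline.

Added example (not from the Sophos report). All cases below are constructed
sample data; the business-hours window is an assumption, not a report value.
"""
from dataclasses import dataclass
from datetime import datetime, time
from statistics import median

# Assumed local business hours: 08:00-18:00, Monday to Friday.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)


@dataclass(frozen=True)
class Case:
    kind: str                 # attack type as classified by the IR team
    initial_access: datetime  # first evidence of attacker presence
    ad_access: datetime       # first confirmed access to Active Directory
    final_payload: datetime   # ransomware deployed / last malicious action


def _dt(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample cases (not real incidents); timestamps are local time.
CASES = [
    Case("ransomware",     _dt("2023-03-01T09:15:00"), _dt("2023-03-01T20:00:00"), _dt("2023-03-04T02:30:00")),
    Case("ransomware",     _dt("2023-03-10T14:00:00"), _dt("2023-03-11T05:00:00"), _dt("2023-03-15T11:10:00")),
    Case("ransomware",     _dt("2023-04-02T22:05:00"), _dt("2023-04-03T13:05:00"), _dt("2023-04-08T01:45:00")),
    Case("network breach", _dt("2023-04-20T10:30:00"), _dt("2023-04-22T10:30:00"), _dt("2023-05-14T16:00:00")),
    Case("network breach", _dt("2023-05-05T08:00:00"), _dt("2023-05-06T02:00:00"), _dt("2023-05-27T19:30:00")),
]


def select(cases, kind=None):
    """Filter cases by attack type; kind=None keeps all cases."""
    return [c for c in cases if kind is None or c.kind == kind]


def dwell_days(c: Case) -> float:
    """Dwell time in days: initial access until the final payload."""
    return (c.final_payload - c.initial_access).total_seconds() / 86400


def hours_to_ad(c: Case) -> float:
    """Hours from initial access to first Active Directory access."""
    return (c.ad_access - c.initial_access).total_seconds() / 3600


def in_business_hours(dt: datetime) -> bool:
    """True if dt falls on a weekday inside the assumed business-hours window."""
    return dt.weekday() < 5 and BUSINESS_START <= dt.time() < BUSINESS_END


def median_dwell_days(cases, kind=None) -> float:
    return round(median(dwell_days(c) for c in select(cases, kind)), 1)


def median_hours_to_ad(cases, kind=None) -> float:
    return round(median(hours_to_ad(c) for c in select(cases, kind)), 1)


def off_hours_share(cases, kind=None) -> float:
    """Fraction of final payloads launched outside business hours."""
    sel = select(cases, kind)
    return sum(not in_business_hours(c.final_payload) for c in sel) / len(sel)


def payloads_by_weekday(cases, kind=None) -> dict:
    """Count final payload launches per weekday name."""
    counts = {}
    for c in select(cases, kind):
        day = c.final_payload.strftime("%A")
        counts[day] = counts.get(day, 0) + 1
    return counts


if __name__ == "__main__":
    print("median dwell (all):        ", median_dwell_days(CASES), "days")
    print("median dwell (ransomware): ", median_dwell_days(CASES, "ransomware"), "days")
    print("median hours to AD:        ", median_hours_to_ad(CASES), "h")
    print("ransomware off-hours share:", round(off_hours_share(CASES, "ransomware"), 2))
    print("ransomware by weekday:     ", payloads_by_weekday(CASES, "ransomware"))
```

Median rather than mean is used because a single long-running intrusion would otherwise dominate the dwell figure; the business-hours window should be replaced with the organization's own schedule and time zone, since "outside working hours" only means something relative to when the security team is actually watching.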

Attacks outside of business hours

“In some ways we are victims of our own success. As security technologies and services such as XDR and MDR become more widespread, attacks can be detected earlier. A shorter detection time leads to a faster response, which in turn leads to a shorter window of opportunity for attackers. At the same time, criminals have optimized their playbooks, particularly the experienced and well-resourced ransomware affiliates, which are further accelerating their attacks in the face of improved defenses.

But that doesn't mean we're safer overall. This can be seen in the dwell time leveling off at a high level for non-ransomware attacks. Attackers are still breaking into networks, and if time is not of the essence, they will linger. All the security tools in the world won't save companies if they aren't paying attention and don't interpret system information correctly. It takes both the right tools and continuous, proactive monitoring to ensure criminals do not gain the upper hand. MDR can bridge the gap between attackers and defenders because even if the company isn't paying attention, we're paying attention,” says Shier.

About the Sophos Active Adversary Report for Tech Leaders

The Sophos Active Adversary Report for Tech Leaders is built on global Sophos Incident Response (IR) data across 25 industries from January to July 2023. The companies attacked were located in 33 different countries on six continents. Eighty-eight percent of cases came from companies with fewer than 1,000 employees. The report provides security professionals with threat data and insights to better operationalize their security strategy.

More at Sophos.com



About Sophos

More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.


