The detailed analysis of actual attacks on companies uncovers a new scam used by cybercriminals to cover up their length of stay and thus thwart a rapid defensive response. The new Sophos Active Adversary Report reveals the tricks used by cybercriminals.
Sophos has released its new Active Adversary Report. Particularly striking: in 42 percent of the attacks analyzed, the telemetric protocols were missing and in 82 percent of these cases, the criminals actively deactivated or deleted telemetry data to hide their attacks. In addition, the length of stay in the hijacked system continues to decrease, continuing the trend from the last report.
Active Adversary Report
“Active Adversary” is a technical term that describes the type of attack strategy on a system. In contrast to purely technical and automated attacks, the human factor comes into play in this type of attack: cybercriminals actively sit at the keyboard and react individually to the circumstances in an infiltrated system. These stealth journeys are further supported by gaps in telemetry, as they reduce the necessary visibility in the networks and systems. A big problem, especially since the time spent by attackers - from initial access to detection - is continuously decreasing and therefore the time for the defensive reaction is also shorter.
“Time is the critical factor in responding to an active threat. The phase between the discovery of initial access and the complete defusing of the situation should be as short as possible. The further the criminals get in the attack chain, the more problems we see in the defense center. Missing telemetry data increases recovery time, something most organizations cannot afford. That’s why complete and precise logging is very important. “But we see that far too often organizations don’t have the data they actually need,” says John Shier, Field CTO at Sophos, about the telemetry problem.
In the system for less than five days – fast ransomware attacks are at 38 percent
In the Active Adversary Report, Sophos classifies ransomware attacks that last up to five days as “fast attacks.” There were 38 percent of these in the cases examined. “Slow attacks” are those that sometimes last much longer than five days. There were 62 percent of them. Even if the “quick” attacks are still less common, their proportion in the overall picture is constantly increasing - and for reasons: Attackers are reacting to the better detection methods in companies, which leave them less time and cybercriminals are now also easy very practiced. “As with any process, repetition and practice tend to produce better results,” says John Shier. “Modern ransomware turns ten years old this year, a long time with many examples to turn more and more criminals into experts. An all the more dangerous development when many defense strategies could not keep up.”
When examining the fast and slow types, there was little variation in the tools, techniques and LOLBins (living-off-the-land binaries) that the attackers use. This suggests that the defenders of the attacked system do not need to reinvent their defense strategies as the dwell time decreases. However, companies must be aware that rapid attacks and a lack of telemetry can hamper rapid response times and subsequently lead to a significantly larger disruption to business operations.
New defensive measures not absolutely necessary
“Cybercriminals are lazy, they only make changes if it means they can better achieve their goal. Attackers do not change what is going on, even if this means they are discovered more quickly after infiltration. This is good news for organizations because they don't have to radically change their defensive strategy just because the attackers are turning on the turbo. Defensive measures that detect quick attacks are effective for all attacks, regardless of time. This also includes complete telemetry, robust protection for all areas and omnipresent monitoring,” points out Shier. “The key is to increase resistance. If you make it harder for the attackers and prolong each phase of the attack, you have more time to react.
The Sophos Active Adversary Report is based on 232 incident response cases from January 1, 2022 to June 30, 2023 across 25 industries. Affected organizations were located in 34 different countries on six continents. 83 percent of cases affected companies with fewer than 1.000 employees. The report provides actionable information on how security professionals can optimally design their defensive strategies.
More at Sophos.com
About Sophos More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.