Report: Cyber criminals use 500 tools and tactics


In its Active Adversary Report, Sophos describes how cybercriminals carried out most of their attacks in 2022 and what they used to do so. The shocking result: they used more than 500 different tools and tactics. Ransomware thus remains on the rise.

Sophos has released its Active Adversary Playbook for Business Leaders. The report provides an in-depth look at the changing behaviors and attack techniques that attackers employed in 2022. Data from more than 150 Sophos Incident Response cases was analyzed for this report. Sophos researchers identified more than 500 unique tools and techniques, including 118 living-off-the-land binaries (LOLBins). Unlike malware, LOLBins are legitimate executable files that are present on operating systems. This makes it much harder for defenders to block them when attackers use them for malicious activity.

Unpatched vulnerabilities – Gateway #1

🔎 Attackers most often penetrate systems via unpatched vulnerabilities (Image: Sophos).

In addition, Sophos found that unpatched vulnerabilities are the number one way attackers gain initial access to targeted systems. In half of the investigations, attackers exploited the ProxyShell and Log4Shell vulnerabilities (which first appeared in 2021) to infiltrate companies. The second most common cause of attacks was compromised credentials.

"If attackers can't break in, they log in. The threat situation has now become so extensive and complex that there are no longer any clearly definable entry points. Most companies today no longer have a chance of repelling the attacks on their own. However, there are tools and services that can offload some of the defense burden for organizations so they can focus on their core competencies," said John Shier, Field CTO Commercial at Sophos.

Ransomware continues to dominate

🔎 Ransomware remains the #1 threat (Image: Sophos).

More than two-thirds of the attacks investigated by the Sophos Incident Response Team (68%) consisted of ransomware. This confirms that ransomware remains one of the most prevalent threats facing businesses. Ransomware was also responsible for nearly three quarters of Sophos' incident response investigations over the past three years.

Dwell time of attackers in corporate systems decreases

While ransomware still dominates the threat landscape, attacker dwell time dropped from 15 to 10 days for all attack types in 2022. For ransomware cases, dwell time decreased from 11 to 9 days, while the decrease for non-ransomware attacks was even greater: there, dwell time fell from 34 days in 2021 to just 11 days in 2022. Unlike in previous years, however, there are no significant differences in dwell time between companies of different sizes or industries.

"Companies that have successfully implemented layered defenses with constant monitoring see better results in terms of attack severity," Shier said. “The side effect of improved defenses means that attackers have to get faster to perform their attacks. Faster attacks therefore require earlier detection. The race between attackers and defenders will continue to escalate, and those who fail to conduct proactive surveillance will suffer the greatest consequences.”

Background to the report

🔎 The dwell time of an intruder on the network has decreased slightly in 2022 (Image: Sophos).

The Sophos Active Adversary Report for Business Leaders is based on 152 Incident Response (IR) investigations conducted worldwide, spanning 22 industries. The companies studied are located in 31 different countries including USA & Canada, UK, Germany, Switzerland, Italy, Austria, Finland, Belgium, Sweden, Romania, Spain, Australia, New Zealand, Singapore, Japan, Hong Kong, India, Thailand, the Philippines, Qatar, Bahrain, Saudi Arabia, the United Arab Emirates, Kenya, Somalia, Nigeria, South Africa, Mexico, Brazil and Colombia. The most represented sectors are manufacturing with 20 percent, followed by healthcare (12 percent), education (9 percent) and retail (8 percent).

The Sophos Active Adversary Report for Business Leaders provides organizations with the actionable threat data and insights they need to optimize their security strategies and defenses.

More at Sophos.com

 


About Sophos

More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.


 
