Sophos, a global leader in cybersecurity innovation and services, has today unveiled its much-anticipated Active Adversary Report for Tech Leaders 2023. This comprehensive report delves into attacker behaviors and tools observed during the first half of 2023. Leveraging insights from Sophos Incident Response (IR) cases between January and July 2023, Sophos X-Ops has unveiled critical findings that shed light on the evolving threat landscape.
Shrinking Attacker Dwell Time: A Growing Trend
An eye-catching revelation from the report is the reduction in median attacker dwell time. Attacker dwell time is the duration during which an unauthorized user maintains access to a system or environment, measured from the first evidence of attacker activity to the point of detection. It represents the window in which a malicious actor can exploit a compromised system before detection occurs. The longer the dwell time, the greater the potential for an attacker to inflict harm or pilfer sensitive information.
This dwell time has shortened from 10 to 8 days for all attacks, and even further to a mere 5 days for ransomware attacks. This remarkable reduction follows a trend that emerged in 2022 when median dwell time dropped from 15 to 10 days.
Swift Penetration of Critical Assets
Intriguingly, the report underscores that attackers are managing to penetrate one of the most crucial assets in a company’s ecosystem – the Active Directory (AD). On average, attackers reach AD in less than 24 hours from initial access. That foothold grants them significant privileges within the network, enabling them to carry out a wide range of malicious activities undetected.
As John Shier, field CTO at Sophos, elucidates, “Attacking an organization’s Active Directory infrastructure makes sense from an offensive view… When an attacker controls AD, they can control the organization.”
Ransomware: A Dominant Threat
Ransomware attacks took the lead as the most prevalent type of attack in the analyzed IR cases, accounting for a substantial 69% of investigations. Notably, the median dwell time for ransomware attacks was found to be just 5 days. The report highlights that in 81% of ransomware attacks, the final payload was unleashed outside of regular working hours, emphasizing the stealthy nature of these assaults.
Further dissecting the data, the report reveals intriguing patterns in attack detection. Ransomware attacks displayed a unique trend, with nearly half (43%) being detected on either Fridays or Saturdays. This aligns with the evolving tactics adopted by attackers to exploit periods when defenses may be slightly relaxed.
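The metrics quoted above (median dwell time overall and for ransomware, time to Active Directory, payloads deployed outside working hours, and Friday/Saturday detections) are the kind a defender can compute from their own incident records. The script below is an added illustration, not code from Sophos or the report; it runs over a small set of constructed, hypothetical cases, and the Monday–Friday 08:00–18:00 working-hours window is an assumption.

```python
from datetime import datetime
from statistics import median

# Constructed sample incident-response cases (hypothetical; not data from the report).
# Timestamps are ISO 8601 in the victim organisation's local time.
#   initial_access : first evidence of attacker activity
#   ad_access      : first confirmed attacker access to Active Directory (None if not observed)
#   payload        : ransomware deployment time (None for non-ransomware cases)
#   detected       : when the intrusion was identified
CASES = [
    {"id": "c01", "type": "ransomware", "initial_access": "2023-03-01T09:00",
     "ad_access": "2023-03-01T21:00", "payload": "2023-03-04T02:00", "detected": "2023-03-04T08:00"},
    {"id": "c02", "type": "ransomware", "initial_access": "2023-04-10T08:00",
     "ad_access": "2023-04-11T02:00", "payload": "2023-04-14T23:30", "detected": "2023-04-15T08:00"},
    {"id": "c03", "type": "ransomware", "initial_access": "2023-05-02T10:00",
     "ad_access": "2023-05-02T20:00", "payload": "2023-05-09T09:00", "detected": "2023-05-09T10:00"},
    {"id": "c04", "type": "ransomware", "initial_access": "2023-06-05T09:00",
     "ad_access": "2023-06-06T09:00", "payload": "2023-06-10T03:00", "detected": "2023-06-10T09:00"},
    {"id": "c05", "type": "data exfiltration", "initial_access": "2023-02-01T09:00",
     "ad_access": "2023-02-01T23:00", "payload": None, "detected": "2023-02-13T09:00"},
    {"id": "c06", "type": "network intrusion", "initial_access": "2023-07-03T09:00",
     "ad_access": None, "payload": None, "detected": "2023-07-21T09:00"},
]

# Assumed working-hours window: Monday-Friday, 08:00 up to (not including) 18:00.
WORK_START, WORK_END = 8, 18


def _ts(value):
    """Parse an ISO timestamp, passing None through."""
    return datetime.fromisoformat(value) if value else None


def dwell_days(case):
    """Dwell time for one case: initial access to detection, in days."""
    delta = _ts(case["detected"]) - _ts(case["initial_access"])
    return delta.total_seconds() / 86400


def median_dwell_days(cases, attack_type=None):
    """Median dwell time across cases, optionally restricted to one attack type."""
    selected = [c for c in cases if attack_type is None or c["type"] == attack_type]
    return median(dwell_days(c) for c in selected) if selected else None


def median_hours_to_ad(cases):
    """Median time from initial access to first AD access, over cases where AD access was observed."""
    hours = [(_ts(c["ad_access"]) - _ts(c["initial_access"])).total_seconds() / 3600
             for c in cases if c["ad_access"]]
    return median(hours) if hours else None


def outside_working_hours(ts):
    """True if the timestamp falls on a weekend or outside the assumed daily window."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)


def share_payloads_outside_hours(cases):
    """Fraction of ransomware payloads deployed outside working hours (None if no payloads)."""
    deployed = [_ts(c["payload"]) for c in cases if c["payload"]]
    if not deployed:
        return None
    return sum(outside_working_hours(t) for t in deployed) / len(deployed)


def share_detected_fri_sat(cases, attack_type="ransomware"):
    """Fraction of cases of the given type detected on a Friday (4) or Saturday (5)."""
    detected = [_ts(c["detected"]) for c in cases if c["type"] == attack_type]
    if not detected:
        return None
    return sum(t.weekday() in (4, 5) for t in detected) / len(detected)


def summarize(cases):
    """Collect the report-style metrics into one dictionary."""
    return {
        "median_dwell_days_all": median_dwell_days(cases),
        "median_dwell_days_ransomware": median_dwell_days(cases, "ransomware"),
        "median_hours_to_ad": median_hours_to_ad(cases),
        "share_payloads_outside_hours": share_payloads_outside_hours(cases),
        "share_ransomware_detected_fri_sat": share_detected_fri_sat(cases),
    }


if __name__ == "__main__":
    for name, value in summarize(CASES).items():
        print(f"{name}: {value}")
```

Feeding real IR case data into `CASES` gives an organisation its own dwell-time and out-of-hours figures to compare against the report's; the `None` returns guard the ratios when a case set contains no ransomware or no observed AD access.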
Proactive Monitoring and MDR: The Bridge to Enhanced Security
Sophos acknowledges that while the adoption of advanced technologies enhances early attack detection, it does not necessarily translate to heightened overall security. Attackers are adjusting their strategies, and as Shier points out, “all the tools in the world won’t save you if you’re not watching.” He highlights the crucial role of continuous, proactive monitoring and Managed Detection and Response (MDR) services in bridging the gap between attackers and defenders.
The Sophos Active Adversary Report for Tech Leaders is rooted in extensive investigations that span the globe and various sectors. Covering incidents from January to July 2023, the report’s insights are derived from organizations across 33 different countries, representing a diverse range of industries and sizes.
Strengthening Security Strategies with Actionable Insights
The Active Adversary Report for Tech Leaders equips security professionals with actionable threat intelligence and insights, enabling them to fortify their security strategies in the face of evolving threats. To explore a detailed analysis of attacker behaviors, tools, and techniques, refer to the “Time Keeps on Slippin’ Slippin’ Slippin’: The 2023 Active Adversary Report for Tech Leaders” available on Sophos’s official website. Stay informed and equipped to protect your organization in an ever-changing cybersecurity landscape.