Sophos, a prominent cybersecurity service provider, has unveiled its Active Adversary Report for Security Practitioners, revealing that in nearly 42% of the analyzed attack cases, telemetry logs were absent. Shockingly, in 82% of these instances, cybercriminals deliberately incapacitated or erased telemetry to conceal their activities. The report encompasses Incident Response (IR) cases scrutinized by Sophos spanning from January 2022 to the first half of 2023.
The absence of telemetry poses a significant challenge by reducing visibility into organizations’ networks and systems. This is particularly critical as the dwell time of attackers, the duration from initial access to detection, continues to shrink, leaving defenders with limited time to respond effectively.
John Shier,
Sophos’ Field CTO.
“Time is critical when responding to an active threat; the time between spotting the initial access event and full threat mitigation should be as short as possible.”
Shier underscored the importance of complete and accurate logging, expressing concern that many organizations lack the necessary data.
The report categorizes ransomware attacks with a dwell time of five days or less as “fast attacks,” constituting 38% of the studied cases. Meanwhile, “slow” ransomware attacks, with a dwell time exceeding five days, accounted for 62% of the cases.
Examining these “fast” and “slow” ransomware attacks revealed minimal variation in the tools, techniques, and living-off-the-land binaries (LOLBins) employed by attackers. Shier highlighted that defenders need not overhaul their defensive strategies as attackers expedite their timelines. However, he cautioned that fast attacks and the absence of telemetry could impede rapid response times, leading to more substantial damage.
Shier conveyed optimism, stating, “Cybercriminals only innovate when they must, and only to the extent that it gets them to their target.” He emphasized the importance of increasing friction to make the attackers’ job more challenging, adding valuable time to response efforts.
The report, based on 232 Sophos Incident Response cases across 25 sectors from January 1, 2022, to June 30, 2023, provides actionable intelligence for security practitioners. Targeted organizations spanned 34 countries across six continents, with 83% of cases originating from organizations with fewer than 1,000 employees.
Security practitioners are encouraged to explore the Sophos Active Adversary Report for insights into attacker behaviors, tools, and techniques on Sophos.com.
