Sophos, a prominent global cybersecurity service provider, has unveiled its Active Adversary Report for Tech Leaders 2023, a comprehensive analysis of attacker tactics and tools during the initial six months of 2023. Drawing insights from Sophos Incident Response (IR) cases from January to July 2023, the report discloses that the median attacker dwell time, signifying the interval between attack initiation and detection, has decreased from 10 to 8 days for all attacks, and further reduced to 5 days for ransomware incidents. This follows a drop from 15 to 10 days in 2022.
Moreover, the study found that attackers typically required less than a day, around 16 hours on average, to infiltrate Active Directory (AD), a pivotal asset within organizations. AD is central to managing identity and access across an enterprise, granting attackers the ability to elevate their privileges and execute various malicious actions.
John Shier, Sophos’ field CTO, highlighted the significance of targeting AD in attacks, explaining that it offers attackers extensive access to an organization’s systems, resources, applications, and data, enabling them to assume control over the entity. He emphasized that the impact and complexities of recovering from an Active Directory attack contribute to its attractiveness among malicious actors.
The report revealed that ransomware attacks demonstrated a shorter dwell time as well. These attacks were predominant in the analyzed IR cases, constituting 69% of the cases studied. The median dwell time for ransomware incidents was just five days. Additionally, 81% of ransomware attacks unleashed their final payload outside regular working hours, with only a small proportion occurring on weekdays.
The report also highlighted when attacks tend to be detected, particularly in ransomware incidents: around 43% of ransomware attacks were detected on a Friday or Saturday, a clear temporal pattern.
Shier noted that advances in cybersecurity technology have contributed to faster detection and response times. While this accelerates the defensive process, attackers, particularly experienced ransomware groups, have also refined their strategies to evade defenses. He stressed that both advanced tools and continuous monitoring are needed to maintain effective cybersecurity.
The Sophos Active Adversary Report, based on IR investigations covering 25 sectors in 33 countries across six continents, is a valuable resource for business and tech leaders seeking actionable insights to bolster their security strategies. More information about the report’s findings can be found on Sophos’ website in the article titled “Time Keeps on Slippin’ Slippin’ Slippin’: The 2023 Active Adversary Report for Tech Leaders”.