Cybercriminals Disabled or Wiped Out Logs in 82% of Attacks with Missing Telemetry in Cases Analysed for Sophos Active Adversary Report
38% of “Fast” Ransomware Attacks in Report Occurred within 5 Days of Initial Access
“Fast” Ransomware Attacks Hinder Fast Defender Response
Posted: Wednesday, Nov 15

SYDNEY, AUS. – Nov. 15, 2023 – Sophos, a global leader in innovating and delivering cybersecurity as a service, today released its Active Adversary Report for Security Practitioners, which found that telemetry logs were missing in nearly 42% of the attack cases studied. In 82% of these cases, cybercriminals disabled or wiped out the telemetry to hide their tracks. The report covers Incident Response (IR) cases that Sophos analysed from January 2022 through the first half of 2023.

Gaps in telemetry decrease much-needed visibility into organisations’ networks and systems, especially since attacker dwell time (the time from initial access to detection) continues to decline, shortening the time defenders have to effectively respond to an incident.

“Time is critical when responding to an active threat; the time between spotting the initial access event and full threat mitigation should be as short as possible. The farther along in the attack chain an attacker makes it, the bigger the headache for responders. Missing telemetry only adds time to remediations that most organisations can’t afford. This is why complete and accurate logging is essential, but we’re seeing that, all too frequently, organisations don’t have the data they need,” said John Shier, field CTO, Sophos.

In the report, Sophos classifies ransomware attacks with a dwell time of less than or equal to five days as “fast attacks,” which accounted for 38% of the cases studied. “Slow” ransomware attacks are those with a dwell time greater than five days, which accounted for 62% of the cases.

When examining these “fast” and “slow” ransomware attacks at a granular level, there was not much variation in the tools, techniques, and living-off-the-land binaries (LOLBins) that attackers deployed, suggesting defenders don’t need to reinvent their defensive strategies as dwell time shrinks. However, defenders do need to be aware that fast attacks and the lack of telemetry can hinder fast response times, leading to more destruction.
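As an added example (not part of the press release or the Sophos report), a small Python triage script that flags the two problems the report highlights, hosts whose telemetry goes silent and hosts that report their own logs cleared, and applies the report's five-day fast/slow dwell-time split. The heartbeat/log_cleared record format and the sample data are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The report's threshold: dwell time of five days or less is a "fast" attack.
FAST_ATTACK_MAX_DWELL = timedelta(days=5)

# Constructed sample telemetry (not real data): "<ISO timestamp> <host> <event>".
# "heartbeat" = telemetry reached the collector; "log_cleared" = host reported its audit log cleared.
SAMPLE_LINES = """\
2023-03-01T08:00:00 hostA heartbeat
2023-03-01T08:30:00 hostA heartbeat
2023-03-01T09:00:00 hostA heartbeat
2023-03-01T08:00:00 hostB heartbeat
2023-03-01T08:30:00 hostB heartbeat
2023-03-01T08:35:00 hostB log_cleared
2023-03-01T13:00:00 hostB heartbeat
""".splitlines()


def parse_events(lines):
    """Return (timestamp, host, event) tuples sorted by time."""
    events = []
    for line in lines:
        ts, host, event = line.split()
        events.append((datetime.fromisoformat(ts), host, event))
    return sorted(events)


def find_telemetry_gaps(events, max_silence=timedelta(hours=1)):
    """Map host -> [(gap_start, gap_end)] for silences between consecutive
    heartbeats longer than max_silence. A host that stops reporting is the
    telemetry gap the report describes and should be investigated, not retried."""
    last_seen, gaps = {}, defaultdict(list)
    for ts, host, event in events:
        if event != "heartbeat":
            continue
        if host in last_seen and ts - last_seen[host] > max_silence:
            gaps[host].append((last_seen[host], ts))
        last_seen[host] = ts
    return dict(gaps)


def log_clear_events(events):
    """Return (timestamp, host) for every log_cleared event; a cleared log just
    before a heartbeat gap is the pattern of an attacker hiding their tracks."""
    return [(ts, host) for ts, host, event in events if event == "log_cleared"]


def classify_dwell(initial_access_iso, detection_iso):
    """'fast' if detection minus initial access is within five days, else 'slow'."""
    dwell = datetime.fromisoformat(detection_iso) - datetime.fromisoformat(initial_access_iso)
    return "fast" if dwell <= FAST_ATTACK_MAX_DWELL else "slow"
```

In the sample, hostB's audit log is cleared at 08:35 and its heartbeats then stop for four and a half hours; that pairing is what the script surfaces for an analyst.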

“Cybercriminals only innovate when they must, and only to the extent that it gets them to their target. Attackers aren’t going to change what’s working, even if they’re moving faster from access to detection. This is good news for organisations because they don’t have to radically change their defensive strategy as attackers speed up their timelines. The same defences that detect fast attacks will apply to all attacks, regardless of speed. This includes complete telemetry, robust protections across everything, and ubiquitous monitoring,” said Shier. “The key is increasing friction whenever possible: if you make the attackers’ job harder, then you can add valuable time to respond, stretching out each stage of an attack.

“For example, in the case of a ransomware attack, if you have more friction, then you can delay the time until exfiltration; exfiltration often occurs just before detection and is often the costliest part of the attack. We saw this happen in two incidents of Cuba ransomware. One company (Company A) had continuous monitoring in place with MDR, so we were able to spot the malicious activity and halt the attack within hours to prevent any data from being stolen. Another company (Company B) didn’t have this friction; they didn’t spot the attack until a few weeks after initial access and after Cuba had already successfully exfiltrated 75 gigabytes of sensitive data. They then called in our IR team, and a month later, they were still trying to get back to business as usual.”

The Sophos Active Adversary Report for Security Practitioners is based on 232 Sophos Incident Response (IR) cases across 25 sectors from Jan. 1, 2022, to June 30, 2023. Targeted organisations were located in 34 different countries across six continents. Eighty-three percent of cases came from organisations with fewer than 1,000 employees.

The Sophos Active Adversary Report for Security Practitioners provides actionable intelligence on how security practitioners should best shape their defensive strategy.

To learn more about attacker behaviours, tools and techniques, read the Active Adversary Report for Security Practitioners on Sophos.com.

— END


About Sophos

Sophos is a worldwide leader and innovator of advanced cybersecurity solutions, including Managed Detection and Response (MDR) and incident response services and a broad portfolio of endpoint, network, email, and cloud security technologies that help organisations defeat cyberattacks. As one of the largest pure-play cybersecurity providers, Sophos defends more than 500,000 organisations and more than 100 million users globally from active adversaries, ransomware, phishing, malware, and more. Sophos’ services and products connect through its cloud-based Sophos Central management console and are powered by Sophos X-Ops, the company’s cross-domain threat intelligence unit. Sophos X-Ops intelligence optimises the entire Sophos Adaptive Cybersecurity Ecosystem, which includes a centralised data lake that leverages a rich set of open APIs available to customers, partners, developers, and other cybersecurity and information technology vendors. Sophos provides cybersecurity-as-a-service to organisations needing fully managed, turnkey security solutions. Customers can also manage their cybersecurity directly with Sophos’ security operations platform or use a hybrid approach by supplementing their in-house teams with Sophos’ services, including threat hunting and remediation. Sophos sells through reseller partners and managed service providers (MSPs) worldwide. Sophos is headquartered in Oxford, U.K. More information is available at www.sophos.com.
