Sophos: Attacker Dwell Time Increased by 36%
Sophos has released the ‘Active Adversary Playbook 2022,’ detailing attacker behaviours that Sophos’ Rapid Response team saw in the wild in 2021. The findings show a 36% increase in dwell time, with a median intruder dwell time of 15 days in 2021 versus 11 days in 2020. The report also reveals the impact of ProxyShell vulnerabilities in Microsoft Exchange, which Sophos believes some Initial Access Brokers (IABs) leveraged to breach networks and then sell that access to other attackers.
“The world of cybercrime has become incredibly diverse and specialised. IABs have developed a cottage cybercrime industry by breaching a target, doing exploratory reconnaissance or installing a backdoor, and then selling the turn-key access to ransomware gangs for their own attacks,” said John Shier, Senior Security Advisor at Sophos. “In this increasingly dynamic, specialty-based cyberthreat landscape, it can be hard for organisations to keep up with the ever-changing tools and approaches attackers use. It is vital that defenders understand what to look for at every stage of the attack chain, so they can detect and neutralise attacks as fast as possible.”
Sophos’ research also shows that intruder dwell time was longer in smaller organisations’ environments. Attackers lingered for approximately 51 days in organisations with up to 250 employees, while they typically spent 20 days in organisations with 3,000 to 5,000 employees.
“Attackers consider larger organisations to be more valuable, so they are more motivated to get in, get what they want and get out. Smaller organisations have less perceived ‘value,’ so attackers can afford to lurk around the network in the background for a longer period. It’s also possible these attackers were less experienced and needed more time to figure out what to do once they were inside the network. Lastly, smaller organisations typically have less visibility along the attack chain to detect and eject attackers, prolonging their presence,” said Shier. “With opportunities from unpatched ProxyLogon and ProxyShell vulnerabilities and the uprise of IABs, we’re seeing more evidence of multiple attackers in a single target. If it’s crowded within a network, attackers will want to move fast to beat out their competition.”
Additional key findings in the playbook include:
- The median attacker dwell time before detection was longer for “stealth” intrusions that had not unfolded into a major attack such as ransomware, and for smaller organisations and industry sectors with fewer IT security resources. The median dwell time for organisations hit by ransomware was 11 days. For those that had been breached, but not yet affected by a major attack, such as ransomware (23% of all the incidents investigated), the median dwell time was 34 days. Organizations in the education sector or with fewer than 500 employees also had longer dwell times
- Longer dwell times and open entry points leave organisations vulnerable to multiple attackers. Forensic evidence uncovered instances where multiple adversaries, including IABs, ransomware gangs, cryptominers, and occasionally even multiple ransomware operators, were targeting the same organization simultaneously
- Despite a drop in using Remote Desktop Protocol (RDP) for external access, attackers increased their use of the tool for internal lateral movement. In 2020, attackers used RDP for external activity in 32% of the cases analysed, but this decreased to 13% in 2021. While this shift is a welcome change and suggests organizations have improved their management of external attack surfaces, attackers are still abusing RDP for internal lateral movement. Sophos found that attackers used RDP for internal lateral movement in 82% of cases in 2021, up from 69% in 2020