Bad Guys Don’t Lose. They Scheme.

According to Sophos' latest Active Adversary report, threat actors now exploit trusted Microsoft tools to attack IT systems, knowing they arouse no suspicion from vigilant IT guardians.

  • January 9, 2025 | Author: William Terdoslavich


Sophos is highly effective at protecting IT systems. So, adversaries just look for new ways to break in. That was the broad finding of “The Bite from Inside: The Sophos Active Adversary Report,” which looks at the changing attack techniques spotted in the first half of 2024.

Attackers do not need to earn the defenders' trust; they borrow it. By working through applications and tools that are native to Windows and already trusted in the environment, they blend in with routine administration. “[These] tools are integral to Windows and have legitimate use,” said John Shier, field CTO of Sophos. “Without nuanced and contextual awareness of the environment… today's stretched IT teams risk missing key threat activity that often leads to ransomware.”

LOL Is Not What You Think It Means

Abusing the tools that ship with Windows, rather than bringing in custom malware, is known as using “living off the land binaries” (LOLBins). The most abused of these in the report period was Remote Desktop Protocol (RDP): attackers used RDP in 89 percent of the 200 incident response cases Sophos handled in the first half of 2024.

“[I]t’s crucial to understand who’s on your network and what they should be doing,” the Sophos report reads. “If Alice and Bob from IT are doing things with PowerShell, [that’s] probably okay. If Mallory from PR is doing things with PowerShell, ask questions.”
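As an added example, not part of the article or of the Sophos report, the script below turns the “who is running PowerShell” question in the quote above into a repeatable check. It parses a handful of constructed Windows-style security events (process creation, event 4688, and logons, event 4624) and flags LOLBin execution and RDP logons by accounts outside a hypothetical IT-admin allowlist, plus RDP sessions that do not originate from the expected jump hosts. Python is used so the check runs wherever the logs are collected; the account names, host names, jump-host addresses and log lines are all invented for the demonstration.

```python
"""Flag living-off-the-land activity by accounts that should not be doing it.

Added example, not code from Sophos or the report: an allowlist check over
constructed Windows-style security events (process creation, event 4688, and
logons, event 4624) that turns the "Alice and Bob from IT vs. Mallory from PR"
rule of thumb into a repeatable test. Every user, host and log line below is
invented for the demonstration.
"""
import re
from dataclasses import dataclass

# Windows-native binaries routinely abused as LOLBins.
LOLBINS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wmic.exe", "certutil.exe",
    "mstsc.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe", "bitsadmin.exe",
}
# Hypothetical roster: accounts expected to run admin tooling, and the only
# hosts from which interactive RDP sessions are expected to originate.
IT_ADMINS = {r"corp\alice", r"corp\bob"}
RDP_JUMP_HOSTS = {"10.0.5.10", "10.0.5.11"}
RDP_LOGON_TYPE = "10"  # Windows logon type 10 = RemoteInteractive (RDP)

# key=value fields, values optionally double-quoted (backslashes kept literally).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# powershell.exe -e / -ec / -enc / -EncodedCommand <base64>
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?(?:\s|$)")

# Constructed sample events; not real Sophos or Windows output.
SAMPLE_LOG = r"""
event=4688 host=WS-017 user="corp\alice" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell -File .\Get-Inventory.ps1"
event=4688 host=WS-042 user="corp\mallory" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell -nop -w hidden -enc SQBFAFgA"
event=4688 host=WS-042 user="corp\mallory" image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" cmdline="WINWORD.EXE /n"
event=4688 host=WS-042 user="corp\mallory" image="C:\Windows\System32\certutil.exe" cmdline="certutil -decode stage.txt stage.exe"
event=4624 host=SRV-FILE01 user="corp\bob" logontype=10 src=10.0.5.10
event=4624 host=SRV-FILE01 user="corp\bob" logontype=10 src=192.168.7.44
event=4624 host=SRV-DC01 user="corp\mallory" logontype=10 src=10.0.5.11
event=4624 host=WS-042 user="corp\mallory" logontype=2 src=-
"""


@dataclass
class Finding:
    user: str
    host: str
    reason: str


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def analyze(log_text: str) -> list:
    """Return one Finding per event that breaks the who-should-do-what rules."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_event(raw)
        user = ev.get("user", "").lower()
        host = ev.get("host", "?")
        is_admin = user in IT_ADMINS

        if ev.get("event") == "4688":
            image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
            # Alice and Bob from IT running PowerShell is expected; Mallory is not.
            if image in LOLBINS and not is_admin:
                reason = f"{image} run by non-IT account"
                if ENCODED_RE.search(ev.get("cmdline", "")):
                    reason += " with encoded command"
                findings.append(Finding(user, host, reason))

        elif ev.get("event") == "4624" and ev.get("logontype") == RDP_LOGON_TYPE:
            src = ev.get("src", "?")
            if not is_admin:
                findings.append(Finding(user, host, f"RDP logon by non-IT account from {src}"))
            elif src not in RDP_JUMP_HOSTS:
                findings.append(Finding(user, host, f"RDP logon from unexpected source {src}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.host}: {f.user}: {f.reason}")
```

Run as-is, the script reports four findings from the eight sample events: Mallory's encoded PowerShell and certutil runs, Bob's RDP session from a host that is not a jump host, and Mallory's RDP session even though it came from a jump host. Alice's PowerShell use, Mallory's Word launch and the local (type 2) logon are left alone, which is the point of the rule: the binary alone tells you little, the binary plus the account and the source tells you a lot. In a real deployment the allowlists would come from the directory or an asset inventory rather than being hard-coded.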

Other Threats Remain

Sophos noted that compromised credentials remain the number one root cause of attacks, although their share fell to 39 percent of cases from the 56 percent recorded in 2023. Network breaches are still the most common type of incident encountered by Sophos Managed Detection and Response (MDR) teams.

According to Sophos incident response (IR) teams, dwell time, the interval between the start of an attack and its detection, has held at approximately eight days. For incidents handled by MDR, the median dwell time is one day across all incident types and three days for ransomware attacks.

Finally, older versions of Active Directory (AD) that have reached, or are nearing, end-of-life (EOL) are easier targets for threat actors and have fallen out of mainstream Microsoft support, so they no longer receive routine fixes. If your customers are running older versions of AD, plan their upgrade.

Keeping Up with the Threat Actors

Sophos provides channel partners with up-to-date information on attack behaviors so they can better protect their clients. To stay informed about the latest IT dangers, download "The Bite from Inside: The Sophos Active Adversary Report."