Active adversaries are creating new ways to evade detection and maintain a persistent presence on enterprise networks faster than we can detect them. They are as persistent as a squirrel attacking a bird feeder. If one attack doesn’t work, they try again in a different way from a different direction.
Stopping Active Adversaries: Lessons From the Cyber Frontline is the latest whitepaper from Sophos that provides a unique window into the tactics, techniques, and procedures employed by today’s skilled, professional cybercriminals.. There are steps organizations can take today to better defend against active adversaries.
How Adversaries Are Breaking In
Active adversaries prefer to exploit compromised credentials obtained through phishing attacks or previous data breaches to get into the network. They time their attacks at off-hours and on weekends when target companies are short-staffed or off-duty.
Active adversaries work fast. Dwell time—how long they have before being detected—now clocks in at eight days, down from twelve days two years ago. Ransomware is a “smash and grab” job, with only half of those attacks taking five days or less.
Once inside, the adversaries go straight for the Active Directory (AD) server, typically the system's most powerful and privileged server, controlling identities and policies across the network. They use the AD server to turn off protection and distribute their malware from a trusted source.
Adversaries will also use legitimate IT tools in a “living off the land” attack. Remote Desktop Protocol and Powershell are the two most abused IT tools for advancing their attacks. Any suspicious activity using IT tools should be immediately flagged and investigated.
How to Keep Adversaries Out
Based on the insights from 232 incidents remediated by Sophos incident responders, they recommend a comprehensive IT defense system to help enhance your customers’ resilience against active adversaries.
· Use friction – Robust, layered defenses increase the time it takes for an attacker to get in, eventually forcing a frustrated adversary to give up and look for weaker targets elsewhere.
· Protect everything – Attackers will break through the weakest link in the system, so be comprehensive in defense. A strong defense provides the telemetry needed to detect and respond to breaches.
· 24/7 vigilance – Active adversaries prefer to strike while IT staff are off-duty. Don’t let your guard down. Maintain the watch.
· Investigate and respond promptly – A response plan can be the difference between stopping a commonplace attack and restoring data from backups. Defense is easier than the rebuild.
Once you know how active adversaries attack, you can craft a defense strategy to deflect and defeat them. Sophos has a range of best-in-class solutions designed to detect, investigate, and neutralize active adversaries in their tracks. Sophos Managed Detection and Response (MDR) provides adaptive 24/7 endpoint protection and incident response support to defend against even the most advanced human-led attacks.