Adversaries spend more than 250 hours undetected in target networks on average
Sophos, a global leader in next-generation cybersecurity, today published the "Active Adversary Playbook 2021," which details attacker behavior and the tools, tactics, techniques, and procedures (TTPs) observed in the wild by Sophos' frontline threat hunters and incident responders in 2020. TTP detection data from early 2021 is also included.
According to the results, the median dwell time of an intruder prior to detection was 11 days, or 264 hours, with the longest undetected intrusion lasting 15 months. Ransomware was involved in 81% of cases, and 69% of attacks used the Remote Desktop Protocol (RDP) for internal lateral movement.
The playbook draws on Sophos telemetry, 81 incident investigations, and insight from the threat hunters and analysts on the Sophos Managed Threat Response (MTR) team and the incident responders on the Sophos Rapid Response team. Its objective is to help security teams understand what adversaries do during attacks and to identify and defend against malicious behavior on their networks.
Among the playbook's main findings are the following:
The median dwell time of an attacker before detection was 11 days. To put this in perspective, 11 days gives attackers 264 hours to conduct malicious activity such as lateral movement, reconnaissance, credential dumping, and data exfiltration.
Given that some of these operations can be carried out in minutes or a few hours, and are mostly carried out at night or outside normal business hours, 11 days gives attackers ample time to inflict harm on an organization's network. Ransomware attacks typically have a shorter dwell time than "stealth" attacks, since they are focused on destruction rather than long-term presence.
90% of attacks observed involved the Remote Desktop Protocol (RDP), and in 69% of all cases attackers used RDP for internal lateral movement. RDP security measures such as VPNs and multi-factor authentication are typically focused on preventing unauthorized access from outside. These controls are usually enforced only at the network edge, so an attacker who has already gained a foothold and uses RDP to move between internal hosts bypasses them entirely.
Internal lateral movement over RDP is becoming more prevalent in aggressive, hands-on-keyboard attacks, such as those involving ransomware.
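Perimeter controls miss the hops described above, but the Windows Security log on each host still records them: every successful RDP logon produces an Event ID 4624 with LogonType 10 and the source address. The script below is an added example, not code from the Sophos playbook. It runs three checks over a constructed sample of such events: the source address is an internal (RFC 1918) one, the logon happened outside business hours, and a sequence of logons by the same account forms a chain of hops from host to host. The event records, the IP-to-host inventory, the 08:00 to 18:00 business window, the two-hour hop window and the same-account assumption for chaining are all this example's own assumptions.

```python
"""Detect internal RDP lateral movement from Windows Security 4624 events.

Added example, not code from the Sophos playbook. The events and the
IP-to-host inventory below are constructed; the heuristics (RFC 1918 source,
off-hours logon, chained hops by the same account) are this example's own.
"""
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network

# Constructed Security log records (Event ID 4624, successful logon), reduced
# to the fields the detection needs. LogonType 10 is RemoteInteractive (RDP);
# LogonType 3 is a network logon (SMB and the like) and is ignored here.
SAMPLE_EVENTS = [
    {"time": "2020-11-03T09:12:41", "host": "WS-FINANCE-07", "user": "j.doe",      "logon_type": 10, "src": "203.0.113.8"},
    {"time": "2020-11-03T23:41:05", "host": "WS-FINANCE-07", "user": "svc_backup", "logon_type": 10, "src": "10.20.5.33"},
    {"time": "2020-11-04T00:03:19", "host": "FS-01",         "user": "svc_backup", "logon_type": 10, "src": "10.20.7.107"},
    {"time": "2020-11-04T00:15:44", "host": "DC-02",         "user": "svc_backup", "logon_type": 10, "src": "10.20.8.21"},
    {"time": "2020-11-04T10:30:00", "host": "FS-01",         "user": "a.smith",    "logon_type": 3,  "src": "10.20.5.40"},
]

# Constructed asset inventory: which host held each internal address at the time.
HOST_BY_IP = {
    "10.20.5.33": "WS-HR-02",
    "10.20.7.107": "WS-FINANCE-07",
    "10.20.8.21": "FS-01",
    "10.20.5.40": "WS-IT-11",
}

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True for RFC 1918 addresses. Checked explicitly rather than with
    ipaddress.is_private, which also counts documentation ranges as private."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def is_off_hours(ts: datetime, start: int = 8, end: int = 18) -> bool:
    """True outside the assumed 08:00-18:00 business window."""
    return not (time(start) <= ts.time() < time(end))


def internal_rdp_logons(events):
    """RDP logons (LogonType 10) whose source is inside the network: the hops
    that perimeter controls such as VPN and MFA never see. Sorted by time."""
    hits = [e for e in events if e["logon_type"] == 10 and is_internal(e["src"])]
    return sorted(hits, key=lambda e: e["time"])


def off_hours_rdp(events):
    """Internal RDP logons outside business hours."""
    return [e for e in internal_rdp_logons(events)
            if is_off_hours(datetime.fromisoformat(e["time"]))]


def rdp_hop_chains(events, host_by_ip, window: timedelta = timedelta(hours=2)):
    """Chain RDP hops: if the source host of a logon was itself reached over
    RDP by the same account within `window`, extend that chain by one hop.
    Returns only the maximal chains, as lists of hostnames."""
    rdp = internal_rdp_logons(events)
    chains = []
    for i, e in enumerate(rdp):
        t = datetime.fromisoformat(e["time"])
        src_host = host_by_ip.get(e["src"], e["src"])
        chain = [src_host, e["host"]]
        for j in range(i - 1, -1, -1):          # most recent prior logon first
            p = rdp[j]
            if (p["user"] == e["user"] and p["host"] == src_host
                    and t - datetime.fromisoformat(p["time"]) <= window):
                chain = chains[j] + [e["host"]]
                break
        chains.append(chain)
    # Drop chains that are a prefix of a longer chain, keeping only full paths.
    return [c for c in chains
            if not any(len(o) > len(c) and o[:len(c)] == c for o in chains)]


def findings(events, host_by_ip):
    """Summary an analyst would triage: off-hours internal RDP logons and
    any chain of three or more hosts."""
    return {
        "off_hours": [(e["host"], e["user"], e["time"]) for e in off_hours_rdp(events)],
        "chains": [c for c in rdp_hop_chains(events, host_by_ip) if len(c) >= 3],
    }


if __name__ == "__main__":
    for key, value in findings(SAMPLE_EVENTS, HOST_BY_IP).items():
        print(key, value)
```

On the constructed data the external logon at 09:12 is ignored (it is what the VPN and MFA layer is for), while the three night-time logons by svc_backup resolve to a single chain WS-HR-02 to WS-FINANCE-07 to FS-01 to DC-02. Chaining on the same account is a simplification; a real hunt would also chain on source host alone, since an attacker who has dumped credentials may change accounts between hops.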
The Threat Landscape
There are some telling correlations among the top five tools found in victim networks. For example, when PowerShell is used in an attack, Cobalt Strike is also used in 58% of cases, PsExec in 49%, Mimikatz in 33%, and GMER in 19%. Cobalt Strike and PsExec are used together in 27% of attacks, and Mimikatz and PsExec together in 31%.
Finally, Cobalt Strike, PowerShell, and PsExec are used together in 12% of all attacks. These correlations matter because the appearance of one tool alongside another can serve as an early warning of an imminent attack or confirm that an attack is already under way.
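The correlations above are only useful to a defender if telemetry is scored per host rather than per event, so that a second tool landing on a host that already shows a first one raises its priority. The following is an added example, not code from the Sophos playbook, showing one way to do that over constructed EDR-style process records. Tools are recognised from process name and command line, except Cobalt Strike, which is assumed to arrive as an EDR alert label because a beacon is not reliably identifiable from a command line alone. The weights (dual-use admin tools count 1, Mimikatz and a Cobalt Strike beacon count 3), the list of directories treated as unusual launch locations, and the triage thresholds are this example's assumptions, not figures from the playbook.

```python
"""Score hosts by co-occurrence of attacker tooling in process telemetry.

Added example, not code from the Sophos playbook. The telemetry records,
tool signatures, weights and thresholds are constructed for illustration;
the "Cobalt Strike" label is assumed to come from an EDR alert name.
"""
from collections import defaultdict

# Constructed EDR-style process events: host, image name, image path,
# command line, and any alert the sensor attached to the event.
SAMPLE_TELEMETRY = [
    {"host": "WS-HR-02", "process": "powershell.exe",
     "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA", "alert": ""},  # -enc payload is UTF-16LE base64 of "IEX"
    {"host": "WS-HR-02", "process": "rundll32.exe", "path": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe", "alert": "Cobalt Strike beacon (HTTPS C2)"},
    {"host": "WS-HR-02", "process": "PsExec64.exe", "path": r"C:\Users\Public\PsExec64.exe",
     "cmdline": r"PsExec64.exe \\FS-01 -s cmd.exe", "alert": ""},
    {"host": "FS-01", "process": "PSEXESVC.exe", "path": r"C:\Windows\PSEXESVC.exe",
     "cmdline": "PSEXESVC.exe", "alert": ""},
    {"host": "FS-01", "process": "cmd.exe", "path": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c m.exe privilege::debug sekurlsa::logonpasswords", "alert": ""},
    {"host": "WS-IT-11", "process": "powershell.exe",
     "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\patch-audit.ps1", "alert": ""},
    {"host": "WS-IT-11", "process": "PsExec.exe", "path": r"C:\Tools\Sysinternals\PsExec.exe",
     "cmdline": r"PsExec.exe \\FS-02 ipconfig", "alert": ""},
]

# Tool signatures with weights. PowerShell and PsExec are everyday admin tools
# (weight 1); Mimikatz and a Cobalt Strike beacon have no routine business use
# (weight 3). PSEXESVC.exe is the service PsExec drops on the target host.
TOOL_SIGNATURES = {
    "PowerShell":    (1, lambda e: e["process"].lower() == "powershell.exe"),
    "PsExec":        (1, lambda e: e["process"].lower() in ("psexec.exe", "psexec64.exe", "psexesvc.exe")),
    "Mimikatz":      (3, lambda e: "sekurlsa::" in e["cmdline"].lower() or "mimikatz" in e["cmdline"].lower()),
    "Cobalt Strike": (3, lambda e: "cobalt strike" in e["alert"].lower()),
    "GMER":          (1, lambda e: e["process"].lower() == "gmer.exe"),
}

# Directories from which admin tooling is not normally launched (assumed list).
UNUSUAL_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")


def classify(event) -> set:
    """Names of all tools whose signature matches this one event."""
    return {name for name, (_, match) in TOOL_SIGNATURES.items() if match(event)}


def in_unusual_location(event) -> bool:
    """A recognised tool running from a user-writable directory: the
    'legitimate tool in an unusual place' signal."""
    return any(d in event["path"].lower() for d in UNUSUAL_DIRS)


def severity(score: int) -> str:
    if score >= 4:
        return "incident"
    if score >= 2:
        return "investigate"
    return "watch"


def score_hosts(events) -> dict:
    """Per host: distinct tools seen, unusual launch paths, weighted score and
    triage level. One dual-use tool alone stays at 'watch'; the combinations
    the playbook reports push a host to 'investigate' or 'incident'."""
    tools = defaultdict(set)
    unusual = defaultdict(list)
    for e in events:
        found = classify(e)
        tools[e["host"]] |= found
        if found and in_unusual_location(e):
            unusual[e["host"]].append(e["path"])
    report = {}
    for host, seen in tools.items():
        score = sum(TOOL_SIGNATURES[t][0] for t in seen) + len(unusual[host])
        report[host] = {"tools": sorted(seen), "unusual_paths": unusual[host],
                        "score": score, "severity": severity(score)}
    return report


if __name__ == "__main__":
    for host, r in sorted(score_hosts(SAMPLE_TELEMETRY).items(), key=lambda kv: -kv[1]["score"]):
        print(host, r["severity"], r["score"], r["tools"], r["unusual_paths"])
```

On the sample data WS-HR-02 (PowerShell, a beacon alert, and PsExec launched from C:\Users\Public) and FS-01 (the PsExec service followed by a sekurlsa:: credential dump) both reach "incident", while the administrator workstation WS-IT-11, which ran PowerShell and PsExec from their expected locations, lands at "investigate". That last result is deliberate: the same two tools are benign on one host and hostile on another, and the scoring can only narrow the list; an analyst still has to make the call.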
Ransomware was involved in 81% of the attacks analyzed by Sophos. The detonation of ransomware is often the point at which an IT security team first becomes aware of an attack, so it is unsurprising that the vast majority of incidents reported to Sophos involved ransomware. Sophos also studied exfiltration-only attacks, cryptominers, banking trojans, wipers, droppers, and pen-test/attack tools.
According to John Shier, senior security advisor at Sophos:
“The threat landscape is becoming increasingly crowded and complex, with attacks carried out by adversaries with a diverse set of skills and tools, ranging from script kiddies to nation-state-sponsored threat groups. This will make life more difficult for defenders.”
“Over the past year, our incident responders have assisted in neutralizing attacks launched by over 37 attack parties, collectively using over 400 different resources. Many of these methods are often used on a daily basis by IT managers and security experts, and distinguishing between benign and malicious behavior is not always straightforward.
“With adversaries spending an average of 11 days in the network, carrying out their attack while mixing in with routine IT activity, it is important for defenders to understand the warning signs to track and investigate. One of the most significant red flags, for example, is the detection of a legitimate tool or operation in an unusual location. Above all, defenders should bear in mind that while technology can accomplish a great deal, it may not be sufficient in today's threat environment. Human experience and responsiveness are critical components of every security solution.”
The playbook also discusses the tactics and techniques most likely to indicate an active threat and warrant investigation, the earliest signs of attack, the most frequently seen stagers, threat types and malicious artifacts, and the most prevalent adversary groups observed.