The median dwell time, the time between an attacker first gaining access to a victim's systems and the attack being detected or executed, has dropped significantly. It fell from 10 days to eight between January and July 2023, after falling by five days, from 15 to 10, during 2022, which itself followed a sharp rise in 2021.
This is according to data drawn from Sophos X-Ops incident response (IR) cases, which has today been released in the firm’s Active adversary report for tech leaders 2023.
The headline statistic could be taken as good news, as a sign that detection capabilities among end-user security teams are improving, but on the flip side, it could also reflect increasingly well-organised, technically adept and operationally efficient threat actors who know what they want and how to get it.
Indeed, X-Ops found that attackers now take approximately 16 hours to reach their victims’ critical Active Directory (AD) assets. Such assets typically manage identity and access to organisational resources, making them a goldmine for threat actors seeking to escalate their privileges, as Sophos field chief technology officer John Shier explained.
“Attacking an organisation’s Active Directory infrastructure makes sense from an offensive view,” he said. “AD is usually the most powerful and privileged system in the network, providing broad access to the systems, applications, resources and data that attackers can exploit in their attacks. When an attacker controls AD, they can control the organisation. The impact, escalation, and recovery overhead of an Active Directory attack is why it’s targeted.
“Getting to and gaining control of the Active Directory server in the attack chain provides adversaries with several advantages. They can linger undetected to determine their next move, and, once they’re ready to go, they can blast through a victim’s network unimpeded.
“Full recovery from a domain compromise can be a lengthy and arduous effort,” said Shier. “Such an attack damages the foundation of security upon which an organisation’s infrastructure relies. Very often, a successful AD attack means a security team has to start from scratch.”
No ransomware locker
The report also reveals that in the case of ransomware attacks, the median dwell time is now down to five days, which may be linked to the growth in extortion-only ransomware attacks in which no ransomware locker is deployed, such as Clop's recent campaign against Progress Software's MOVEit file-transfer tool.
Ransomware attacks were the most prevalent type of attack in the IR cases the X-Ops team worked on, accounting for 69% of engagements. Shier, however, noted that, setting aside known ransomware incidents, a significant number of attacks appeared to be network breaches that consisted of an intrusion with no clear motive, raising the question of how many of those were actually thwarted ransomware attacks.
“We were able to identify several attacks that were perpetrated by Cuba and Vice Society, both infamous ransomware purveyors, but crucially those attacks never reached the ransomware stage,” wrote Shier.
“The lesson here for business leadership is that prompt action can break even a tried-and-true attack chain such as that used by ransomware; in the case of a number of these incidents, that’s likely what happened.”
Reflecting a long-observed but generally unquantified tendency among threat actors to execute ransomware at weekends or on public holidays, as in the Kaseya incident of 4 July 2021, Sophos revealed that in 81% of the observed ransomware attacks the final payload was detonated outside working hours. Of those deployed during working hours (by time of day), only five took place on a weekday rather than at a weekend.
The number of attacks detected in X-Ops’ telemetry generally increased as the week progressed, with 43% of ransomware attacks detected on a Friday or Saturday, when security teams are either winding down for the weekend or out of the office entirely.
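The two measures the report leans on, dwell time and out-of-hours detonation, are simple to compute from an organisation's own incident records, and a security team can use the same off-hours test to weight alerts that fire when nobody is watching. The following is an added example, not code from Sophos or from the report; the incident records are constructed for illustration, and the working-hours window (Monday to Friday, 08:00 to 18:00 in the victim's local time) is an assumption, since the report does not publish the window it used.

```python
from datetime import datetime, time
from statistics import median

# Working-hours window assumed for this example (not defined in the report):
# Monday to Friday, 08:00 to 18:00 in the victim's local time (naive timestamps).
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
WEEKEND = {5, 6}           # Saturday, Sunday per datetime.weekday()
FRIDAY_SATURDAY = {4, 5}   # the two days the report singles out

# Constructed sample incidents (illustrative, not Sophos X-Ops case data).
# "access" is the attacker's first access; "end" is when the intrusion was
# detected or, for ransomware cases, when the final payload was executed.
SAMPLE_INCIDENTS = [
    {"id": "inc-1", "access": "2023-06-05T10:00", "end": "2023-06-10T03:00", "ransomware": True},
    {"id": "inc-2", "access": "2023-06-12T14:00", "end": "2023-06-15T22:30", "ransomware": True},
    {"id": "inc-3", "access": "2023-06-01T08:00", "end": "2023-06-07T11:00", "ransomware": True},
    {"id": "inc-4", "access": "2023-05-01T09:00", "end": "2023-05-13T09:00", "ransomware": False},
    {"id": "inc-5", "access": "2023-05-20T01:00", "end": "2023-05-28T01:00", "ransomware": False},
    {"id": "inc-6", "access": "2023-06-19T07:30", "end": "2023-06-24T23:00", "ransomware": True},
]


def parse(ts: str) -> datetime:
    """Parse the ISO-like timestamps used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def dwell_days(incident: dict) -> float:
    """Dwell time in fractional days from first access to detection or execution."""
    delta = parse(incident["end"]) - parse(incident["access"])
    return delta.total_seconds() / 86400


def median_dwell(incidents, ransomware=None) -> float:
    """Median dwell in days, rounded to one decimal.

    ransomware=None covers all cases; True or False restricts the set, matching
    the report's separate ransomware and non-ransomware figures.
    """
    selected = [i for i in incidents if ransomware is None or i["ransomware"] is ransomware]
    return round(median(dwell_days(i) for i in selected), 1)


def is_outside_working_hours(moment: datetime) -> bool:
    """True on a weekend, or on a weekday outside the assumed business window."""
    if moment.weekday() in WEEKEND:
        return True
    return not (BUSINESS_START <= moment.time() < BUSINESS_END)


def is_friday_or_saturday(moment: datetime) -> bool:
    return moment.weekday() in FRIDAY_SATURDAY


def detonation_timing(incidents) -> dict:
    """Percentage of ransomware detonations outside working hours and on Fri/Sat."""
    ends = [parse(i["end"]) for i in incidents if i["ransomware"]]
    if not ends:
        return {"outside_hours_pct": 0.0, "fri_sat_pct": 0.0}
    outside = sum(is_outside_working_hours(e) for e in ends)
    fri_sat = sum(is_friday_or_saturday(e) for e in ends)
    return {
        "outside_hours_pct": round(100 * outside / len(ends), 1),
        "fri_sat_pct": round(100 * fri_sat / len(ends), 1),
    }


if __name__ == "__main__":
    print("median dwell, all cases (days):", median_dwell(SAMPLE_INCIDENTS))
    print("median dwell, ransomware (days):", median_dwell(SAMPLE_INCIDENTS, ransomware=True))
    print("median dwell, non-ransomware (days):", median_dwell(SAMPLE_INCIDENTS, ransomware=False))
    print("ransomware detonation timing:", detonation_timing(SAMPLE_INCIDENTS))
```

The `is_outside_working_hours` check is the piece worth reusing: applied to a high-severity event at ingest time, it is a cheap way to raise the priority of activity that lands in the window the report identifies as the attackers' preferred one. Adjust the window, and add public holidays, to match the organisation's own operating pattern before relying on it.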
“Victims of our own success”
Summing up, Shier warned that in some ways, security teams have become “victims of our own success”.
“As adoption of technologies like XDR and services such as MDR grows, so does our ability to detect attacks sooner,” he said. “Lowering detection times leads to a faster response, which translates to a shorter operating window for attackers.
“At the same time, criminals have been honing their playbooks, especially the experienced and well-resourced ransomware affiliates, who continue to speed up their noisy attacks in the face of improved defences,” said Shier.
“But it doesn’t mean we’re collectively more secure,” he added. “This is evidenced by the levelling off of non-ransomware dwell times. Attackers are still getting into our networks, and when time isn’t pressing, they tend to linger.
“But all the tools in the world won’t save you if you’re not watching.”