Cybercriminals remain unnoticed in the corporate network for longer and longer periods of time
Sophos Cybersecurity, Cyber Threat, Cyber Attacks
Sophos has published its "Active Adversary Playbook 2022". It details the behavior of cybercriminals observed by Sophos's rapid response team in 2021. The research shows a 36 percent increase in the time cybercriminals spend on corporate networks. The average undetected stay on the network without a major attack such as ransomware is 34 days. The report also highlights the impact of ProxyShell vulnerabilities in Microsoft Exchange, which Sophos says have been exploited by some initial access brokers (IABs) to penetrate networks and then sell access to other cybergangsters.
"The world of cybercrime has become incredibly diverse and specialized," said John Shier, senior security advisor at Sophos. "Initial access brokers (IABs) have developed their own cybercrime industry by penetrating a target, scouting it or installing a backdoor, and then selling turnkey access to ransomware gangs for their own attacks. In this increasingly dynamic and specialized cyber threat landscape, it can be difficult for organizations to keep up with the attackers' ever-changing tools and methods. It's important that they know what to look for at each stage of the attack chain so they can detect and neutralize attacks as quickly as possible."
Dwell time longer in smaller businesses and education sector
Sophos's research also shows that attackers stayed longer in smaller companies than in larger ones. Cybercriminals stayed in companies with up to 250 employees for about 51 days. In comparison, they typically spent "only" 20 days in companies with 3,000 to 5,000 employees. Ransomware attacks represent a special case. Here, the criminals act "faster" overall, but here, too, the undetected stay in the network increased from 11 days in 2020 to 15 days in 2021.
Larger companies 'more valuable' to cybercriminals, jostling for network space
"Attackers consider larger organizations more valuable and are therefore more motivated to get in quickly and get out quickly. Smaller organizations have less 'value,' so intruders can afford to linger longer in the background on the network. However, it is also possible that these attackers have less experience and therefore spend more time on the network scouting. Smaller organizations also tend to have less visibility into the attack chain to detect and dispel attacks. This also prolongs the attackers' presence," Shier said. "With the opportunities presented by unpatched ProxyLogon and ProxyShell vulnerabilities, and the emergence of IABs, we are increasingly seeing multiple attackers being on the same target network. When things get tight there, they want to move quickly to get ahead of their competitors."
The average dwell time to detection was longer for "stealthy" attacks that had not evolved into a larger attack like ransomware, and for smaller organizations with fewer IT security resources. The average dwell time for attackers in organizations affected by ransomware was 15 days. Organizations that were breached but not yet affected by a major attack such as ransomware (23 percent of all cases studied) had an average dwell time of 34 days. For organizations in the education sector or with fewer than 500 employees, the dwell time was also longer.
Longer dwell times and open entry points leave organizations vulnerable to multiple attackers. Sophos forensics uncovered cases where multiple attackers, including IABs, ransomware gangs, cryptominers, and occasionally even multiple ransomware groups, targeted the same organization simultaneously.
Despite a decline in the use of Remote Desktop Protocol (RDP) for external access, attackers increasingly used the tool for lateral movement inside the network. In 2020, attackers used RDP for external activity in 32 percent of the cases analyzed. That percentage dropped to 13 percent in 2021. While this change is welcome and indicates that organizations have improved their management of external attack surfaces, attackers are still abusing RDP for internal lateral movement: Sophos found that attackers used RDP for internal network reconnaissance in 82 percent of cases in 2021, up from 69 percent in 2020.
Common tool combinations used in attacks are a clear warning sign of cyber attacks. For example, incident investigations found that PowerShell and malicious non-PowerShell scripts were used together 64 percent of the time in 2021. PowerShell and Cobalt Strike were combined 56 percent of the time, and Sophos researchers found PowerShell and PsExec combined 51 percent of the time. Detecting such correlations can serve as an early warning of an impending attack or confirm the presence of an active attack.
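The two warning signs described above, internal RDP lateral movement and co-occurring attacker tool pairs, both come down to correlating endpoint events per host within a time window. The following script is an added example written for this article; it is not Sophos code and does not reproduce how Sophos measured these figures. It runs over a small set of constructed events (an assumed `timestamp|host|kind|detail` format, standing in for process-creation and Windows logon telemetry), treats RFC 1918 addresses as "internal", and uses `psexesvc.exe`/`psexec.exe` and `wscript.exe`/`cscript.exe`/`mshta.exe` as the assumed image names for PsExec and non-PowerShell script hosts. Cobalt Strike has no fixed image name, so it is deliberately not covered here.

```python
"""Correlate endpoint telemetry for two warning signs from the Sophos report:
internal RDP logon fan-out and PowerShell paired with other attacker tooling.
Added example with constructed sample data; not Sophos's own tooling."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed event format: timestamp|host|kind|detail
#   kind "logon" -> detail is "logon_type=<n> src=<ip>" (type 10 = RemoteInteractive/RDP)
#   kind "proc"  -> detail is the process image name
# All events below are constructed for this example.
SAMPLE_EVENTS = """\
2021-06-01T08:00:00|WS-01|proc|outlook.exe
2021-06-01T08:05:10|WS-01|proc|powershell.exe
2021-06-01T08:06:42|WS-01|proc|wscript.exe
2021-06-01T08:30:00|SRV-FILE|logon|logon_type=10 src=10.0.5.23
2021-06-01T08:31:15|SRV-FILE|proc|powershell.exe
2021-06-01T08:33:02|SRV-FILE|proc|psexesvc.exe
2021-06-01T09:10:00|SRV-DB|logon|logon_type=10 src=10.0.5.23
2021-06-01T09:40:00|SRV-DC|logon|logon_type=10 src=10.0.5.23
2021-06-01T10:00:00|WS-02|proc|powershell.exe
2021-06-01T16:00:00|WS-02|proc|cscript.exe
2021-06-01T12:00:00|SRV-WEB|logon|logon_type=10 src=203.0.113.7
"""

# Assumption: the organization's internal ranges are the RFC 1918 networks.
# An explicit list is used rather than ip_address().is_private, because that
# flag also covers documentation ranges such as 203.0.113.0/24.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed image names for the partner tools named in the report.
PARTNERS = {
    "non-PowerShell script host": {"wscript.exe", "cscript.exe", "mshta.exe"},
    "PsExec": {"psexec.exe", "psexesvc.exe"},
}


def parse_events(text):
    """Parse the pipe-delimited sample format into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, host, kind, detail = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "kind": kind, "detail": detail})
    return events


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def internal_rdp_fanout(events, min_targets=2):
    """Map internal source IPs to the set of hosts they reached over RDP.
    One workstation opening RDP sessions to several servers is the lateral
    movement pattern the report describes; external sources are a separate
    (perimeter) concern and are left out here."""
    targets = defaultdict(set)
    for e in events:
        if e["kind"] != "logon":
            continue
        fields = dict(kv.split("=", 1) for kv in e["detail"].split())
        if fields.get("logon_type") != "10" or not is_internal(fields["src"]):
            continue
        targets[fields["src"]].add(e["host"])
    return {src: sorted(hosts) for src, hosts in targets.items()
            if len(hosts) >= min_targets}


def tool_pairs(events, window_minutes=60):
    """Flag hosts where powershell.exe and a partner tool both ran within the
    window. Returns sorted (host, partner label, image) tuples."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for e in events:
        if e["kind"] == "proc":
            by_host[e["host"]].append((e["ts"], e["detail"].lower()))
    hits = []
    for host, procs in by_host.items():
        ps_times = [ts for ts, img in procs if img == "powershell.exe"]
        for label, images in PARTNERS.items():
            for ts, img in procs:
                if img in images and any(abs(ts - p) <= window for p in ps_times):
                    hits.append((host, label, img))
                    break  # one finding per host and partner category
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("RDP fan-out from internal sources:", internal_rdp_fanout(evs))
    print("PowerShell tool pairs:", tool_pairs(evs))
```

On the constructed data, the workstation at 10.0.5.23 is reported for reaching three servers over RDP, while the external 203.0.113.7 logon is ignored by this check. WS-01 and SRV-FILE are flagged for PowerShell plus a script host and PowerShell plus PsExec respectively; WS-02 is not, because its two events are six hours apart, which shows why the window size is the parameter worth tuning against a site's own baseline.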
Ransomware dominated the caseload: 73 percent of the incidents Sophos responded to in 2021 involved ransomware, and 50 percent of those ransomware incidents also involved confirmed data exfiltration. In the available data, the average interval between data theft and ransomware deployment was 4.28 days. This data movement is often the final phase of the attack before the ransomware is released.
Conti was the most common ransomware group in 2021, accounting for 18 percent of all incidents. REvil ransomware accounted for one in ten incidents. Other common ransomware families include DarkSide (the RaaS behind the infamous Colonial Pipeline attack in the U.S.) and Black KingDom, one of the "new" groups that emerged in March 2021 in the wake of the ProxyLogon vulnerability. Among the 144 incidents included in the analysis, Sophos identified 41 different ransomware attackers. Of these, 28 were new actors first spotted in 2021. Eighteen ransomware groups that appeared in incidents in 2020 were no longer on the list in 2021.
The Sophos Active Adversary Playbook 2022 is based on 144 incidents from 2021 that targeted companies of all sizes and industries in the United States, Canada, the United Kingdom, Germany, Italy, Spain, France, Switzerland, Belgium, the Netherlands, Austria, the United Arab Emirates, Saudi Arabia, the Philippines, the Bahamas, Angola and Japan. The most represented sectors are manufacturing (17 percent), followed by retail (14 percent), healthcare (13 percent), IT (9 percent), construction (8 percent) and education (6 percent).
Concrete benefits for the IT security industry
The goal of the Sophos report is for security teams to understand how cybercriminals go about attacking and how they can detect and defend against malicious activity on the network. One result of this research is the increasing establishment of so-called IT security ecosystems, a strategy that Sophos is also implementing with its Adaptive Cybersecurity Ecosystem (ACE). It is based on collected threat data from SophosLabs, Sophos Security Operations (human analysts embedded in thousands of customer environments through the Sophos Managed Threat Response program) and Sophos Artificial Intelligence (AI). A single, integrated data lake aggregates information from all solutions and threat intelligence sources. Real-time analytics enable defenders to prevent intrusions by finding suspicious signals. In parallel, open APIs enable customers, partners and developers to build tools and solutions that interact with the system. Everything is centrally managed through the Sophos Central Management platform.