Cyber criminals increasingly longer unnoticed in the corporate network

Cybercriminals spend longer and longer unnoticed in the corporate network

Sophos has published its "Active Adversary Playbook 2022" report. It describes in detail the behaviour of cybercriminals observed by the Rapid Response Team Sophos has observed in 2021. The research shows an increase in the time cybercriminals spend in corporate networks by 36 percent. The average undetected network without a major attack such as ransomware is 34 days. The report also shows the impact of the ProxyShell vulnerabilities in Microsoft Exchange, which Sophos says are being exploited by some by a number of initial access brokers (IABs) to penetrate networks and then and then sell access to other cybercriminals.

"The world of cybercrime has become incredibly diverse and specialised," says John Shier, senior security advisor at Sophos. "Initial access brokers (IABs) have developed their own cybercrime industry industry by penetrating a target, scouting it out or installing a backdoor, and then backdoor and then providing turnkey access to Ransomware gangs for their own attacks. In this increasingly dynamic and specialised cyber threat landscape, it can be difficult for organisations to keep up with the ever-changing tools and methods of attackers. of the attackers. It is important that they know what to at each stage of the attack chain, so they can detect and neutralise attacks as quickly and neutralise them as quickly as possible."

Staying power longer in smaller businesses and the education sector
Sophos's research also shows that the dwell time of attackers was longer in smaller companies than in larger ones. The cybercriminals stayed in companies with up to 250 employees for for about 51 days. In comparison, in companies with 3,000 to 5,000 employees, they typically spent to 5,000 employees, they generally spent "only" 20 days. Ransomware attacks represent a special case. Here, the criminals act altogether "faster" overall, but here, too, the undetected stay in the network increased from 11 days in 2020 to 15 days in 2021.

Larger companies more "valuable"for cybercriminals , jostling for space on the network
"Attackers consider larger organisations to be more valuable and are therefore motivated to get in quickly and get out quickly. disappear. Smaller organisations have a lower `value', so that intruders can afford to stay longer in the background on the network. network. However, it is also possible that these attackers have less experience and therefore spend more time on the network scouting. Smaller companies also tend to have have less insight into the attack chain to detect and dispel attacks. dispel them. This also prolongs the attackers' presence," Shier said. "With the opportunities presented by unpatched ProxyLogon and ProxyShell vulnerabilities, and the emergence of IABs, we are seeing multiple attackers on the same target network," he added. network. When things get tight there, they want to move quickly to get ahead of their competitors to emerge."

The average dwell time until detection was longer for "stealth" attacks that had not evolved into a major attack such as ransomware, and for smaller organisations with fewer IT security resources. The average dwell time of attackers in organisations that had been hit by ransomware was 15 days. For organisations that had been breached but not yet affected by a attack such as ransomware (23 per cent of all cases examined), the average cases), the average dwell time was 34 days. For organisations in the education sector or with fewer than 500 employees, the dwell time was also longer. was also longer.

Longer dwell times and open entry points make organisations vulnerable to multiple attackers. Sophos forensic experts uncovered cases where multiple attackers, including IABs, Ransomware-Banden, cryptominer, and occasionally even multiple ransomware groups, targeted the same organisation at the same time. targeted the same organisation

Despite a decline in the use of the Remote Desktop Protocol (RDP) for external access, attackers increasingly used the tool for network increasingly used the tool to sneak into the network. In 2020, attackers used RDP for external activities in 32 per cent of the cases analysed. This share This change is to be welcomed and suggests that companies are and suggests that organisations have improved their management of external attack surfaces, attackers are attack surfaces, but attackers are still abusing RDP for internal lateral movements. Sophos found that in 2021, attackers will use RDP 82 percent of the time for internal network reconnaissance, up from 69 percent in Jahr 2020.

Common combinations of tools used in attacks are a clear warning sign of cyber attacks. The incident investigations revealed, for example, that in 2021, 64 per cent of PowerShell and malicious non-PowerShell scripts were used together in 64 per cent of the were used together. PowerShell and Cobalt Strike were used in 56 per cent of cases. PowerShell and PsExec were found in combination 51 percent of the time. of the cases. The detection of such correlations can serve as an early warning of an impending attack or confirm the presence of an active attack. of an active attack.

50 per cent of the ransomware incidents involved confirmed data exfiltration. confirmed data exfiltration. For the available data, the the average interval between data theft and the use of ransomware was 4.28 days. ransomware was 4.28 days. 73 per cent of the incidents Sophos responded to in 2021 involved ransomware. Of these ransomware incidents, 50 percent also involved percent also involved data exfiltration. This data movement is often the final phase of the attack before the ransomware is released.

Conti was the most common ransomware group in 2021, accounting for 18 per cent of all incidents. Ransomware group. The REvil ransomware accounted for one in ten incidents. Other common ransomware families include. DarkSide (the RaaS behind the infamous Colonial Pipeline attack in the US) and Black KingDom, one of the "new" groups that emerged in March 2021 in the wake of the ProxyLogon vulnerability emerged. Of the 144 incidents included in the analysis Sophos identified 41 different ransomware attackers. Of these 28 were new actors first spotted in 2021. Eighteen Ransomware groups that appeared in incidents in 2020 were no longer on the list in 2021. on the list in 2021.

The Sophos Active Adversary Playbook 2022 is based on. 144 incidents from 2021, targeting businesses of all sizes and industries in the US, Canada, UK, Germany, Italy, Spain, France, Switzerland, Belgium, the Netherlands, Austria, the United Arab Emirates, Saudi Arabia, the United Kingdom, and the United Kingdom. Emirates, Saudi Arabia, the Philippines, the Bahamas, Angola and Japan. targeted. The sectors with the highest representation are manufacturing (17 per cent), followed by retail (14 per cent), health care (13 per cent) (13 per cent), IT (9 per cent), construction (8 per cent) and education (6 per cent). (6 percent).

Concrete benefits for the IT security industry
The goal of the Sophos report is for security teams to understand how how cyber criminals attack and how to detect and defend against malicious activity on the and how to detect and defend against malicious activity on the network. One result of these investigations is the increasing establishment of so-called IT security ecosystems - a strategy that Sophos is also implementing this strategy with its Adaptive Cybersecurity Ecosystem (ACE). It is based on the collected threat data from SophosLabs, Sophos Security Operations (human analysts involved in thousands of customer environments through the Sophos Managed Threat customer environments through the Sophos Managed Threat Response program) and Sophos's Artificial Sophos. A single, integrated data lake brings together information from all of Sophos's solutions and threat intelligence sources. Real-time analytics enable defenders to prevent intrusions by finding suspicious signals. signals. In parallel, open APIs enable customers, partners and developers to develop tools and solutions that interact with the system. Everything is centrally managed via the Sophos Central Management platform.