The chase to catch cybercriminals just got speedier suggested a new report. Highlighting the median cyber attack dwell time, it was found that this duration has been reduced in ransomware cases. Dwell time in a cyber attack is the time taken from when a cyber attack is launched to its detection by the target.
When Hackers Launched Cyber Attacks
In an Active Adversary Report for Tech Leaders 2023, Sophos which specializes in Managed Detection and Response and incident response made some very informative revelations. The research tested incidents in the first half of 2023 and other time frames.
They analyzed ransomware attacks which accounted for nearly 70% of all attacks. Of these ransomware attacks, 81% of the attacks had the final payload launched after working hours. Although the remaining ransomware attacks were launched during business hours, it was found that most of them were on weekends.
Only five of the business hour ransomware attacks were launched on weekdays. There were more cyber attacks launched as the week progressed especially in the case of ransomware. Nearly 43% of ransomware attacks were detected on Fridays and Saturdays. This enabled the cybercriminals to deal with fewer employees.
Cyber Attack Dwell Time
The research on cyber attack dwell time among others was powered by Sophos X-Ops, the company’s cross-domain threat intelligence which gauged the dwell time of various forms of cyber attacks. It spanned 25 sectors with organizations based in 33 countries across six continents.
88% of all the cases were witnessed in organizations with a workforce lower than 1,000 employees highlighting the mindset of cybercriminals that look for more vulnerable targets.
The results for cyber attack dwell time or Time to Detect (TTD) were as follows –
- The median attacker dwell time was reduced from 10 to eight days for all types of cyber attacks.
- The dwell time for ransomware attacks was reduced to five days.
- Cybercriminals took approximately 16 hours to gain access to the Active Directory (AD) which often takes care of identity and access management in an organization. This opens the path for hackers to escalate privileges by logging in with employee credentials and other data.
Active Directory Exploitation
Responding to the critical nature of the Active Directory breach, John Shier, Field CTO at Sophos stated, “Active Directory is usually the most powerful and privileged system in the network, providing broad access to the systems, applications, resources, and data that attackers can exploit in their attacks.”
Adding on to the above statements, Shier said that adversaries gain several advantages after accessing the AD. They can use the access to surf and check all the stored data they can while being undetected.
“They can linger undetected to determine their next move, and, once they’re ready to go, they can blast through a victim’s network unimpeded…. Such an attack damages the foundation of security upon which an organization’s infrastructure relies,” Shier added.
While recovering from an AD attack can be time-consuming and complicated, it often leaves the security with no option but to start from scratch.
Addressing the reduced time frame in detecting attacks, Shier reiterated the benefits of Extended Detection and Response (XDR) and Managed Detection Response (MDR). However, this also was witnessed with threat actors speeding up their business with improved defenses.
“But all the tools in the world won’t save you if you’re not watching. It takes both the right tools and continuous, proactive monitoring to ensure that criminals have a worse day than you do,” stated Shier emphasizing the consistent detecting capabilities of MDR which monitors even when we are not.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
