Cybersecurity requires more effort as the median attacker dwell time before detection was 11 days, said Sophos recently when releasing its Active Adversary Playbook 2021.
In 11 days or 264 hours, there’s ample time for malicious activities, such as lateral movement, reconnaissance, credential dumping, and data exfiltration to take place, the firm added.
- 90% of attacks seen involved the use of the Remote Desktop Protocol (RDP) – and in 69% of all cases, attackers used RDP for internal lateral movement.
- Security measures for RDP, such a VPNs and multi-factor authentication tend to focus on protecting external access. However, these don’t work if the attacker is already inside the network.
- Interesting correlations emerge among the top five tools found in victim networks. Such correlations are important because their detection can serve as an early warning of an impending attack or confirm the presence of an active attack。
- Ransomware was involved in 81% of the attacks Sophos investigated.
- The release of ransomware is often the point at which an attack becomes visible to an IT security team. Thus, it’s not surprising that the vast majority of the incidents Sophos responded to involved ransomware.
With adversaries spending a median of 11 days in the network, implementing their attack while blending in with routine IT activity, it’s critical that cybersecurity defenders understand the warning signs to look out for and investigate, Sophos said.
One of the biggest red flags is when a legitimate tool or activity is detected in an unexpected place, the company noted.
While defenders should remember that technology can do a great deal but it might not be enough for protection in today’s threat landscape, said Sophos, adding that human experience and the ability to respond are a vital part of any security solution.