81% of attacks last year involved ransomware

More than 80% of the incidents Sophos responded to last year involved ransomware, according to the vendor's new report released Tuesday.

The report, titled "The Active Adversary Playbook 2021," is the first of its kind for Sophos, and covers attack techniques seen by the company in 2020 and through the beginning of 2021. The report's data is based on 81 incidents that the vendor responded to, as well as internal telemetry. Data points presented by the report covered a wide variety of areas, from dwell time to the use of Remote Desktop Protocol (RDP) and beyond.

The report said that 81% of attacks that Sophos responded to during the time frame featured ransomware. Although the percentage is high, the authors of the report noted that the figure is unsurprising because ransomware activation is often when intrusions first become visible to a security team. "Ransomware attacks tend to have shorter dwell time than 'stealth' attacks, because they are all about destruction," the report said.

John Shier, senior security advisor for Sophos and one of the co-authors of the report, told SearchSecurity that an important figure to accompany that ransomware percentage is one involving dwell time, which is the amount of time threat actors can operate within a victim's environment without being detected.

"The median dwell time for the attacks in the report was 11 days, which for an attacker is an eternity," Shier said. "That means the attackers were able to take their time to fully penetrate the victims and orchestrate their attack. This also means that some victims had an opportunity to detect and block the attack had they been instrumented to do so. It's important that organizations of all sizes assess their ability to detect and investigate activities happening within their networks and seek help if they're not able to act on the information in a timely fashion."

The longest dwell time recorded by Sophos for an incident in the report was 439 days, well over a year.

Sophos released the report during RSA Conference 2021, where the endpoint security vendor will be presenting on AI technology that can improve detection of threats like novel spam.

Shier added that there were other attacks neutralized by Sophos that did not result in a ransomware attack, but could have if given the chance.

Another important stat centered on RDP. Specifically, 69% of attacks used RDP, the protocol that allows remote access to another computer, in order to achieve lateral movement within a network.

Shier said that the abuse of RDP itself isn't surprising, and that the extent of this continued abuse "makes a lot of sense."

"RDP is one of those technologies that is largely unrestricted within many networks," he said. "One of our jobs as defenders is to make the lives of adversaries much more difficult. To that end, restricting the use of technologies like RDP must be a priority. It may be inconvenient and require a change to how you do business, but it will be worth it if it means you've made it harder for an attacker to move around your network and access your most sensitive data."
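The lateral-movement pattern the report describes, RDP hopping from one internal host to the next, is something a security team can look for in its own logon telemetry. The following is an added example, not code from Sophos or the report: it parses constructed Windows Security log lines (Event ID 4624 with LogonType 10, the RemoteInteractive/RDP logon type) and flags source addresses that are not on an assumed allow list of admin hosts yet have reached several computers over RDP. The one-line log layout and the allow-list address are assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample log lines. Field names (EventID, LogonType, TargetUserName,
# IpAddress, Computer) follow the real 4624 event; the single-line layout is an
# assumption made for this example.
SAMPLE_LOG = """\
2021-05-17T02:13:05Z EventID=4624 LogonType=10 TargetUserName=svc_backup IpAddress=10.0.5.23 Computer=FS01
2021-05-17T02:14:40Z EventID=4624 LogonType=10 TargetUserName=svc_backup IpAddress=10.0.5.23 Computer=DC01
2021-05-17T02:16:12Z EventID=4624 LogonType=10 TargetUserName=svc_backup IpAddress=10.0.5.23 Computer=SQL02
2021-05-17T09:01:00Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=10.0.9.10 Computer=WS-JSMITH
2021-05-17T09:05:00Z EventID=4624 LogonType=3 TargetUserName=jsmith IpAddress=10.0.9.10 Computer=FS01
"""

# Assumed jump hosts / admin workstations from which RDP is expected.
ALLOWED_RDP_SOURCES = {"10.0.9.10"}

LINE_RE = re.compile(
    r"(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+) Computer=(?P<host>\S+)"
)


def parse_rdp_logons(text):
    """Return (timestamp, user, source_ip, host) for successful RDP logons (4624 / type 10)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m["eid"] == "4624" and m["lt"] == "10":
            events.append((m["ts"], m["user"], m["src"], m["host"]))
    return events


def find_rdp_fanout(text, allowed=ALLOWED_RDP_SOURCES, min_hosts=2):
    """Flag unapproved source IPs that reached at least `min_hosts` distinct
    computers over RDP: one host hopping to many is the lateral-movement signal."""
    targets = defaultdict(set)
    for _ts, _user, src, host in parse_rdp_logons(text):
        if src not in allowed:
            targets[src].add(host)
    return {src: sorted(hosts) for src, hosts in targets.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for src, hosts in find_rdp_fanout(SAMPLE_LOG).items():
        print(f"unapproved RDP source {src} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

In real logs the LogonType 3 line would not count, since it is a network logon rather than an RDP session, and the allow list is what turns "RDP is used" into "RDP is used from somewhere it should not be".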

The vendor has seen various examples of credential abuse, Shier said, including brute-forcing, credential stuffing and cases where attackers "waltzed right into the network with valid credentials, which suggests that they were either obtained via phishing or purchased from an initial access broker."

As for other notable findings in the report, 54% of attacks involved unprotected systems, 17% of attacks involved the public leaking of victim data and 27% involved known cases of data theft or exfiltration.

Asked about the most surprising finding in the report, Shier again cited dwell time.

"Frankly, the amount of time some attackers spend within a victim's network was the most surprising. The average dwell time for all cases was 40 days because of many outliers where the attackers spent six months or more within a victim's network," he said. "This means that many organizations need to improve their ability to investigate suspicious activity within their networks before they turn into damaging attacks. Just because a threat was blocked doesn't mean that the job is done. In many cases, it means you need to dig deeper and find out if this is an isolated event or part of a larger, still undiscovered and ongoing attack."

Alexander Culafi is a writer, journalist and podcaster based in Boston.