Sophos Says That Threat Actors Were In Government Agency Computers Long Before They Launched Attacks

Security researchers at Sophos have found that threat actors spent more than five months on government agency computers, remotely googling for tools from the target’s machines. Behavioral log data from a regional US government agency suggests that two or more threat groups were active before a final group deployed LockBit ransomware payloads earlier this year. In other words, they had been hanging around inside the environment undetected before launching an attack.

Saryu Nayyar, CEO and Founder, Gurucul had this comment:

“One of the biggest enemies of any security operations team is threat actor dwell time. On average this is over 250 days, which is the time between when a threat actor has bypassed your defenses and is roaming inside the castle walls off the radar and moving about freely, to when they are found and removed from the “grounds”. Threat actors use different tactics and techniques stretched out over weeks or months to hide their activity from traditional SIEM and XDR tools that are rooted in identifying patterns over short periods of time. Manually being able to piece together seemingly disparate indicators of compromise over weeks or months is virtually impossible for a security team and most current solutions struggle to provide the necessary. In addition, behavioral log data is only useful for post-breach once the damage is already done. Organizations must look to add more advanced tools that link disparate events over time using analytics and adaptive and trained machine learning models, not just simple correlation, or rule-based fixed machine learning. In addition, included threat content (sadly most companies charge for out-of-the-box automated threat detection), network traffic analysis to identify unauthorized external communications, and real-time user and entity behavior baselining and analytics can be used to reveal how anomalous behaviors are actual security threats associated with an attack campaign. This changes the game to enabling security teams to be proactive versus reactive.”

This underscores that organizations need not only to keep the bad guys out, but also to be able to detect them if they do get in. Both are important to avoid your organization getting pwned by threat actors.
