Dwell times shrinking, threat actors moving faster & smarter: Sophos
According to a new (August 23, 2023) report by Sophos, “Time keeps on slippin’ slippin’ slippin’: The 2023 Active Adversary Report for Tech Leaders”, the dwell time of cyber-attacks has fallen two days to a median of eight days in the first half of 2023, requiring a faster response from security teams.
A frequent strategy used by ransomware gangs is to launch attacks outside of normal business hours when security staff are less available. Of the ransomware attacks analyzed, the final payload was launched outside of traditional working hours 81% of the time, while 43% of attacks were detected on either a Friday or Saturday.
Researchers also observed that attackers are moving faster to access Active Directory systems, averaging a quick 16 hours. Moreover, most AD servers are protected only by Microsoft Defender, which bad actors have become skilled at disabling; this technique made up 43% of AD attacks, up from 36% in the previous year. AD access enables privilege escalation and lateral movement.
Emily Phelps, Director, Cyware, had this comment:
“Cybercriminals don’t take time off – at least not at the same time. Adversaries are becoming more creative and collaborative, adapting to modern cybersecurity tactics. Overcoming people, data, and tech silos is critical to take defensive action faster. We need to automate and orchestrate threat intelligence into security operations so that the right people get the right information at the right time.”
David Ratner, CEO, HYAS, follows with this:
“With dwell time decreasing, the need for fast and efficient identification of anomalous activity has never been more important. Early identification can be the critical difference between proactive business resiliency and reactive financial and reputational damage. The visibility provided by Protective DNS solutions is recommended by CISA for a reason — they enable this early identification, and are increasingly more critical as criminals hone their playbooks and techniques.”
Finally, David Mitchell, Chief Technical Officer, HYAS, had this comment:
“The escalation in timing for accessing Active Directory makes complete sense and is not surprising. Once they’ve gained access to all of the credentials, their ability to keep a foothold dramatically increases and makes ridding the attacker from the network much more difficult — especially without any internal interruptions.”
This reinforces the need for rapid detection of and response to any threat: the bad guys are more dangerous than ever, and moving faster than ever, in order to pwn your organization.