
Cybercriminals wipe out traces in 82pc cases: Study

FE REPORT | November 23, 2023 00:00:00

Cybercriminals wiped out their traces in 82 per cent of the online offence cases examined, according to a recent study.

Sophos, a global leader in innovating and delivering cybersecurity as a service, recently released its Active Adversary Report for Security Practitioners, which found that cybercriminals disabled or wiped out telemetry to hide their tracks in 82 per cent of the cases analysed.

The report covers Incident Response (IR) cases that Sophos analysed from January 2022 through the first half of 2023.

Gaps in telemetry reduce much-needed visibility into organisations' networks and systems, especially since attackers' dwell time (the time from initial access to detection) continues to decline, shortening the time defenders have to respond effectively to an incident.

In the report, Sophos classified ransomware attacks with a dwell time of less than or equal to five days as "fast attacks", which accounted for 38 per cent of the cases studied.

"Slow" ransomware attacks are those with a dwell time greater than five days, which accounted for 62 per cent of the cases.

When examining these "fast" and "slow" ransomware attacks at a granular level, there was not much variation in the tools, techniques, and living-off-the-land binaries (LOLBins) that attackers deployed, suggesting defenders don't need to reinvent their defensive strategies as dwell time shrinks.

However, defenders do need to be aware that fast attacks and the lack of telemetry can hinder fast response times, leading to more destruction.

"Cybercriminals only innovate when they must, and only to the extent that it gets them to their target. Attackers aren't going to change what's working, even if they're moving faster from access to detection," says the study report.

"This is good news for organisations because they don't have to radically change their defensive strategy as attackers speed up their timelines. The same defences that detect fast attacks will apply to all attacks, regardless of speed.

This includes complete telemetry, robust protections across everything, and ubiquitous monitoring," said John Shier, Field CTO Commercial.

The Sophos Active Adversary Report for Security Practitioners is based on 232 Sophos Incident Response (IR) cases across 25 sectors from January 1, 2022 to June 30, 2023.

Targeted organisations were located in 34 different countries across six continents. Eighty-three per cent of cases came from organisations with fewer than 1,000 employees.
