More than 80% of the incidents Sophos responded to last year involved ransomware, according to the vendor's new report released Tuesday.
The report, titled "The Active Adversary Playbook 2021," is the first of its kind for Sophos, and covers attack techniques seen by the company in 2020 and through the beginning of 2021. The report's data is based on 81 incidents that the vendor responded to, as well as internal telemetry. Data points presented by the report covered a wide range of areas, from dwell time to the use of remote desktop protocol (RDP) and beyond.
The report said that 81% of the attacks Sophos responded to during the time frame featured ransomware. While the percentage is high, the authors of the report noted that the figure is unsurprising because ransomware activation is often the point at which an intrusion first becomes visible to a security team. "Ransomware attacks tend to have shorter dwell time than 'stealth' attacks, because they are all about destruction," the report said.
John Shier, senior security advisor for Sophos and one of the co-authors of the report, told SearchSecurity that an important figure to accompany that ransomware percentage is one involving dwell time, which is the amount of time threat actors can operate inside a victim's environment without being detected.
"The median dwell time for the attacks in the report was 11 days, which for an attacker is an eternity," Shier said. "That means the attackers were able to take their time to fully penetrate the victims and orchestrate their attack. This also means that some victims had an opportunity to detect and block the attack had they been instrumented to do so. It's important that organizations of all sizes assess their ability to detect and investigate events occurring inside their networks and seek help if they're not able to act on the information in a timely manner."
The longest dwell time Sophos recorded for an incident in the report was 439 days, well over a year.
Sophos released the report during RSA Conference 2021, where the endpoint security vendor will be presenting on AI technology that can improve detection of threats like novel spam.
Shier added that there were other attacks neutralized by Sophos that didn't result in a ransomware attack, but could have if given the chance.
Another key statistic concerned RDP: 69% of attacks used RDP, the protocol that provides remote access to another computer, for lateral movement within a network.
Shier said that the abuse of RDP itself isn't surprising, and that the extent of this continued abuse "makes a lot of sense."
"RDP is one of those technologies that is largely unrestricted inside many networks," he said. "One of our jobs as defenders is to make the lives of adversaries much more difficult. To that end, restricting the use of technologies like RDP should be a priority. It might be inconvenient and require a change to how you do business, but it will be worth it if it means you've made it harder for an attacker to move around your network and access your most sensitive data."
The vendor has seen various examples of credential abuse, Shier said, including brute-forcing, credential stuffing and instances where attackers "waltzed right into the network with valid credentials, which suggests that they were either acquired through phishing or bought from an initial access broker."
As for other notable findings in the report, 54% of attacks involved unprotected systems, 17% of attacks involved the public leaking of victim data and 27% involved known instances of data theft or exfiltration.
Asked about the most surprising finding in the report, Shier again cited dwell time.
"Frankly, the amount of time some attackers spend inside a victim's network was the most surprising. The average dwell time for all cases was 40 days because of several outliers where the attackers spent 6 months or more inside a victim's network," he said. "This means that many organizations need to improve their ability to investigate suspicious activity inside their networks before they turn into damaging attacks. Just because a threat was blocked doesn't mean that the job is done. In many cases, it means you need to dig deeper and find out if this is an isolated event or part of a larger, yet undiscovered and ongoing attack."
Alexander Culafi is a writer, journalist and podcaster based in Boston.