Connect with us

Hi, what are you looking for?

White Papers

Telemetry logs missing in nearly 42% of the attack cases studied – Sophos

Gaps in telemetry decrease much-needed visibility into organizations’ networks and systems, especially since attacker dwell time (the time from initial access to detection) continues to decline, shortening the time defenders have to effectively respond to an incident.

Sophos, a player in innovating and delivering cybersecurity as a service, released its Active Adversary Report for Security Practitioners, which found that telemetry logs were missing in nearly 42% of the attack cases studied. In 82% of these cases, cybercriminals disabled or wiped out the telemetry to hide their tracks. The report covers Incident Response (IR) cases that Sophos analyzed from January 2022 through the first half of 2023.

Gaps in telemetry decrease much-needed visibility into organizations’ networks and systems, especially since attacker dwell time (the time from initial access to detection) continues to decline, shortening the time defenders have to effectively respond to an incident.

“Time is critical when responding to an active threat; the time between spotting the initial access event and full threat mitigation should be as short as possible. The farther along in the attack chain an attacker makes it, the bigger the headache for responders. Missing telemetry only adds time to remediations that most organizations can’t afford. This is why complete and accurate logging is essential, but we’re seeing that, all too frequently, organizations don’t have the data they need,” said John Shier, field CTO, Sophos.

In the report, Sophos classifies ransomware attacks with a dwell time of less than or equal to five days as “fast attacks,” which accounted for 38% of the cases studied. “Slow” ransomware attacks are those with a dwell time greater than five days, which accounted for 62% of the cases.

Advertisement. Scroll to continue reading.

When examining these “fast” and “slow” ransomware attacks at a granular level, there was not much variation in the tools, techniques, and living-off-the-land binaries (LOLBins) that attackers deployed, suggesting defenders don’t need to reinvent their defensive strategies as dwell time shrinks. However, defenders do need to be aware that fast attacks and the lack of telemetry can hinder fast response times, leading to more destruction.

“Cybercriminals only innovate when they must, and only to the extent that it gets them to their target. Attackers aren’t going to change what’s working, even if they’re moving faster from access to detection. This is good news for organizations because they don’t have to radically change their defensive strategy as attackers speed up their timelines. The same defenses that detect fast attacks will apply to all attacks, regardless of speed. This includes complete telemetry, robust protections across everything, and ubiquitous monitoring,” said Shier. “The key is increasing friction whenever possible—if you make the attackers’ job harder, then you can add valuable time to respond, stretching out each stage of an attack.

“For example, in the case of a ransomware attack, if you have more friction, then you can delay the time until exfiltration; exfiltration often occurs just before detection and is often the costliest part of the attack. We saw this happen in two incidents of Cuba ransomware. One company (Company A) had continuous monitoring in place with MDR, so we were able to spot the malicious activity and halt the attack within hours to prevent any data from being stolen. Another company (Company B) didn’t have this friction; they didn’t spot the attack until a few weeks after initial access and after Cuba had already successfully exfiltrated 75 gigabytes of sensitive data. They then called in our IR team, and a month later, they were still trying to get back to business as usual.”

The Sophos Active Adversary Report for Security Practitioners is based on 232 Sophos Incident response (IR) cases across 25 sectors from Jan. 1, 2022, to June 30, 2023. Targeted organizations were located in 34 different countries across six continents. Eighty-three percent of cases came from organizations with fewer than 1,000 employees.

The Sophos Active Adversary Report for Security Practitioners provides actionable intelligence on how security practitioners should best shape their defensive strategy.

Advertisement. Scroll to continue reading.

Advertisement
Advertisement
Advertisement

Like Us On Facebook

You May Also Like

HEADLINES

The all-cash transaction values Secureworks at approximately $859 million. With the completion of the acquisition, Secureworks’ common stock has ceased trading on Nasdaq. Sophos...

HEADLINES

Data privacy is more critical than ever, especially when social media platforms, AI chatbots and connected devices have increased publicly available digital footprints. This...

HEADLINES

Acting on reports about a suspicious message urging customers to click a malicious link to redeem ‘Smart points’, the telco quickly sprang into action...

HEADLINES

Likening the Converge network to a digital fortress, CISO Andrew T.  Malijan said that its battlements were strengthened in 2024 as it blocked a...

HEADLINES

ThinkShield Firmware Assurance is one of the only computer OEM solutions to enable deep visibility and protection below the operating system (OS) by embracing Zero...

HEADLINES

Kaspersky experts have uncovered a series of scams related to the growing demand, ranging from impersonating trusted brands to creating entirely fraudulent storefronts.

HEADLINES

This achievement highlights the increasing demand for Sophos’ proactive, expert-led security solutions, which help organizations of all sizes stay protected 24/7 against increasingly sophisticated...

HEADLINES

Trend's 2025 predictions report warns of the potential for malicious "digital twins," where breached/leaked personal information (PII) is used to train an LLM to...

Advertisement