Obviously, it's always too long. But it turns out that hackers find a way to sneak around networks undetected for much longer than you might think.
According to UK security firm Sophos, attackers stay in corporate networks for an average of 11 days after entering a target network before being detected. And often, when they are spotted, it is because they have deployed ransomware. As Sophos researchers note in a new report, this is more than enough time for an attacker to gain a full picture of what a target network looks like and where its weaknesses lie, and then for the ransomware they deploy to destroy or cripple it.
Sophos data, based on customer incident responses, suggests a much shorter "dwell time" for attackers than recently released data from FireEye's incident response team, Mandiant. Mandiant indicated that the median time to detection was 24 days, which was itself an improvement over previous years.
RDP, a touchstone for attackers
Sophos explains the relatively short duration by the fact that 81% of the incidents it has helped customers with involved ransomware, a noisy attack that immediately sets off alarm bells in technical departments. So, while shorter timelines may indicate an improvement in security posture, they could also simply reflect the fact that file-encrypting ransomware is a more disruptive, and therefore more visible, attack than data theft.
“To put it in context, 11 days potentially gives attackers around 264 hours for malicious activity, such as lateral movement, reconnaissance, credential dumping, data infiltration, etc. Considering that some of these activities only take a few minutes or hours to implement, 11 days gives attackers plenty of time to do damage,” Sophos notes in its Active Adversary Playbook 2021 report.
The vast majority of incidents Sophos responded to were ransomware attacks, which suggests the scale of the problem. Other attacks included data theft, cryptocurrency mining, banking Trojans, data wipers, and the use of penetration testing tools such as Cobalt Strike.
Another notable point is the widespread use of the Remote Desktop Protocol (RDP) by attackers: around 30% of attacks started with RDP, and 69% of subsequent activity was carried out over it. Phishing, on the other hand, was the entry point for only 12% of attacks.
The growth of DarkSide
Attacks against exposed RDP services have long been used to launch ransomware attacks and are much more common than exploits against VPNs. Several security companies have ranked RDP as the main intrusion vector for ransomware incidents in 2020. Security company ESET reported that the shift to remote working saw an almost 800% surge in RDP attacks in 2020.
“RDP played a role in 90% of the attacks. However, the way in which the attackers used RDP is worth noting. In incidents involving RDP, it was only used for external access in 4% of cases. About a quarter (28%) of attacks showed that attackers used RDP for both external access and internal movement, while in 41% of cases RDP was used only for internal lateral movement within the network,” note the Sophos researchers.
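The distinction Sophos draws above, RDP as an entry point versus RDP as an internal lateral-movement tool, is one a defender can apply directly to Windows Security logs. The following script is an added example, not Sophos's tooling or part of its report: it classifies constructed Windows event 4624 records (logon type 10 is the RemoteInteractive, i.e. RDP, logon type) by whether the source address is internal or external, and additionally flags "pivot" logons, where the machine originating an RDP session had itself been the target of an RDP session earlier in the window. The field names mirror the 4624 event, but the sample events, the internal address ranges and the host names are assumptions chosen for the illustration.

```python
"""Classify RDP logons (Windows event 4624, logon type 10) as external access
or internal lateral movement, and flag hop-on-hop pivots.

Added illustration; the events below are constructed, not real telemetry.
"""
import ipaddress
from collections import Counter

# Assumed internal address space for the illustration (RFC 1918 ranges).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

RDP_LOGON_TYPE = 10  # RemoteInteractive: the logon type an RDP session produces

# Constructed sample events in time order. Field names follow event 4624:
# WorkstationName/IpAddress describe the client, Computer is the host logged on to.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "admin",
     "WorkstationName": "UNKNOWN", "IpAddress": "203.0.113.10", "Computer": "GW01"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe",
     "WorkstationName": "WS01", "IpAddress": "10.0.1.25", "Computer": "WS02"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "admin",
     "WorkstationName": "GW01", "IpAddress": "10.0.0.5", "Computer": "FS01"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "admin",
     "WorkstationName": "FS01", "IpAddress": "10.0.0.20", "Computer": "DC01"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "asmith",
     "WorkstationName": "WS03", "IpAddress": "-", "Computer": "WS03"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "asmith",
     "WorkstationName": "WS04", "IpAddress": "10.0.1.30", "Computer": "WS05"},
]


def classify_rdp(event):
    """Return 'external_access', 'internal_lateral', or None for non-RDP logons."""
    if event.get("EventID") != 4624 or event.get("LogonType") != RDP_LOGON_TYPE:
        return None
    try:
        src = ipaddress.ip_address(event.get("IpAddress", "-"))
    except ValueError:
        return None  # address missing ("-") or unparseable; nothing to classify
    if any(src in net for net in INTERNAL_NETS):
        return "internal_lateral"
    return "external_access"


def summarize(events):
    """Count RDP logons by category, mirroring the external/internal split."""
    counts = Counter(c for c in map(classify_rdp, events) if c is not None)
    return dict(counts)


def find_pivots(events):
    """Flag RDP logons whose source host was itself reached over RDP earlier.

    A chain such as external -> GW01 -> FS01 -> DC01 is the pattern of an
    intruder hopping inward; an admin doing the same legitimately will also
    match, so treat hits as triage candidates, not verdicts.
    """
    reached = set()
    pivots = []
    for ev in events:
        if classify_rdp(ev) is None:
            continue
        src_host, dst_host = ev["WorkstationName"], ev["Computer"]
        if src_host in reached:
            pivots.append((ev["TargetUserName"], src_host, dst_host))
        reached.add(dst_host)
    return pivots


if __name__ == "__main__":
    print("RDP logons by category:", summarize(SAMPLE_EVENTS))
    for user, src, dst in find_pivots(SAMPLE_EVENTS):
        print(f"pivot: {user} hopped {src} -> {dst}")
```

On the constructed events the split is one external RDP logon and four internal ones, and the two pivots (GW01 to FS01, then FS01 to DC01) reproduce the "external access followed by internal movement" pattern Sophos describes. Run against real 4624 data, the source-host bookkeeping should be keyed on a bounded time window and the internal ranges set to the organisation's own address plan.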
Sophos has also compiled a list of the most frequently observed ransomware groups. DarkSide, a recent but successful ransomware-as-a-service operation that started in mid-2020, accounted for only 3% of the cases Sophos investigated through 2020. It is now in the spotlight due to the attack on Colonial Pipeline, which paid the group $4.4 million.
DarkSide offers its ransomware as a service to other criminal groups, who carry out the attacks. The same model is used by REvil, which is in the limelight because of its attacks on, for example, the French pharmaceutical company Pierre Fabre.
According to Sophos, REvil (aka Sodinokibi) was the most active cybercriminal group in 2020, alongside Ryuk. By some estimates, it earned $150 million from ransomware in 2020. Other significant ransomware families include Dharma, Maze (no longer in use), Ragnarok, and Netwalker (no longer in use).
Last week, US President Joe Biden said he discussed the Colonial Pipeline ransomware attack with Moscow and suggested that Russia take "decisive action" against these attackers. The United States believes DarkSide is based in Russia but not linked to the Russian government. “We have been in direct communication with Moscow regarding the imperative for the countries responsible to take decisive action against these ransomware networks,” President Biden said on May 13.