A recent report by cybersecurity firm Sophos has revealed that the dwell time of cyber attacks has been reduced in ransomware cases. Dwell time refers to the duration between the launch of a cyber attack and its detection by the target. The study, titled “Active Adversary Report for Tech Leaders 2023,” analyzed incidents in the first half of 2023 and other time frames.
The research focused on ransomware attacks, which accounted for nearly 70% of all cyber attacks. Among these attacks, 81% were found to have their final payload launched after working hours. Additionally, it was discovered that most of the ransomware attacks that occurred during business hours were on weekends, with only a few attacks taking place on weekdays. The study also found that the number of cyber attacks increased as the week progressed, particularly in the case of ransomware attacks. Approximately 43% of ransomware attacks were detected on Fridays and Saturdays, when fewer employees are present to notice and respond.
The research on cyber attack dwell time was powered by Sophos X-Ops, the company’s cross-domain threat intelligence tool. The study spanned 25 sectors and examined organizations based in 33 countries across six continents. It revealed that 88% of the cyber attack cases occurred in organizations with a workforce of fewer than 1,000 employees, indicating that cybercriminals often target smaller and more vulnerable targets.
The report showed that the median dwell time for all types of cyber attacks was reduced from 10 to eight days. When focusing specifically on ransomware attacks, the dwell time was further reduced to five days. Additionally, the research found that cybercriminals took approximately 16 hours to gain access to the Active Directory (AD), which is responsible for identity and access management within an organization. This allowed hackers to escalate privileges by logging in with employee credentials and accessing sensitive data.
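The two figures above that matter most to a defender are timing (payloads launched after hours and on weekends) and dwell time (first intrusion activity to detection, with Active Directory reached in about 16 hours). The following script is an added illustration, not code from Sophos or from the report: it takes a constructed incident timeline, flags which events fell outside an assumed 08:00 to 18:00 working day or on a weekend, and computes dwell time and time-to-AD from the timeline. The event list, the stage names, the business-hour bounds and the fixed local UTC offset are all assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Assumed working-day bounds in local time (08:00 to 18:00); tune per site.
BUSINESS_START = 8
BUSINESS_END = 18

# Constructed sample timeline (not from the report): UTC timestamps, a stage
# label, and a short description. In practice these come from EDR/SIEM alerts.
SAMPLE_EVENTS = [
    ("2023-03-06T13:15:00Z", "initial_access", "phishing attachment opened"),
    ("2023-03-07T05:15:00Z", "ad_access", "privileged logon to domain controller"),
    ("2023-03-11T07:30:00Z", "payload", "mass file encryption started"),
    ("2023-03-11T13:15:00Z", "detection", "EDR alert triaged by analyst"),
]


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_off_hours(dt_utc, local_offset_hours):
    """True if the event is on a weekend or outside business hours, in local time.

    local_offset_hours is an assumed fixed UTC offset for the site (e.g. -5);
    a production version would use a real tz database to honour DST.
    """
    local = dt_utc.astimezone(timezone(timedelta(hours=local_offset_hours)))
    weekend = local.weekday() >= 5          # Saturday=5, Sunday=6
    outside = not (BUSINESS_START <= local.hour < BUSINESS_END)
    return weekend or outside


def analyze(events, local_offset_hours):
    """Compute dwell time, time-to-AD, and off-hours attacker activity."""
    timeline = sorted((parse_ts(ts), stage, desc) for ts, stage, desc in events)
    first_seen = {}
    for dt, stage, _ in timeline:
        first_seen.setdefault(stage, dt)    # keep the earliest event per stage

    first_activity = timeline[0][0]
    detection = first_seen["detection"]
    ad_access = first_seen["ad_access"]
    payload = first_seen["payload"]

    # Attacker-side events that happened while the SOC was least staffed.
    off_hours_events = [
        desc for dt, stage, desc in timeline
        if stage != "detection" and is_off_hours(dt, local_offset_hours)
    ]

    return {
        "dwell_days": round((detection - first_activity).total_seconds() / 86400, 2),
        "hours_to_ad": round((ad_access - first_activity).total_seconds() / 3600, 1),
        "payload_off_hours": is_off_hours(payload, local_offset_hours),
        "off_hours_events": off_hours_events,
    }


if __name__ == "__main__":
    # Assumed site offset UTC-5 (constructed, matching the sample timestamps).
    result = analyze(SAMPLE_EVENTS, -5)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed timeline, the domain-controller logon lands at 00:15 local on a Tuesday and the encryption run at 02:30 local on a Saturday, so both are reported as off-hours activity while the initial phish, opened at 08:15 on a Monday, is not; the dwell time comes out at exactly five days and the AD hop at 16 hours. The useful takeaway is that an off-hours filter like `is_off_hours` is cheap to put in front of alert routing, so that privileged-logon and mass-file-write alerts raised on a Friday night are escalated rather than left for Monday.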
Regarding the breach of the Active Directory, John Shier, Field CTO at Sophos, emphasized its critical nature. He stated that the Active Directory is often the most powerful and privileged system in a network, providing attackers with broad access to systems, applications, resources, and data. Once they gain access to the AD, adversaries have the advantage of being able to explore and collect data while remaining undetected. Shier warned that such an attack damages the foundation of an organization’s security infrastructure and can be time-consuming and complicated to recover from, often requiring starting from scratch.
In response to the reduced time frame for detecting attacks, Shier highlighted the benefits of Extended Detection and Response (XDR) and Managed Detection and Response (MDR). However, he stressed that having the right tools alone is not enough and that continuous, proactive monitoring is essential to ensure that criminals have a worse day than the organization itself.
The report serves as a reminder to organizations of the ongoing threat posed by cybercriminals and the need for robust cybersecurity measures. As cyber attacks become more sophisticated and frequent, businesses must prioritize investing in effective detection and response solutions and maintaining constant vigilance to protect their critical systems and data.