Sophos, a leading cybersecurity company, has revealed that attacker dwell time decreased in the first half of 2023. Dwell time is the interval between the start of an attack (the attacker's initial access) and its detection. According to Sophos, the median dwell time across all attacks fell from 10 to 8 days, and for ransomware attacks it fell further, to 5 days. The figures suggest that organizations are detecting and responding to intrusions more quickly, although a shorter dwell time can also mean attackers are moving faster, not only that defenders are catching them sooner.
This continues the trend Sophos observed in 2022, when the median dwell time fell from 15 days to 10. Taken together, the two years show steady progress in detection and response times.
One of the most concerning findings in Sophos' report is how quickly attackers take control of Active Directory (AD). AD is a critical asset because it manages identity and access to resources across an organization; whoever controls it, in practice a domain controller or a domain-admin-equivalent account, can issue credentials, push policy and reach every domain-joined system. The report states that the median time from initial access to control of AD is under a day, roughly 16 hours. AD is a prime target precisely because of the extent of access and privilege it confers within a network.
John Shier, the field CTO at Sophos, explained why AD is an attractive target for attackers. He stated, “Attacking an organization’s Active Directory infrastructure makes sense from an offensive view. AD is usually the most powerful and privileged system in the network, providing broad access to the systems, applications, resources, and data that attackers can exploit in their attacks.”
Once attackers control AD, they can create or modify accounts, disable defenses and move through the network at will, which lets them remain undetected while planning their next moves. Recovery from an AD compromise is lengthy and burdensome: because every trust in the domain derives from AD, a compromised forest generally has to be rebuilt from scratch rather than cleaned in place.
The report also broke out ransomware, which was the most prevalent type of attack in the incident response cases analyzed, accounting for 69% of investigations. The median dwell time for ransomware attacks was only five days. Moreover, 81% of these attacks launched their final payload outside regular working hours, indicating that attackers deliberately time deployment for when fewer defenders are watching and a response is slowest.
The report also found that the number of attacks detected rose as the week progressed, with Friday and Saturday the most common detection days. Read alongside the out-of-hours figure, this points less to stronger detection late in the week than to attackers timing their final payloads for the weekend, when security teams are thinly staffed and a detection is slower to turn into a response.
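The metrics quoted above (median dwell time overall and for ransomware, median time to Active Directory control, the share of payloads launched out of hours, and detections per weekday) are straightforward to compute from an incident-response case log. The following is an added example, not Sophos code or data: it recomputes those metrics over a small set of constructed incidents. The `Incident` fields, the working-hours window (08:00 to 18:00, Monday to Friday, in the victim's local time) and the sample dates are assumptions for illustration.

```python
"""Dwell-time and attack-timing metrics of the kind reported by Sophos,
recomputed over a constructed incident set. Added example, not Sophos data."""
from calendar import day_abbr
from dataclasses import dataclass
from datetime import datetime, time
from statistics import median
from typing import Dict, List, Optional

# Assumed working-hours window; timestamps are taken to be in the victim
# organization's local time, because "out of hours" only makes sense locally.
WORK_START = time(8, 0)
WORK_END = time(18, 0)
WORKDAYS = {0, 1, 2, 3, 4}  # Monday..Friday


@dataclass
class Incident:
    case_id: str
    attack_type: str                             # e.g. "ransomware"
    initial_access: datetime                     # earliest attacker activity
    detected: datetime                           # when the intrusion was found
    ad_compromised: Optional[datetime] = None    # first domain-level control
    payload_launched: Optional[datetime] = None  # e.g. ransomware encryption

    def dwell_days(self) -> float:
        """Dwell time: detection minus start of the attack, in days."""
        return (self.detected - self.initial_access).total_seconds() / 86400

    def hours_to_ad(self) -> Optional[float]:
        """Initial access to control of Active Directory, in hours."""
        if self.ad_compromised is None:
            return None
        return (self.ad_compromised - self.initial_access).total_seconds() / 3600


def is_outside_working_hours(ts: datetime) -> bool:
    """True on a weekend, or outside WORK_START..WORK_END on a workday."""
    if ts.weekday() not in WORKDAYS:
        return True
    return not (WORK_START <= ts.time() < WORK_END)


def median_dwell_days(incidents: List[Incident], attack_type: Optional[str] = None) -> float:
    """Median dwell time, optionally restricted to one attack type."""
    sample = [i for i in incidents if attack_type in (None, i.attack_type)]
    return median(i.dwell_days() for i in sample)


def median_hours_to_ad(incidents: List[Incident]) -> float:
    """Median time to AD control over the cases where AD was reached."""
    return median(h for h in (i.hours_to_ad() for i in incidents) if h is not None)


def share_payloads_outside_hours(incidents: List[Incident]) -> float:
    """Fraction of final payloads launched outside the working-hours window."""
    launched = [i.payload_launched for i in incidents if i.payload_launched is not None]
    if not launched:
        return 0.0
    return sum(is_outside_working_hours(t) for t in launched) / len(launched)


def detections_by_weekday(incidents: List[Incident]) -> Dict[str, int]:
    """Count of detections per weekday name (Mon..Sun)."""
    counts: Dict[str, int] = {}
    for i in incidents:
        name = day_abbr[i.detected.weekday()]
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample cases (June 2023 dates chosen so weekdays are known).
SAMPLE_INCIDENTS = [
    Incident("R-1", "ransomware", datetime(2023, 6, 5, 9, 0), datetime(2023, 6, 10, 9, 0),
             ad_compromised=datetime(2023, 6, 6, 1, 0), payload_launched=datetime(2023, 6, 10, 2, 15)),
    Incident("R-2", "ransomware", datetime(2023, 6, 12, 10, 0), datetime(2023, 6, 16, 22, 0),
             ad_compromised=datetime(2023, 6, 13, 6, 0), payload_launched=datetime(2023, 6, 16, 21, 30)),
    Incident("R-3", "ransomware", datetime(2023, 6, 1, 8, 0), datetime(2023, 6, 7, 8, 0),
             ad_compromised=datetime(2023, 6, 1, 20, 0), payload_launched=datetime(2023, 6, 7, 11, 0)),
    Incident("N-1", "network breach", datetime(2023, 5, 20, 0, 0), datetime(2023, 6, 3, 0, 0)),
    Incident("N-2", "data exfiltration", datetime(2023, 6, 2, 12, 0), datetime(2023, 6, 10, 12, 0),
             ad_compromised=datetime(2023, 6, 3, 12, 0)),
]

if __name__ == "__main__":
    print("median dwell (all):        %.1f days" % median_dwell_days(SAMPLE_INCIDENTS))
    print("median dwell (ransomware): %.1f days" % median_dwell_days(SAMPLE_INCIDENTS, "ransomware"))
    print("median time to AD:         %.1f hours" % median_hours_to_ad(SAMPLE_INCIDENTS))
    print("payloads out of hours:     %.0f%%" % (100 * share_payloads_outside_hours(SAMPLE_INCIDENTS)))
    print("detections by weekday:     %s" % detections_by_weekday(SAMPLE_INCIDENTS))
```

Two design points carry over to real case data: use the median, not the mean, because a handful of long-lived intrusions would otherwise dominate the figure, and evaluate the working-hours window in the victim's local time rather than in UTC, or a Friday-evening deployment in one region will be misclassified.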
Shier emphasized that although detection times have improved, there is still work to be done to enhance overall cybersecurity. He stated, “Attackers are still getting into our networks, and when time isn’t pressing, they tend to linger. But all the tools in the world won’t save you if you’re not watching.” Continuous monitoring and proactive security measures are essential to outsmarting cybercriminals and closing the gap between attackers and defenders.
In conclusion, attacker dwell time decreased in the first half of 2023, pointing to improved detection and response within organizations. Active Directory remains a prime target because of the access and privilege it confers, and attackers reach it in well under a day. Ransomware dwell times are shorter still, with final payloads deliberately launched outside regular working hours and towards the weekend. Organizations therefore need monitoring that is staffed around the clock, not only during the working week, to stay ahead of these attacks.