Cybercriminals Spend 11 Days On Average Embedded Within Vulnerable Networks Before Attacking
After a cybercriminal manages to breach a network, it is not all about immediately attacking the target. New research shows that these black hat hackers may lie dormant or lurk on a network for around 250 hours on average before an attack kicks off or they are detected. This means that organizations should know that the clock is always ticking to quarantine a problem before it turns into a nightmare, like the recent Colonial Pipeline attack.
Defending an organization from cyberattacks is no small feat when the threat constantly adapts to new evasion techniques and evolves the attack toolset. Generally, these adversaries like to try and stay one step ahead of the security team and often are; however, the tables can turn when companies invest in solving the problem adequately. Moreover, when research like what is done by cybersecurity company Sophos is published, more people know what to look for, thus making companies safer.
The cybersecurity research recently released by Sophos, titled “The Active Adversary Playbook 2021,” outlines “attacker behavior and impact as well as the tactics, techniques, and procedures (TTPs) seen in the wild by Sophos’ frontline threat hunters and incident responders.” This research includes the top five techniques observed in 2020 and 2021 for tactics such as initial access, persistence, privilege escalation, and more.
Furthermore, Sophos describes what they call the “anatomy of an active attack,” where they found that attackers remain on a target network for 11 days on average before detection or attack. However, the longest time a hacker was found to be on a network was over 15 months. In either case, the extended timeframe could allow quite a bit of malicious activity, “such as lateral movement, reconnaissance, credential dumping, data exfiltration, and more.” This time would also allow an attacker to reach as many devices as possible before setting off an attack, which is especially valuable to the attacker when the payload is ransomware, as it was in 81% of observed attacks.
Besides the tactics, Sophos also looked at the tools that an attacker would use, and the Sophos team drew some interesting conclusions from this information. Several tools have legitimate uses, but when found and used together, they could be malicious. This could be akin to having lockpicking tools, where it is perfectly fine to have a bobby pin, but when you are walking around at night with a bobby pin, screwdriver, and ski mask, it should be concerning.
Similarly, there are also correlations between the tools hackers use, such as when “PowerShell is used in an attack, Cobalt Strike is seen in 58% of cases, PsExec in 49%, Mimikatz in 33%, and GMER in 19%.” Such co-occurrence can serve as an early warning of an “impending attack or confirm the presence of an active attack.”
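To show how that co-occurrence signal can be turned into a simple detection, here is an added example (not code from the Sophos report or from this article) that scans constructed process-creation events and flags hosts where PowerShell runs within a time window of PsExec, Mimikatz or GMER; the image-name mapping and the 24-hour window are assumptions for the example.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Process image names mapped to the tool families the Sophos report names.
# Assumed names for this example; real telemetry needs a richer mapping.
TOOL_BY_IMAGE = {
    "powershell.exe": "PowerShell",
    "psexec.exe": "PsExec",
    "psexesvc.exe": "PsExec",
    "mimikatz.exe": "Mimikatz",
    "gmer.exe": "GMER",
}
COMPANIONS = {"PsExec", "Mimikatz", "GMER"}

# Constructed process-creation events: timestamp, host, image name.
SAMPLE_EVENTS = """\
2021-05-10T08:01:00,WS-17,powershell.exe
2021-05-10T08:03:30,WS-17,psexesvc.exe
2021-05-10T08:09:12,WS-17,mimikatz.exe
2021-05-10T09:00:00,WS-22,powershell.exe
2021-05-11T14:00:00,WS-22,gmer.exe
2021-05-10T10:15:00,SRV-DC1,psexec.exe
"""

def parse_events(text):
    """Yield (timestamp, host, tool) for events whose image is a tracked tool."""
    for ts, host, image in csv.reader(StringIO(text)):
        tool = TOOL_BY_IMAGE.get(image.strip().lower())
        if tool:
            yield datetime.fromisoformat(ts), host, tool

def find_tool_clusters(text, window=timedelta(hours=24)):
    """Return {host: sorted tools} where PowerShell ran within `window` of a companion tool."""
    by_host = defaultdict(list)
    for ts, host, tool in parse_events(text):
        by_host[host].append((ts, tool))
    flagged = {}
    for host, events in by_host.items():
        for ts, tool in events:
            if tool != "PowerShell":
                continue
            near = {t for ts2, t in events
                    if t in COMPANIONS and abs(ts2 - ts) <= window}
            if near:
                flagged[host] = sorted(near | {"PowerShell"})
                break
    return flagged
```

On the sample data only WS-17 is flagged: WS-22 saw GMER 29 hours after PowerShell, outside the default window, and SRV-DC1 saw PsExec alone.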
With this abundance of information in mind, all organizations are always a target, and each needs to be aware that a cybersecurity threat could appear at any time. Using Sophos’ research, though, security teams will hopefully be better equipped to tackle threats as they come up in the future. As it goes, it is not a matter of if, but when you are breached.