Businesses are now taking less time to discover cyber attacks, but in a tight race, criminals are also speeding up their efforts to hack into their victims’ systems, according to cybersecurity firm Sophos.
The median dwell time, measured from the start of an attack to its detection, fell from 10 days to eight days across all attacks, and to five days for ransomware attacks, according to a recent analysis of Sophos Incident Response (IR) cases from January to July 2023. This continues the decline seen in 2022, when it dropped from 15 to 10 days.
However, while defences have improved, attackers, especially experienced and well-resourced ransomware affiliates, continue to speed up their noisy attacks.
Sophos found that it took attackers roughly 16 hours on average to reach Active Directory (AD), one of a company’s most critical assets.
Because AD governs identities and access to resources across an organisation, attackers who compromise it can quickly elevate their privileges, log in to systems and carry out a range of malicious actions.
“When an attacker controls AD, they can control the organisation,” said John Shier, field CTO of Sophos. “The impact, escalation, and recovery overhead of an Active Directory attack is why it’s targeted.”
Controlling the Active Directory server lets attackers linger undetected while they decide on their next move. When they are ready to strike, they can move through a victim’s network unimpeded.
“Such an attack damages the foundation of security upon which an organisation’s infrastructure relies. Very often, a successful AD attack means a security team has to start from scratch,” said Shier.
Sophos also found that the dwell time for ransomware attacks has decreased.
Ransomware accounted for 69 per cent of the IR cases analysed, making it the most common type of attack, and its median dwell time was only five days.
In 81 per cent of ransomware cases the final payload was launched outside regular business hours; of the deployments that did fall within business hours, only 5 per cent happened on a weekday.
Detections also climbed as the week progressed: nearly half (43 per cent) of ransomware attacks were detected on a Friday or Saturday.
The growing adoption of technologies and services like extended detection and response (XDR) and Managed Detection and Response (MDR) has improved the ability to detect attacks sooner, said Shier.
“In some ways we’ve been victims of our own success,” he noted.