Cyber attackers spent an average of 15 days inside victim networks last year: Sophos

Cyber attackers are spending more time inside business systems after breaching them. According to a new report from cybersecurity firm Sophos, threat actors spent an average of 15 days inside victim networks last year, up 36% from the previous year.

This measure is called ‘dwell time’: the period between the estimated initial intrusion and the detection of that intrusion. The general belief is that the shorter the dwell time, the less the damage, hence its importance.

Sophos claimed that the large-scale exploitation of ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange Server, along with the emergence of Initial Access Brokers (IABs), significantly increased the average dwell time.

According to the cybersecurity firm, dwell time was longer for smaller organizations: 51 days in SMEs with 250 employees, compared with 20 days in organizations with 3,000 to 5,000 employees.

“Attackers tend to overestimate larger organizations, so they are more motivated to get in, get what they want, and get out. Smaller organizations are undervalued, so attackers can run the risk of lurking around the network in the background for long periods of time,” said John Shier, senior security advisor at Sophos.

“It’s also possible that these attackers were less experienced and needed more time to figure out what to do once they were inside the network. At the same time, smaller organizations usually have less experience in detecting and evading attackers. There is less visibility along the range of attack to take out, prolonging their presence,” he said.

In many cases, multiple adversaries, including ransomware actors, IABs, crypto-miners and others, simultaneously targeted the same organization, Shier said, adding that “if it is crowded within a network, attackers are increasingly able to defeat their competition. Would like to move on.”

The figures differ somewhat from separate research by cybersecurity firm Mandiant, released in April. That report showed that the worldwide dwell time decreased by about 13% to 21 days in the same period. However, the research also noted that multifaceted extortion and ransomware attackers are continually using new techniques and procedures in their attacks, including those targeting virtualization.

There appears to be a lack of advanced detection and response in many organizations. Although Sophos saw a decline in the exploitation of Remote Desktop Protocol (RDP) for initial access, from 32% in 2020 to 13% last year, its use in lateral movement increased from 69% to 82% over the period.

Other commonly found tool and technique combinations were: PowerShell and malicious non-PowerShell scripts, seen together in 64% of cases; PowerShell and Cobalt Strike (56%); and PowerShell and PsExec (51%), the study said.

Sophos said detecting the presence of such correlations could give firms early warning signs of breaches.
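As an added illustration (not code from Sophos or the report), the sketch below correlates the tool pairings listed above per host within a time window. The event fields, the image-name mapping, the `edr_alert` tag for Cobalt Strike and the 24-hour window are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tools the report pairs with PowerShell.
PARTNERS = {"script", "cobalt_strike", "psexec"}

# Assumed mapping from process image name to tool category.
IMAGE_TO_TOOL = {
    "powershell.exe": "powershell", "pwsh.exe": "powershell",
    "psexec.exe": "psexec", "psexesvc.exe": "psexec",
    "wscript.exe": "script", "cscript.exe": "script",
}

def classify(event):
    """Return the tool category for one event, or None if not of interest."""
    if event.get("edr_alert") == "cobalt_strike":  # hypothetical EDR tag
        return "cobalt_strike"
    return IMAGE_TO_TOOL.get(event["image"].lower())

def correlate(events, window=timedelta(hours=24)):
    """Map host -> sorted partner tools seen within `window` of PowerShell."""
    by_host = defaultdict(list)
    for ev in events:
        tool = classify(ev)
        if tool:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), tool))
    findings = {}
    for host, seen in by_host.items():
        ps_times = [t for t, tool in seen if tool == "powershell"]
        partners = {tool for t, tool in seen if tool in PARTNERS
                    and any(abs(t - p) <= window for p in ps_times)}
        if partners:  # PowerShell alone, or a partner alone, is not flagged
            findings[host] = sorted(partners)
    return findings

# Constructed sample events (not taken from the report).
SAMPLE = [
    {"host": "ws01", "time": "2022-03-01T09:00:00", "image": "powershell.exe"},
    {"host": "ws01", "time": "2022-03-01T09:20:00", "image": "PsExec.exe"},
    {"host": "ws02", "time": "2022-03-01T10:00:00", "image": "pwsh.exe"},
    {"host": "ws02", "time": "2022-03-04T10:00:00", "image": "cscript.exe"},
    {"host": "srv1", "time": "2022-03-02T01:00:00", "image": "powershell.exe"},
    {"host": "srv1", "time": "2022-03-02T01:05:00", "image": "rundll32.exe",
     "edr_alert": "cobalt_strike"},
    {"host": "srv1", "time": "2022-03-02T02:00:00", "image": "wscript.exe"},
    {"host": "ws03", "time": "2022-03-01T08:00:00", "image": "psexec.exe"},
]

if __name__ == "__main__":
    for host, tools in correlate(SAMPLE).items():
        print(host, "powershell +", ", ".join(tools))
```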
