Sophos Stopping Active Adversaries WP
Sophos incident responders’ goal is to quickly triage, contain, and neutralize active
threats and eject adversaries to prevent any further damage.
What they do
Active adversaries infiltrate organizations’ systems, evade detection, and
continuously adapt their techniques, using keystroke and AI-based methods
to bypass preventative security controls and execute their attacks. Continuous
adaptation is the key. They launch an attack, see what happens, and respond
accordingly. If they don’t succeed the first time, they try another option and
another option until they achieve their goal.
Prevalence
Despite misconceptions that active adversaries only target larger organizations, the reality is that they impact organizations of all sizes. 24% of IT leaders in organizations with 100-250 employees report that they experienced an attack involving an active adversary in the last year¹.
It’s worth noting that, with the occasional exception of very high value political targets, active adversaries rarely deliberately target a particular organization. Rather, they look for organizations with gaps in their security defenses and then go in for the kill.
[Figure: Countries represented in the dataset]
¹ The State of Cybersecurity 2023: The Business Impact of Adversaries, Sophos - Survey of 3,000 IT leaders across 14 countries
In 2022, exploited vulnerabilities were the number one root cause of attacks, used in 37% of cases, followed by compromised credentials, used in 30% of cases.
These findings are reinforced by data from the Sophos State of Ransomware 2023 study, which reported that 36% of ransomware attacks in the previous year started with exploited vulnerabilities and 29% with compromised credentials.
Looking deeper into the 2022 attacks remediated by the Sophos Incident Response team, over half (55%) of those that started with exploited vulnerabilities were associated with just two vulnerabilities: ProxyShell and Log4Shell - both of
Root cause                     2022    1H23
Exploited Vulnerabilities      37%     23%
Compromised Credentials        30%     50%
Source: The Active Adversary Report for Business Leaders, 2023, Sophos (n=152); Active Adversary Report for Tech Leaders, 2023, Sophos (n=80)
Moving into the first half of 2023, the order switched and compromised credentials was the number one root cause, used in half of the incidents remediated by the team. Exploited vulnerabilities were used as the entry method in just under a quarter (23%) of cases.
It is too early to say that adversaries have definitively changed their tactics. It
may be that in the first half of 2023 there weren’t as many easily exploitable
vulnerabilities for adversaries to take advantage of, or that initial access brokers
had a lot of inventory that they were willing to sell off cheaply. However, what is
certain is that compromised credentials are readily available on the dark web,
often obtained through phishing attacks or previous data breaches.
Dwell time is the time an adversary spends in your environment before being detected. In successful cyberattacks, adversaries typically remain undetected until the point at which they detonate their attack, for example, when they launch their ransomware and start encrypting files. As a result, shorter dwell time means faster overall attack execution. Dwell time also represents your opportunity to detect and neutralize an active adversary before they can achieve their goal.
Combining this learning with our previous findings around attack timings makes clear the challenges facing organizations that lack 24/7 security operations coverage. If an adversary starts their ransomware attack at 9pm Friday night but you don’t see the suspicious activity and alerts until 9am Monday morning, you have already lost half of your window of opportunity to detect the attacker and eject them from your environment.
Coinminers have a very long dwell time, but they are meant to be long running. Coinminers will happily squat on a server, accruing fractions of a cent per month, in perpetuity.
Data extortion. Most, but not all, attacks fell into the “slower” attack dataset. In an extortion attack, the threat actors tended to stay on the network longer than in cases where data is simply exfiltrated, but no extortion was attempted. It is likely that, because there is no encryption component to these attacks, the threat actors are able to operate more silently, and therefore more slowly and deliberately.
Data exfiltration is a variant of data extortion (all extortions involve some form of exfiltration, but not all exfiltrations involve extortion) and also leans slightly toward longer attacks for similar reasons. (“Data exfiltration” in our dataset indicates cases where it is confirmed that data left the affected network, but no further information is available about what the attacker did with that data.)
[Chart: dwell time by attack type; categories: Network breach, Data extortion, Data exfiltration, Web shell, Loader, Coinminer]
Dwell time varies by root cause
We saw earlier that the most common root causes of attacks were compromised credentials and exploited vulnerabilities. Now let’s look at how dwell time varies by root cause.
In general, attacks that started with compromised credentials moved faster than those that started with an exploited vulnerability. More than half of the attacks that started with compromised credentials had a dwell time of five days or less, compared to a third of the attacks that started with an exploited vulnerability.
The notable outlier in this view of the data is supply chain attacks, where more than three quarters had a dwell time of less than five days. Supply chain compromises are the ready-made meal kits of threats: all the ingredients are provided and ready to go, and it’s just a matter of making it happen.
[Chart: Dwell Time by Root Cause, 2022 - 1H23; categories: Compromised credentials, Exploited vulnerability, Unknown, Malicious document, Brute force attack, Phishing, Adware, Supply chain compromise]
Source: Active Adversary Report for Tech Leaders, 2023, Sophos (n=80)
Combining this finding with the earlier data around attack timing makes clear that AD can easily be compromised during off-hours. Attackers can also use the AD server to distribute their malware from a trusted source. Plus, when attackers get to AD, they find that most servers are protected with only Microsoft Defender, and sometimes are not running protection at all.
Source: Active Adversary Playbook 2022, Sophos (n=144); Active Adversary Report for Business Leaders, 2023, Sophos (n=152); Active Adversary Report for Tech Leaders, 2023, Sophos (n=80)
Living off the Land (i.e., exploiting legitimate IT tools)
Adversaries often exploit legitimate IT tools when carrying out their attacks to avoid triggering protection technologies. This chart shows the most commonly exploited legitimate IT tools (or Living off the Land Binaries, to use the technical name) used in the attacks.
Top 10 Living off the Land Binaries (LOLBins) observed in the dataset
RANK   5 DAYS OR LESS    GREATER THAN 5 DAYS   RANK
1      RDP               RDP                   1
6      net.exe           Task Scheduler        6
7      rundll32.exe      rundll32.exe          7
8      ping.exe          WMI                   8
9      reg.exe           ping.exe              9
10     vssadmin.exe      whoami.exe            10
We’ve split them between fast attacks (five days or less) and slower attacks (greater than five days). Remote Desktop Protocol (RDP) is the number one most abused IT tool in both fast and slow attack categories, followed closely by PowerShell.
Furthermore, eight tools feature on both sides of the chart and, if we expand the list to look at the top 20 binaries, 90% appear on both the fast and slow lists.
If you see signs of suspicious activities involving these tools, investigate without delay.
Ubiquity of RDP in attacks
As evidenced by the chart below, adversaries love to use RDP. In fact, in the first half of 2023, RDP played a role in a staggering 95% of attacks, an increase from 2022, when it played a role in a previous all-time high of 88% of attacks.
Use of RDP in attacks
2022: 88% of attacks    1H23: 95% of attacks
Source: Active Adversary Report for Business Leaders, 2023, Sophos (n=152); Active Adversary Report for Tech Leaders, 2023, Sophos (n=80)
Many people think of RDP as a way for adversaries to get into organizations. And that’s true - they do use it for external access. But most often, they use it to advance their attacks once they are inside.
In the first half of 2023, RDP was used for internal movement in 93% of incidents and externally in 18% of incidents. This compares to 86% and 22% respectively in 2022.
As the data makes clear, there were a number of incidents where RDP was used for both internal and external access. However, it is rarely used for external access only - both in 2022 and in the first half of 2023, RDP was used solely for external access in just 2% of cases.
This means that if you only focus on looking for RDP abuse as a means to infiltrate your organization, you’re missing the main adversary use case.
Time is of the essence when responding to an active threat: the time between detecting the initial access event and fully mitigating the threat should be as short as possible.
Now that Microsoft has begun making logging free and available for basic licenses (as of September 2023), there’s no reason for your organization to not take full advantage of it.
And like many other types of data, logs should be securely backed up so that they can be used in the event that forensic analysis is required.
Protect everything
Attackers will take advantage of any weak spot they can find to penetrate your
environment and then move around as they escalate their attacks. Make sure your
entire environment is protected – you’re only as strong as your weakest link. Plus,
strong defenses also provide valuable telemetry, which can help to accelerate
threat detection and response.
Alternatively, you can follow X-Ops on X with the handle @SophosXOps. The team
utilizes the same handle on InfoSec Exchange.
Sophos delivers industry leading cybersecurity solutions to businesses of all sizes, protecting them in real time from advanced threats
such as malware, ransomware, and phishing. With proven next-gen capabilities your business data is secured effectively by products
that are powered by artificial intelligence and machine learning.
2023-12-15 (WP-NP)