Active adversaries are now a major threat to organizations of all sizes. These highly skilled cybercriminals continue to develop and evolve their techniques in response to superior defenses, executing attacks at scale and employing sophisticated techniques specifically designed to avoid triggering preventative security solutions.
We are excited to announce the addition of new capabilities to Sophos Firewall, Sophos XDR, and Sophos NDR solutions to further enable organizations to defend against these active adversaries.
What are active adversaries and how do they operate?
Active adversaries are highly skilled cybercriminals, often equipped with sophisticated software and networking skills, who gain entry into an organization’s systems, evade detection and continuously adapt their techniques, using hands-on keyboard and AI-assisted methods to circumvent preventative security controls and execute their attacks.
Organizations need adaptive security controls designed to detect and respond to the approaches commonly used by active adversaries:
Attacks that end in a different place than they started
Active adversaries execute attacks that cross multiple domains across the victim’s environment. The full scope of these attacks cannot be detected by a single point product. Organizations need visibility across their entire ecosystems.
Living off the land attacks
Attacks that use legitimate tools in malicious ways
Preventative security tools are unable to block the use of legitimate IT tools without the risk of causing significant operational disruption. Attackers take advantage of this by using legitimate IT tools like RDP and PowerShell to blend into the background.
Attacks that leverage a weakness, flaw, or error in software
Attackers exploit zero-day and unpatched vulnerabilities to execute attacks: 65% of ransomware attacks start with an attacker exploiting an unknown vulnerability or logging in using legitimate credentials.
Attacks that start with an adversary logging in instead of breaking in
Active adversaries use compromised legitimate user credentials to log in and execute their attacks. Preventative security tools are unable to block or detect until the “user” demonstrates suspicious or malicious behavior.
Our new Active Adversary Report for Security Practitioners highlights key changes in adversary behavior over the last year, including:
- Attackers are speeding up. Dwell time in ransomware is rapidly decreasing, down from nine days in 2022 to five days in the first half of 2023.
- Adversaries frequently abuse legitimate IT tools. The LOLBins (Living-off-the-Land Binaries) and techniques being used by active adversaries do not vary substantially between fast (< five days dwell time) and slow (> five days dwell time) attacks.
- Active adversaries will innovate when they must, and only to the extent that it gets them to their target.
The report highlights the need for organizations to understand how active adversaries behave and to have visibility across their security ecosystems to detect quickly and respond even faster.
We’re adding new capabilities to the Sophos platform across Sophos XDR, Sophos Firewall, and Sophos NDR that give organizations even greater power to defend against active adversaries:
Sophos Firewall – now with Active Threat Response
The new Active Threat Response feature in Sophos Firewall v20 provides instant and automated response to active adversaries. Sophos XDR and MDR analysts can push threat intel to firewalls directly from Sophos Central, enabling the firewalls to coordinate defenses immediately without the need for manual intervention or new firewall rules.
Sophos NDR – now available for XDR
Available November 20, 2023
Sophos Network Detection and Response (NDR) detects active adversaries moving across an organization’s network between devices. Previously available only as an add-on to Sophos MDR, Sophos NDR is now available as an add-on to Sophos XDR, for organizations who manage their own detection and response activities.
Sophos XDR – now with expanded third-party compatibility and optimized UX
Available November 20, 2023
We’re significantly expanding the range of third-party tools and products that customers can integrate with Sophos XDR, across endpoint, firewall, cloud, identity, network, email, and productivity categories. Sophos XDR consolidates security data and provides a single console for customers to work from, with optimized workflows that reduce their investigation workloads.
Point products vs. connected products and services that work together
Attackers continuously adapt their techniques, resulting in the introduction of new point products to defend against these new approaches. Disparate tools, however, typically do not communicate well together. Sophos provides a unified platform that incorporates a broad portfolio of cyber security products and services that has been engineered to work together seamlessly. Plus, compatible with third-party technologies, Sophos’ connected ecosystem provides automated actions and correlated data, allowing organizations to detect, investigate, and respond to active adversaries faster, across all key attack surfaces.
Elevate your defenses against active adversaries
To learn more and explore how Sophos solutions can help your organization better defend against active adversaries, speak with a Sophos adviser or your Sophos partner today.