In order to offer a current view of the threat landscape, Sophos publishes Active Adversary Reports several times a year.
The most recent data, published just weeks ago, covers the first half of calendar year 2023 and is aimed at tech leaders. Tech leaders, as the people responsible for operationalizing security strategy, need the most up-to-date information available in order to determine how best to deploy their team’s time and resources for defense.
Here are the key takeaways from this latest iteration of the report to help bolster your organization’s security posture.
The changing face of initial access techniques
The initial access point is often where adversaries strike first. According to Sophos researchers, “External remote services” topped the list of initial access techniques, followed closely by “Exploit public-facing applications.” Tech leaders need to be aware of these common entry points and prioritize the security of external-facing services and applications.
Valid accounts and compromised credentials
In a majority (70%) of cases, adversaries combined the abuse of valid accounts with external remote services. This highlights the significance of monitoring and securing user accounts, especially those with privileged access. The report further reveals that compromised credentials accounted for 50% of root causes, underscoring the critical need for robust authentication and access controls.
The MFA conundrum
Multi-Factor Authentication (MFA) is a well-known cybersecurity best practice. However, the report reveals that MFA was not configured in 39% of the cases investigated in 2023. Researchers note this is concerning because the cybersecurity industry recognizes MFA as a potent defense against unauthorized access. Tech leaders must prioritize the implementation of MFA to protect their systems effectively.
Reduced dwell time
Dwell time for attackers is down across all types of attacks, shrinking from 15 to 10 days. The dwell time in ransomware attacks is down from 11 to 9 days.
This trend could be both good and bad news. Shorter dwell times can signal that criminals are executing attacks sooner. But they may also mean defenders are doing a better job of detecting nefarious activity.
Patterns in attack timing
The report uncovers intriguing patterns in the timing of cyberattacks. A significant 61% of attacks occurred in the middle of the workweek. Ransomware attacks followed a similar trend, with 62% taking place mid-week. However, an interesting spike in ransomware attacks was observed on Fridays, with nearly half (43%) of such attacks occurring on Fridays or Saturdays. Moreover, most (81%) ransomware payloads were deployed outside of traditional business hours.
RDP’s pervasive role
Remote Desktop Protocol (RDP) continues to be a favored tool for cybercriminals, featuring in an astounding 95% of attacks. The report notes that RDP was predominantly used for internal access and lateral movement (77% of incidents), reflecting a notable increase from 2022. While external RDP use decreased, it remains a concern, with 18% of cases involving external access.
Dominance of ransomware attacks
Ransomware is still a massive problem. The report indicates that ransomware attacks accounted for 69% of all attack types. LockBit maintained its top spot in the first half of 2023, accounting for 15% of cases, followed closely by BlackCat (13%), Royal (11%), and a three-way tie between Play, Black Basta, and CryTOX (7%). Tech leaders should remain vigilant against the persistent threat of ransomware and take proactive measures to protect their organizations.
Know what to prioritize
As the cyber threat landscape becomes increasingly complex, tech leaders must arm themselves with knowledge and insights to protect their organizations effectively. By staying informed and implementing the necessary security measures, tech leaders can fortify their defenses and mitigate the risks posed by today’s sophisticated adversaries. Learn how Sophos can help guide your efforts at Sophos.com.