CYBERSECURITY service business Sophos Computer Securities (SCS) Pte. Ltd. announced that it found that telemetry logs—user’s data like name and location—were missing in nearly 42 percent of the attack cases the firm studied.
In 82 percent of these cases, cybercriminals disabled or wiped out the telemetry to hide their tracks, the firm said. It added that its report covers incident response (IR) cases that the firm analyzed from January 2022 through the first half of 2023.
In the report, Sophos classifies ransomware attacks with a dwell time of less than or equal to five days as “fast attacks,” which accounted for 38 percent of the cases studied. “Slow” ransomware attacks are those with a “dwell time” greater than five days, which accounted for 62 percent of the cases.
When examining these “fast” and “slow” ransomware attacks at a granular level, there was not much variation in the tools, techniques and living-off-the-land binaries (LOLBins) that attackers deployed, suggesting defenders don’t need to reinvent their defensive strategies as dwell time shrinks. However, defenders do need to be aware that fast attacks and the lack of telemetry can hinder fast response times, leading to more destruction.
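Because the report's two findings are that telemetry goes missing and that dwell time is the yardstick for "fast" versus "slow" attacks, a defender's first check is whether each monitored host is still reporting. The following is an added example, not code from Sophos or the report: it scans per-host event timestamps (a constructed sample) for silences longer than a tolerance multiple of the expected reporting interval, including a host that simply stopped reporting, and classifies an incident by dwell time using the report's five-day threshold.

```python
from datetime import datetime, timedelta

# Constructed sample: ISO timestamps of telemetry events (e.g. agent
# heartbeats) received per host. host-a stops reporting after 2 March;
# host-b has a 60-hour hole in the middle of its stream.
SAMPLE_EVENTS = {
    "host-a": ["2023-03-01T00:00", "2023-03-01T06:00", "2023-03-01T12:00",
               "2023-03-01T18:00", "2023-03-02T00:00"],
    "host-b": ["2023-03-01T00:00", "2023-03-01T06:00", "2023-03-03T18:00",
               "2023-03-04T00:00"],
}
NOW = datetime(2023, 3, 4, 12)  # assumed time of the check


def telemetry_gaps(events, now, expected_interval=timedelta(hours=6), tolerance=2.0):
    """Return (host, gap_start, gap_end, hours) for every silence longer than
    tolerance * expected_interval. gap_end is None when the host has not
    reported again as of `now`, i.e. it is still silent."""
    limit = expected_interval * tolerance
    gaps = []
    for host, stamps in events.items():
        times = sorted(datetime.fromisoformat(t) for t in stamps)
        # Holes between consecutive events within the stream.
        for prev, cur in zip(times, times[1:]):
            delta = cur - prev
            if delta > limit:
                gaps.append((host, prev, cur, delta.total_seconds() / 3600))
        # Trailing silence: last event up to the time of the check.
        tail = now - times[-1]
        if tail > limit:
            gaps.append((host, times[-1], None, tail.total_seconds() / 3600))
    return gaps


def classify_dwell_time(first_access, detection, threshold_days=5):
    """Report convention: dwell time <= 5 days is 'fast', otherwise 'slow'."""
    return "fast" if detection - first_access <= timedelta(days=threshold_days) else "slow"


if __name__ == "__main__":
    for host, start, end, hours in telemetry_gaps(SAMPLE_EVENTS, NOW):
        state = "still silent" if end is None else f"resumed {end.isoformat()}"
        print(f"{host}: no telemetry for {hours:.0f}h from {start.isoformat()} ({state})")
```

A gap that coincides with other activity on the host is the point to treat as possible log tampering rather than an agent outage.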
SCS issued its report a month after hackers released to the dark web about 600 gigabytes of files from the Philippine Health Insurance Corp., representing “millions” of affected users.
“Cybercriminals only innovate when they must and only to the extent that it gets them to their target,” a statement quoted SCS Field CTO John Shier as saying. “Attackers aren’t going to change what’s working, even if they’re moving faster from access to detection.”
Shier noted the firm considers this as “good news for organizations because they don’t have to radically change their defensive strategy as attackers speed up their timelines.”
“The same defenses that detect fast attacks will apply to all attacks, regardless of speed. This includes complete telemetry, robust protections across everything and ubiquitous monitoring,” said Shier. “The key is increasing friction whenever possible—if you make the attackers’ job harder, then you can add valuable time to respond, stretching out each stage of an attack.”
The Sophos Active Adversary Report for Security Practitioners is based on 232 Sophos Incident Response (IR) cases across 25 sectors from January 1, 2022, to June 30, 2023. Targeted organizations were located in 34 different countries across six continents. The firm said 83 percent of cases came from organizations with fewer than a thousand employees.