Active Adversary Playbook 2021

Issue 3 2021, Cyber Security

Sophos has released its Active Adversary Playbook 2021, detailing cyber-attacker behaviours and the tools, techniques and procedures (TTP) that Sophos’ frontline threat hunters and incident responders saw in the wild in 2020. The TTP detection data also covers early 2021.

The findings show that the median attacker dwell time before detection was 11 days – or 264 hours – with the longest undetected intrusion lasting 15 months. Ransomware featured in 81% of incidents and 69% of attacks involved the use of the remote desktop protocol (RDP) for lateral movement inside the network.

The playbook is based on Sophos telemetry as well as 81 incident investigations and insight from the Sophos Managed Threat Response (MTR) team of threat hunters and analysts and the Sophos Rapid Response team of incident responders. The aim is to help security teams understand what adversaries do during attacks and how to spot and defend against malicious activity on their network.

Key findings in the playbook

- The median attacker dwell time before detection was 11 days. To put this in context, 11 days potentially provide attackers with 264 hours for malicious activity, such as lateral movement, reconnaissance, credential dumping, data exfiltration and more. Considering that some of these activities can take just minutes or a few hours to implement – often taking place at night or outside standard working hours – 11 days offers attackers plenty of time to cause damage in an organisation’s network. It is also worth noting that ransomware attacks tend to have a shorter dwell time than ‘stealth’ attacks, because they are all about destruction.

- 90% of attacks seen involved the use of the Remote Desktop Protocol (RDP), and in 69% of all cases attackers used RDP for internal lateral movement. Security measures for RDP, such as VPNs and multi-factor authentication, tend to focus on protecting external access; however, these do not help once the attacker is already inside the network. The use of RDP for internal lateral movement is increasingly common in active, hands-on-keyboard attacks such as those involving ransomware.

- Ransomware was involved in 81% of the attacks Sophos investigated. The release of ransomware is often the point at which an attack becomes visible to an IT security team. It is, therefore, not surprising that the vast majority of the incidents Sophos responded to involved ransomware. Other attack types Sophos investigated included exfiltration only, cryptominers, banking trojans, wipers, droppers, pen test/attack tools and more.
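The internal RDP lateral movement described above is exactly what perimeter VPN and MFA controls do not see, so it has to be found in host telemetry. The following is an added example, not code from Sophos or the playbook: it scans a constructed sample of Windows Security 4624 (successful logon) records for logon type 10 (RemoteInteractive, i.e. RDP) from internal addresses and reports sources that fan out to several machines or log on outside business hours, the night-time activity the findings mention. The record field names, internal address ranges and business hours are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumed corporate address space; anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
WORK_START, WORK_END = 7, 19  # assumed local business hours (07:00-19:00)

# Constructed sample of Windows Security 4624 events; field names are assumptions.
# logon_type 10 = RemoteInteractive (RDP); logon_type 3 = network (e.g. file share).
SAMPLE_EVENTS = [
    {"time": "2021-03-02T02:14:00", "event_id": 4624, "logon_type": 10,
     "user": "svc_backup", "src_ip": "10.0.5.23", "dst_host": "FS01"},
    {"time": "2021-03-02T02:20:00", "event_id": 4624, "logon_type": 10,
     "user": "svc_backup", "src_ip": "10.0.5.23", "dst_host": "DC01"},
    {"time": "2021-03-02T02:31:00", "event_id": 4624, "logon_type": 10,
     "user": "svc_backup", "src_ip": "10.0.5.23", "dst_host": "SQL01"},
    {"time": "2021-03-02T10:05:00", "event_id": 4624, "logon_type": 10,
     "user": "admin.jane", "src_ip": "10.0.7.8", "dst_host": "JUMP01"},
    {"time": "2021-03-02T11:00:00", "event_id": 4624, "logon_type": 10,
     "user": "admin.jane", "src_ip": "198.51.100.9", "dst_host": "GW01"},
    {"time": "2021-03-02T02:25:00", "event_id": 4624, "logon_type": 3,
     "user": "svc_backup", "src_ip": "10.0.5.23", "dst_host": "FS02"},
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def internal_rdp_logons(events):
    """RDP logons (4624, type 10) whose source is inside the network: the case perimeter VPN/MFA never see."""
    return [e for e in events
            if e["event_id"] == 4624 and e["logon_type"] == 10 and is_internal(e["src_ip"])]

def lateral_movement_report(events, min_hosts=3):
    """Report internal sources that reach min_hosts or more distinct RDP targets,
    or that log on over RDP outside business hours; includes the accounts used."""
    by_src = defaultdict(lambda: {"hosts": set(), "users": set(), "off_hours": 0})
    for e in internal_rdp_logons(events):
        s = by_src[e["src_ip"]]
        s["hosts"].add(e["dst_host"])
        s["users"].add(e["user"])
        if not WORK_START <= datetime.fromisoformat(e["time"]).hour < WORK_END:
            s["off_hours"] += 1
    return {src: {"hosts": sorted(v["hosts"]), "users": sorted(v["users"]),
                  "off_hours": v["off_hours"]}
            for src, v in by_src.items()
            if len(v["hosts"]) >= min_hosts or v["off_hours"] > 0}
```

On the sample, only 10.0.5.23 is reported (three hosts reached by one account at around 02:00), while the daytime single-host admin logon and the external logon are left alone.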

“The threat landscape is becoming more crowded and complex, with attacks launched by adversaries with a wide range of skills and resources, from script kiddies to nation-state backed threat groups. This can make life challenging for defenders,” said John Shier, senior security advisor at Sophos. “Over the last year, our incident responders helped to neutralise attacks launched by more than 37 attack groups, using more than 400 different tools between them. Many of these tools are also used by IT administrators and security professionals for their everyday tasks, and spotting the difference between benign and malicious activity isn’t always easy.”

Find out more at https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/



