Active Adversary Playbook 2021

Issue 3 2021 Cyber Security

Sophos has released its Active Adversary Playbook 2021, detailing cyber-attacker behaviours and the tools, techniques and procedures (TTP) that Sophos’ frontline threat hunters and incident responders saw in the wild in 2020. The TTP detection data also covers early 2021.

The findings show that the median attacker dwell time before detection was 11 days – or 264 hours – with the longest undetected intrusion lasting 15 months. Ransomware featured in 81% of incidents and 69% of attacks involved the use of the remote desktop protocol (RDP) for lateral movement inside the network.

The playbook is based on Sophos telemetry as well as 81 incident investigations and insight from the Sophos Managed Threat Response (MTR) team of threat hunters and analysts and the Sophos Rapid Response team of incident responders. The aim is to help security teams understand what adversaries do during attacks and how to spot and defend against malicious activity on their network.

Key findings in the playbook

- The median attacker dwell time before detection was 11 days. To put this in context, 11 days potentially provide attackers with 264 hours for malicious activity, such as lateral movement, reconnaissance, credential dumping, data exfiltration and more. Considering that some of these activities can take just minutes or a few hours to implement – often taking place at night or outside standard working hours – 11 days offers attackers plenty of time to cause damage in an organisation’s network. It is also worth noting that ransomware attacks tend to have a shorter dwell time than ‘stealth’ attacks, because they are all about destruction.

- 90% of attacks seen involved the use of the Remote Desktop Protocol (RDP) – and in 69% of all cases, attackers used RDP for internal lateral movement. Security measures for RDP, such as VPNs and multi-factor authentication tend to focus on protecting external access, however these don’t work if the attacker is already inside the network. The use of RDP for internal lateral movement is increasingly common in active, hands-on-keyboard attacks such as those involving ransomware.

- Ransomware was involved in 81% of the attacks Sophos investigated. The release of ransomware is often the point at which an attack becomes visible to an IT security team. It is, therefore, not surprising that the vast majority of the incidents Sophos responded to involved ransomware. Other attack types Sophos investigated included exfiltration only, cryptominers, banking trojans, wipers, droppers, pen test/attack tools and more.

“The threat landscape is becoming more crowded and complex, with attacks launched by adversaries with a wide range of skills and resources, from script kiddies to nation-state backed threat groups. This can make life challenging for defenders,” said John Shier, senior security advisor at Sophos. “Over the last year, our incident responders helped to neutralise attacks launched by more than 37 attack groups, using more than 400 different tools between them. Many of these tools are also used by IT administrators and security professionals for their everyday tasks and spotting the difference between benign and malicious activity isn’t always easy.

Find out more at https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Dahua’s cybersecurity approach
CCTV Handbook 2021, Dahua Technology South Africa , Cyber Security
The world is getting smarter and everything is going to have an online ID and then connect into a vast network of IoT devices, like a laptop computer, a mobile phone, a connected thermostat and more.

Read more...
Dahua Technology’s cybersecurity approach
Issue 3 2021, Dahua Technology South Africa , CCTV, Surveillance & Remote Monitoring, Cyber Security
With a mindset that emphasises cybersecurity and all the resources it can allocate to establish, carry out and strengthen its cybersecurity approach, Dahua plans to stay positive, open, responsible and constantly improving its cybersecurity.

Read more...
SASE-enriched threat protection
Issue 3 2021 , Cyber Security
MVISION XDR automates security investigation and response processes with actionable threat insights harnessed from deeply integrated cloud data sources, with the ability to proactively stop targeted attacks.

Read more...
Passwords are 60, time for them to go
Issue 3 2021 , Access Control & Identity Management, Cyber Security
It has been 60 years since passwords were first used at MIT and if the number of breaches in the news are anything to go by, we are no more adept at managing our passwords than we were in 1961.

Read more...
Top 10 security misperceptions
Issue 3 2021 , Cyber Security, Security Services & Risk Management
The Sophos Rapid Response team has compiled a list of the most commonly held security misperceptions they’ve encountered in the last 12 months while neutralising and investigating cyberattacks in a wide range of organisations.

Read more...
Surveillance business models are changing
CCTV Handbook 2021, Technews Publishing, Eagle Eye Networks, Bosch Building Technologies, Dahua Technology South Africa, Genetec , Editor's Choice, CCTV, Surveillance & Remote Monitoring, Cyber Security, Integrated Solutions, IT infrastructure
The CCTV Handbook round table highlighted the changes that are happening in the surveillance and security world in general, from cloud to costing models and of course, cybersecurity.

Read more...
Building walls is not enough
Issue 3 2021, Vox , Cyber Security
Cybersecurity: businesses are still building walls to defend against nuclear attacks.

Read more...
VMware releases 2021 Global Security Insights Report
Issue 3 2021 , Cyber Security
VMware releases 2021 Global Security Insights Report detailing the surge in cyberattacks targeting the ‘anywhere’ workforce, highlighting opportunity for security leaders to rethink and transform cybersecurity strategies.

Read more...
Awareness training is key to e-mail security
Issue 3 2021 , Cyber Security
Awareness training should be actively deployed to complement organisations’ efforts to secure their e-mail systems, because hackers are increasingly targeting people as security technologies become more effective.

Read more...
Mobile authentication is key to negating cybercrime in East Africa
Issue 3 2021 , Cyber Security
The rapid pace of digital transformation in East Africa has had a significant impact on not only how people live their lives, but also on how communication and commerce are conducted.

Read more...