Cybercriminals Disabled Or Wiped Out Telemetry Logs In 82% Of Attacks: Sophos

38% of fast ransomware attacks occurred within five days of initial access.

(Source: Freepik)

Cybersecurity company Sophos has released its Active Adversary Report for Security Practitioners, which found that telemetry logs were missing in nearly 42% of attack cases studied. In 82% of these cases, cybercriminals disabled or wiped out the telemetry to hide their tracks.

The report was based on 232 Sophos incident response cases, across 25 sectors, with targeted organisations located in 34 countries across six continents.

Gaps in telemetry decrease visibility into organisations’ networks and systems, especially since attacker dwell time, which is the time from initial access to detection, continues to decline, the report showed. This consequently shortens the time cyber defenders have to effectively respond to an incident.

“The time between spotting the initial access event and full threat mitigation should be as short as possible. The farther along in the attack chain an attacker makes it, the bigger the headache for responders,” said John Shier, field chief technology officer, Sophos.

“Missing telemetry only adds time to remediations that most organisations can’t afford. This is why complete and accurate logging is essential, but we’re seeing that, all too frequently, organisations don’t have the data they need,” Shier said.
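The two signals described above, endpoints that stop reporting and attackers clearing logs, are things a monitoring team can check for directly. The following is an added example, not code from the Sophos report or this article: it parses a constructed heartbeat-and-audit feed in a made-up line format, flags hosts that go silent for longer than a threshold, and flags Windows log-cleared events (Security event 1102 and System event 104 are real event IDs); the line format, hosts, timestamps and 10-minute threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample feed (not real data): heartbeats every 5 minutes per host,
# then a log-cleared event on ws02 followed by 35 minutes of silence from it.
SAMPLE_LOG = """\
2024-03-01T10:00:00 host=ws01 type=heartbeat
2024-03-01T10:00:00 host=ws02 type=heartbeat
2024-03-01T10:05:00 host=ws01 type=heartbeat
2024-03-01T10:05:00 host=ws02 type=heartbeat
2024-03-01T10:06:12 host=ws02 type=audit event_id=1102
2024-03-01T10:10:00 host=ws01 type=heartbeat
2024-03-01T10:15:00 host=ws01 type=heartbeat
2024-03-01T10:40:00 host=ws02 type=heartbeat
"""

LINE_RE = re.compile(r"^(\S+)\s+host=(\S+)\s+type=(\S+)(?:\s+event_id=(\d+))?")
# Real Windows event IDs: 1102 = Security log cleared, 104 = System log cleared.
LOG_CLEARED_IDS = {"1102", "104"}

def parse_log(text):
    """Parse feed lines into dicts sorted by time; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, kind, eid = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "type": kind, "event_id": eid})
    return sorted(events, key=lambda e: e["ts"])

def find_telemetry_gaps(events, max_gap=timedelta(minutes=10)):
    """Return {host: [(silence_start, silence_end), ...]} for gaps over max_gap."""
    last_seen, gaps = {}, {}
    for e in events:
        if e["type"] != "heartbeat":
            continue
        prev = last_seen.get(e["host"])
        if prev is not None and e["ts"] - prev > max_gap:
            gaps.setdefault(e["host"], []).append((prev, e["ts"]))
        last_seen[e["host"]] = e["ts"]
    return gaps

def find_log_clears(events):
    """Return [(ts, host)] for audit events that indicate a log was cleared."""
    return [(e["ts"], e["host"]) for e in events
            if e["type"] == "audit" and e["event_id"] in LOG_CLEARED_IDS]

def hosts_needing_review(text):
    """Hosts showing either missing-telemetry signal, for responders to triage first."""
    events = parse_log(text)
    return sorted(set(find_telemetry_gaps(events)) | {h for _, h in find_log_clears(events)})
```

A host that appears in both lists, as ws02 does here, is the pattern the report describes: the log is wiped and then the endpoint goes quiet.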

Dwell Time Doesn’t Affect Defensive Strategies

In the report, Sophos classified ransomware attacks with a dwell time of less than or equal to five days as “fast attacks,” which accounted for 38% of the cases studied. “Slow” ransomware attacks are those with a dwell time greater than five days, which accounted for 62% of the cases.

When examining “fast” and “slow” ransomware attacks, the report didn’t find much variation in the tools, techniques and living-off-the-land binaries that attackers deployed. This suggests that defenders don’t need to reinvent their defensive strategies as dwell time shrinks. However, defenders need to be aware that fast attacks and lack of telemetry can hinder fast response times, leading to more destruction.

“The same defences that detect fast attacks will apply to all attacks, regardless of speed. This includes complete telemetry, robust protections across everything and ubiquitous monitoring. If you make the attackers’ job harder, then you can add valuable time to respond, stretching out each stage of an attack,” said Shier.

Steep Decline In Ransomware Dwell Time

The report noted a 44% year-on-year and 72% all-time drop in dwell time for ransomware attacks. The dwell time of ransomware attacks decreased to a median of five days. This indicated that not only do ransomware attackers know that detection capabilities have improved, necessitating quicker attacks, but many are well-practised.

Ransomware operators and affiliates were adopting the well-developed playbooks of notorious cybercrime groups, the report suggested. While ransomware operators have become proficient through practice, many defensive strategies haven’t kept pace.

Increase Friction Wherever Possible

To turn attackers’ own behaviour against them, cyber defenders must increase friction wherever possible, the report noted. If systems are well maintained, attackers have to do more to subvert them, which takes time and increases the detection window.

Robust layered defences, including ubiquitous, sturdy protections and monitoring, provide friction, which increases the skill level the attacker needs to crack defences, and many may move on to easier targets.

“In the case of a ransomware attack, if you have more friction, then you can delay the time until exfiltration; exfiltration often occurs just before detection and is often the costliest part of the attack,” said Shier.

The report also suggested that organisations must protect all assets, which not only provides a chance at prevention, but also comes with telemetry. Defenders must be ready to investigate incidents, and have response plans in place for the types of attacks most likely to affect their enterprise.