While traditional cyber attackers may give up their attempts to break into a website or application after a few tries — the cyber equivalent of rattling a lock or pushing on a few windows — active adversaries keep on pushing.
Whether they are motivated by financial gain, hired to breach a particular target, or driven by an activist's cause, active adversaries keep on trying. They're skilled. They're persistent. And they're more hands-on in their attacks.
Rather than simply rely on automated toolsets to get into a target, active adversaries dig in and do the work by hand. They see a potential victim's website, network, or specific application as a safe to crack, and they know that with the right set of tools, ingenuity, and patience they can get into almost anywhere. That is in stark contrast to traditional cyber attackers, who do not adapt their strategies to the security defenses they encounter and instead rely on the few automated toolsets they know well.
Consider the findings from the Sophos X-Ops Active Adversary Report for Tech Leaders 2023, which identified a number of interesting trends. First, active adversaries are using compromised credentials as their primary point of entry, which accounted for 50% of the incidents studied in the first half of 2023. Using credentials as part of an attack, even as the primary attack vector, is nothing new, but the research found that this is a shift from previous years, when vulnerability exploitation was the top method. Sophos X-Ops also found that attacks are accelerating: the time from an attack's start to its detection, a period known as dwell time, fell 20%, from 10 days in 2022 to 8 days during the first half of 2023.
What we’ve learned about active adversaries in 2023:
They target weak authentication: Compromised credentials have become the primary method for attackers, surpassing the exploitation of vulnerabilities for the first time, accounting for 50% of root causes in the first half of 2023. Also, the lack of multi-factor authentication continues to be a significant issue, with 39% of investigated cases in 2023 not having MFA configured.
Attacks are accelerating: Median dwell time continued to decline, from 10 days in 2022 to 8 days in the first half of 2023, indicating both that attackers are acting faster and that detection capabilities are improving.
Active Directory servers targeted: Attackers are targeting Active Directory servers due to their central role in network identity and policy control. The median time for attackers to reach Active Directory was approximately 16 hours. That's good and bad news. The bad news is that this is relatively swift lateral movement. The good news is that it is enough time for internal monitoring to identify the behavior and take mitigating action.
Remote Desktop Protocol (RDP) targeted: RDP was involved in 95% of attacks, with a significant increase in its use for internal access and lateral movement.
The problem with not patching: Poor patch management practices are toxic to security programs. Unpatched vulnerabilities continue to be exploited. The report highlights cases where patches were available long before attacks occurred.
The popularity of data theft: Data exfiltration was detected in 43.42% of cases, underscoring the importance of better log retention and protection.
It’s not all about ransomware attacks: Ransomware attacks do remain the most prevalent, with non-specific network breaches and data extortion also being significant.
The most active of active adversaries are well-known: The report lists the most active ransomware groups, with LockBit, BlackCat, and Royal among the top.
Tools, LOLBins, TTPs: Netscan overtook Cobalt Strike as the most abused tool, and PowerShell and cmd.exe remained the most frequently observed LOLBins.
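The Active Directory, RDP and timing findings above point at one concrete detection opportunity: an account RDP-ing from one source to several internal hosts in a short window, especially outside business hours and ending at a domain controller. The following Python is an added example written for this post, not code from the Sophos report or from Sophos; it runs a simple fan-out detector over constructed Windows Security log records. It assumes records carry the Event ID 4624 fields (LogonType 10 is RemoteInteractive, i.e. RDP), that domain controllers are named with a `DC` prefix, and picks a 60-minute window, a threshold of three distinct targets and a 07:00 to 18:59 business-hours range; all of those are assumptions to tune for your own environment, and the sample events are constructed.

```python
"""RDP lateral-movement fan-out detector (added example, not the report's code).

Each record mirrors a few fields of a Windows Security Event ID 4624
(successful logon): target computer, account, source IP and LogonType.
LogonType 10 (RemoteInteractive) is an RDP session.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10
WINDOW = timedelta(minutes=60)      # assumption: how long a burst may last
FANOUT_THRESHOLD = 3                # assumption: distinct hosts before alerting
BUSINESS_HOURS = range(7, 19)       # assumption: 07:00-18:59 local time
DC_PREFIX = "DC"                    # assumption: naming convention for domain controllers

# Constructed sample events (not real telemetry). One account hops across
# four hosts late at night and lands on a domain controller; a helpdesk
# account makes two normal daytime RDP logons; a service account uses a
# network logon (type 3), which is not RDP and must be ignored.
SAMPLE_EVENTS = [
    {"time": "2023-06-14T22:05:11", "computer": "FILESRV01", "user": "jsmith", "src_ip": "10.0.4.21", "logon_type": 10},
    {"time": "2023-06-14T22:09:40", "computer": "HR-PC07", "user": "jsmith", "src_ip": "10.0.4.21", "logon_type": 10},
    {"time": "2023-06-14T22:12:03", "computer": "SQL02", "user": "jsmith", "src_ip": "10.0.4.21", "logon_type": 10},
    {"time": "2023-06-14T22:18:55", "computer": "DC01", "user": "jsmith", "src_ip": "10.0.4.21", "logon_type": 10},
    {"time": "2023-06-14T09:30:00", "computer": "WKS-ADMIN", "user": "helpdesk", "src_ip": "10.0.9.5", "logon_type": 10},
    {"time": "2023-06-14T14:02:00", "computer": "WKS-USER1", "user": "helpdesk", "src_ip": "10.0.9.5", "logon_type": 10},
    {"time": "2023-06-14T22:10:00", "computer": "DC01", "user": "svc_backup", "src_ip": "10.0.1.50", "logon_type": 3},
]


def find_rdp_fanout(events, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Return one alert per (source IP, account) that reaches `threshold`
    distinct hosts over RDP within any `window`-long span."""
    # Group RDP logons by the actor (source IP + account) that made them.
    by_actor = defaultdict(list)
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue
        key = (e["src_ip"], e["user"])
        by_actor[key].append((datetime.fromisoformat(e["time"]), e["computer"]))

    alerts = []
    for (src_ip, user), logons in by_actor.items():
        logons.sort()  # chronological order
        # Slide a window anchored at each logon and count distinct targets in it.
        for i, (t0, _) in enumerate(logons):
            targets = {host for t, host in logons[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                alerts.append({
                    "src_ip": src_ip,
                    "user": user,
                    "first_seen": t0,
                    "targets": sorted(targets),
                    # Reaching a DC is the outcome the report's 16-hour figure describes.
                    "hit_dc": any(h.startswith(DC_PREFIX) for h in targets),
                    # Off-hours activity matches the report's timing finding.
                    "off_hours": t0.hour not in BUSINESS_HOURS,
                })
                break  # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for a in find_rdp_fanout(SAMPLE_EVENTS):
        severity = "high" if (a["hit_dc"] or a["off_hours"]) else "medium"
        print(f"[{severity}] {a['user']}@{a['src_ip']} RDP to {len(a['targets'])} hosts "
              f"from {a['first_seen']:%H:%M}: {', '.join(a['targets'])}")
```

The detector deliberately keys on source IP plus account rather than account alone, so a shared helpdesk account used from several desks does not trip it; the cost is that an attacker who changes source hosts between hops is scored per hop, which is why a real deployment would also correlate the chain of target-becomes-source logons.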
The report held other interesting findings, especially around the common timings of attacks. For instance, the report revealed that 61% of attacks are clustered in the middle of the work week, with ransomware attacks showing a noticeable spike on Fridays and nearly half (43%) launched on either Friday or Saturday. In fact, most ransomware payloads (81%) are deployed outside of traditional business hours, with a strong preference for late hours at the end of the week.
The findings can certainly help enterprises better understand the threats they face and the nuances of the current threat landscape. The findings can also be used to inform enterprise cybersecurity strategies. And that’s what we will tackle in our next post: how enterprises can establish an active defense that fends off active adversaries.