Ransomware attacks are getting faster: How to adjust incident response plans accordingly

A recent analysis by Sophos X-Ops Threat Research found that the dwell time for ransomware attacks is now down to five days.

John Shier, field CTO at Sophos, believes organizations are in some ways victims of their own success.

"As the adoption of technologies like XDR and services such as MDR grows, so does our ability to detect attacks sooner,” Shier said. “Lowering detection times leads to a faster response, translating to a shorter operating window for attackers. At the same time, criminals have been honing their playbooks, especially the experienced and well-resourced ransomware affiliates, who continue to speed up their attacks in the face of improved defenses."

That enterprises are detecting attacks earlier is excellent news, and attackers adjusting their tactics in response is to be expected; criminals have adapted to defenses throughout history. Recent indications also show that organizations are more willing to pay ransoms, which increases the motivation for these attacks.

Shier noted that shorter ransomware detection times don't mean everyone is more secure: dwell times for non-ransomware intrusions have not fallen and remain where they were.

"Attackers are still getting into our networks, and when time isn't pressing, they tend to linger. But all the tools in the world won't save you if you're not watching,” Shier said. “It takes the right tools and continuous, proactive monitoring to ensure that criminals have a worse day than you do. This is where MDR (Managed Detection and Response) can close the gap between attackers and defenders because even when you're not watching, we are."

MDR services can most certainly help organizations improve their detection and response capabilities.

Ransomware attackers are also evolving. There has been a significant increase in ransomware-as-a-service in recent years, which makes it possible for nearly anyone to get involved in this criminal activity. Also, the techniques associated with ransomware attacks are growing more clandestine, such as using DNS tunneling to reduce their chances of being detected.
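One way to hunt for the DNS-tunneling technique mentioned above, as an added example that is not part of the original article or of any Sophos product: score each registered domain by how many distinct subdomain labels it receives, how long and how random-looking those labels are, and how often record types that carry large payloads (TXT, NULL, CNAME, MX) are requested. The log format, thresholds and sample lines below are constructed for illustration, and the "registered domain equals the last two labels" rule is a simplification that a real deployment would replace with a Public Suffix List lookup.

```python
"""Flag DNS tunneling candidates in a DNS query log (added example, not from the article)."""
import math
from collections import defaultdict

# Constructed sample log (not real traffic): "<timestamp> <client> <qtype> <qname>".
# Queries to example.net carry long random-looking labels over TXT; the rest look ordinary.
SAMPLE_LOG = """\
2023-06-14T02:11:03Z 10.0.4.17 A www.example.com
2023-06-14T02:11:04Z 10.0.4.17 A cdn.example.com
2023-06-14T02:11:05Z 10.0.4.17 TXT 3q2v7xk9fj2m4ndq8p5wz1b0ycth.example.net
2023-06-14T02:11:05Z 10.0.4.17 TXT k8d1hz5vq3ma7pwx0fr2nbj6ytcs.example.net
2023-06-14T02:11:06Z 10.0.4.17 A mail.example.com
2023-06-14T02:11:06Z 10.0.4.17 TXT p9f4m2ca6wq1dzt7vk3nrh0xb5jy.example.net
2023-06-14T02:11:07Z 10.0.4.17 TXT m5w8yq2r0tb3nz7kv6jd4hx1pfca.example.net
2023-06-14T02:11:07Z 10.0.4.17 A updates.example.org
2023-06-14T02:11:08Z 10.0.4.17 TXT z0t6nhk3bw9cq2ym7rf5vd1xap8j.example.net
2023-06-14T02:11:08Z 10.0.4.17 A www.example.com
2023-06-14T02:11:09Z 10.0.4.17 TXT h7r3kd9wm2pz5tv0qc8fx4jnb1ya.example.net
2023-06-14T02:11:09Z 10.0.4.17 A api.example.com
2023-06-14T02:11:10Z 10.0.4.17 A updates.example.org
"""

# Thresholds are illustrative assumptions; tune them against a baseline of your own traffic.
MIN_UNIQUE_SUBDOMAINS = 5     # a tunnel needs many distinct labels to move data
MIN_AVG_SUBDOMAIN_LEN = 20    # encoded payload chunks produce long labels
MIN_ENTROPY_BITS = 3.5        # encoded data has high per-character entropy
TUNNEL_QTYPES = {"TXT", "NULL", "CNAME", "MX"}   # record types with roomy responses
MIN_TUNNEL_QTYPE_RATIO = 0.5


def shannon_entropy(text):
    """Shannon entropy in bits per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (registered_domain, subdomain) for a query name.

    Assumption: the registered domain is the last two labels. Production code should
    consult the Public Suffix List so that names under e.g. 'co.uk' are split correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def analyze(log_text):
    """Aggregate per-registered-domain statistics from the log lines."""
    subs = defaultdict(set)
    qtype_total = defaultdict(int)
    qtype_tunnel = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing on them
        _ts, _client, qtype, qname = parts
        domain, sub = split_qname(qname)
        if sub:
            subs[domain].add(sub)
        qtype_total[domain] += 1
        if qtype.upper() in TUNNEL_QTYPES:
            qtype_tunnel[domain] += 1
    stats = {}
    for domain, total in qtype_total.items():
        unique = subs[domain]
        chars = "".join(unique).replace(".", "")  # entropy over the distinct labels only
        stats[domain] = {
            "unique_subdomains": len(unique),
            "avg_subdomain_len": (sum(len(s) for s in unique) / len(unique)) if unique else 0.0,
            "entropy": shannon_entropy(chars),
            "tunnel_qtype_ratio": qtype_tunnel[domain] / total,
        }
    return stats


def suspicious_domains(log_text):
    """Return the sorted registered domains whose query pattern looks like tunneling."""
    flagged = []
    for domain, s in analyze(log_text).items():
        if s["unique_subdomains"] < MIN_UNIQUE_SUBDOMAINS:
            continue  # too few distinct labels to be carrying data
        random_labels = (s["avg_subdomain_len"] >= MIN_AVG_SUBDOMAIN_LEN
                         and s["entropy"] >= MIN_ENTROPY_BITS)
        heavy_qtypes = s["tunnel_qtype_ratio"] >= MIN_TUNNEL_QTYPE_RATIO
        if random_labels or heavy_qtypes:
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    for domain, s in analyze(SAMPLE_LOG).items():
        print(domain, s)
    print("suspicious:", suspicious_domains(SAMPLE_LOG))
```

Run against the constructed sample, only example.net is flagged: six distinct 28-character labels, all requested as TXT. Content delivery networks and some mail-security products also generate long, high-entropy labels, so in practice the flagged list is a hunting lead to enrich with client identity, query volume and time of day, not an automatic block.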

At its best, MDR unifies security technology and human expertise to perform threat hunting, anomaly monitoring, and incident response. MDR services are delivered remotely, usually on a predefined technology stack that commonly covers endpoint, network, logs, and cloud. Organizations are turning to MDR services in large numbers: according to the research firm Market and Markets, the MDR market is expected to grow from $3.3 billion in 2023 to $9.5 billion by 2028, a growth rate of just over 23% annually.

MDR is especially valuable to organizations that lack the resources to build and manage these capabilities in-house: it lets them have ransomware attacks identified while in progress and, ideally, shut down. Of course, simply handing things over to a provider isn't enough to make an organization secure.

To get the most out of the MDR relationship, organizations have to hold up their end of the defense. This includes having someone responsible for managing the relationship with the MDR provider and acting as the coordinator between the provider and the organization's own security and technology teams.

The organization must also have a plan for how it will work with the MDR provider when incidents occur, and that plan will differ by scenario: a ransomware attack, a data breach, or another type of incident such as a denial-of-service attack. Organizations need plans for each of these scenarios and should exercise them, so that when something does occur they are prepared.

The timing of attacks matters for those plans. In 81% of ransomware attacks, the final payload was executed outside regular working hours, and the number of attacks detected rose over the course of the week: 43% of all attacks detected occurred on a Friday or Saturday.

The ransomware research comes from the Sophos Active Adversary Report for Business Leaders, based on international Sophos Incident Response investigations across 25 sectors through June 2023. The organizations studied hailed from 33 nations, and 88% of the incidents evaluated came from organizations with fewer than 1,000 employees.

George V. Hulme

An award-winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is security blogger at InformationWeek.com. From
