Cyber attackers are spending longer inside business systems after breaking into them. According to a new report from cyber security firm Sophos, threat actors spent a median of 15 days inside victim networks last year, an increase of over 36% on the previous year.
This measure is called dwell time: the length of time between the assumed initial intrusion and its detection. The usual assumption is that the shorter the dwell time, the less damage an attacker can do, hence its importance.
Sophos said the mass exploitation of the ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange Server, and the emergence of initial access brokers (IABs), appear to have driven a substantial increase in median dwell times.
According to the firm, dwell time was longer in smaller organisations: 51 days in SMEs with up to 250 employees, versus 20 days in organisations with 3,000 to 5,000 employees.
“Attackers consider larger organisations to be more valuable, so they are more motivated to get in, get what they want and get out. Smaller organisations have less perceived ‘value,’ so attackers can afford to lurk around the network in the background for a longer period,” said John Shier, senior security advisor at Sophos.
“It’s also possible these attackers were less experienced and needed more time to figure out what to do once they were inside the network. At the same time, smaller organisations typically have less visibility along the attack chain to detect and eject attackers, prolonging their presence,” he said.
In many cases, multiple adversaries, including ransomware actors, IABs, crypto-miners and others, targeted the same organisations simultaneously, said Shier, adding that “If it’s crowded within a network, attackers will want to move fast to beat out their competition.”
The data differs somewhat from separate research by cybersecurity firm Mandiant, released in April. That report found dwell time decreased globally by nearly 13% over the same period, to 21 days. However, it also noted that multifaceted extortion and ransomware attackers are constantly adopting new techniques and procedures, including the targeting of virtualisation.
Advanced detection and response appear to be lacking in many organisations. Although Sophos saw a decline in the exploitation of remote desktop protocol (RDP) for initial access, from 32% in 2020 to 13% last year, its use in lateral movement increased from 69% to 82% over the period.
Other commonly detected tools and techniques were PowerShell combined with malicious non-PowerShell scripts (64% of cases), PowerShell with Cobalt Strike (56%), and PowerShell with PsExec (51%), the study said.
Sophos said that detecting the presence of such correlations could help firms spot the early warning signs of a breach.
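To make the "correlation" idea concrete, here is an added example (not code from Sophos or from the article) that scans a few constructed telemetry lines for the tool pairings the report lists, and then estimates dwell time for each flagged host from its earliest event to a given detection time. The line format (`timestamp host tool`), the 24-hour pairing window and the use of `wscript` as a stand-in for "malicious non-PowerShell scripts" are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, one event per line: ISO timestamp, host, tool name.
# Assumed format; a real EDR or SIEM feed would carry far more fields.
SAMPLE_EVENTS = [
    "2021-11-03T09:12:00 host-a powershell",
    "2021-11-03T09:15:30 host-a psexec",       # PowerShell + PsExec within minutes
    "2021-11-03T09:40:00 host-b rdp",
    "2021-11-04T10:00:00 host-b powershell",   # RDP then PowerShell: not a listed pairing
    "2021-11-05T08:00:00 host-c powershell",
    "2021-11-06T09:00:00 host-c cobaltstrike", # 25 hours apart: outside the 24h window
    "2021-11-03T11:00:00 host-d wscript",
    "2021-11-03T11:05:00 host-d powershell",   # script engine + PowerShell
]

# Tool pairings the Sophos report says commonly appear together.
# "wscript" stands in for "malicious non-PowerShell scripts" (assumption).
SUSPICIOUS_PAIRS = {
    frozenset({"powershell", "psexec"}),
    frozenset({"powershell", "cobaltstrike"}),
    frozenset({"powershell", "wscript"}),
}


def parse_events(lines):
    """Parse the assumed 'timestamp host tool' format into sorted (datetime, host, tool) tuples."""
    events = []
    for line in lines:
        ts, host, tool = line.split()
        events.append((datetime.fromisoformat(ts), host, tool.lower()))
    return sorted(events)


def find_correlations(lines, window=timedelta(hours=24)):
    """Return {host: {pair, ...}} for hosts where both tools of a suspicious pair fire within `window`."""
    by_host = defaultdict(list)
    for ts, host, tool in parse_events(lines):
        by_host[host].append((ts, tool))

    hits = defaultdict(set)
    for host, evs in by_host.items():
        for i, (t1, tool1) in enumerate(evs):
            for t2, tool2 in evs[i + 1:]:
                if t2 - t1 > window:
                    break  # events are time-ordered, so later ones are further away
                pair = frozenset({tool1, tool2})
                if pair in SUSPICIOUS_PAIRS:
                    hits[host].add(pair)
    return dict(hits)


def estimate_dwell_days(lines, detected_at_iso):
    """Whole days between the earliest telemetry on each flagged host and the detection time."""
    detected_at = datetime.fromisoformat(detected_at_iso)
    flagged = find_correlations(lines)
    earliest = {}
    for ts, host, _ in parse_events(lines):
        if host in flagged and host not in earliest:
            earliest[host] = ts
    return {host: (detected_at - ts).days for host, ts in earliest.items()}


if __name__ == "__main__":
    for host, pairs in find_correlations(SAMPLE_EVENTS).items():
        print(host, [" + ".join(sorted(p)) for p in pairs])
    print(estimate_dwell_days(SAMPLE_EVENTS, "2021-11-18T09:12:00"))
```

The window and the pair list are the two knobs a defender would tune: a tighter window reduces noise from unrelated admin activity, while extending the pair list (for example adding RDP followed by PsExec, given the report's lateral-movement figures) widens coverage. The dwell estimate is only as good as the earliest event you still retain, which is the practical argument for longer log retention.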