Cyberattacks are becoming more complex and more frequent, and businesses are struggling to keep up. Cybercriminals waste no time in adapting their tactics. Amid rapid technological change, organisations face a growing range of complex threats. They will need to become cyber-savvy enough to understand, detect and prevent these new approaches by applying best practices to secure their IT infrastructure.
A new report by the UK-based security software and hardware company Sophos, which analysed 232 major cyber incidents remediated by Sophos X-Ops incident responders in 2022-23, identifies the current key cybersecurity risks that CISOs should monitor. The report highlights changes in initial entry point and internal activity, as well as shorter dwell time, among the shifts in tactics that hackers are adopting to infiltrate organisation networks. It is based on emergency incidents across 35 nations.
Sophos has found that active adversaries, meaning highly skilled cybercriminals, are refining their approaches to infiltrate organisation systems, evade detection and change their techniques. If one tactic fails, they readily adapt to the next. Awareness of these new cyber threats will help CISOs re-strategise in an increasingly complex threat landscape.
The initial entry point is changing
Sophos research found that 36% of ransomware attacks in the previous year started with exploited vulnerabilities: flaws in unpatched tools or technologies that attackers can exploit to gain unauthorised access to a device or system. In 2022, exploited vulnerabilities were the top root cause of cyber-attacks and were used in 37% of cases. Compromised credentials were the second most common cause, found in 30% of cases.
Compromised credentials are readily available on the dark web and are frequently obtained through historic data breaches and phishing attacks. Sophos' 2024 Threat Report: Cybercrime on Main Street highlighted that over 90% of attacks reported by its customers involve some form of data or credential theft, whether through ransomware attacks, data extortion, unauthorised remote access or simple data theft. In the past year alone, Sophos has seen new social engineering tricks and techniques designed to evade conventional email controls, one example of the increased sophistication of hackers.
The case for 24/7 threat detection
Changes in hacker tactics have emphasised the need for organisations to adopt cybersecurity services that augment their teams and protect their business out of hours. A lack of multi-factor authentication (MFA) on critical systems, such as database servers, shared resources containing sensitive information and web services, has given adversaries a further opportunity to take advantage of compromised credentials. In over one-third (39%) of incidents remediated in H1 2023 by Sophos incident responders, the victim had no MFA in place. This makes a potential breach significantly more damaging, as hackers can access data at a colossal scale, reaching entire databases and resources.
Incident responders also noticed that adversaries attack at times when activity is less likely to be detected: 43% of ransomware attacks were initiated on Fridays or Saturdays in the victim's time zone, giving adversaries time to carry out attacks over weekends, when IT teams are far less likely to be monitoring for threats.
Furthermore, Sophos research found that nine out of ten attacks (91%) began outside typical working hours, showing that adversaries deliberately work at night. Businesses without around-the-clock security monitoring should increase their defences to mitigate risk during out-of-hours periods.
Habits in internal activity are shifting
Over the past two and a half years, adversaries have picked up the pace of their activities once they have successfully infiltrated a network. Ironically, this is a response to stronger defences: hackers have had to speed up attacks in order to succeed before they can be detected. Dwell time, the period adversaries spend inside an enterprise environment, has been shortened as hackers grow more savvy in response to strengthened enterprise security. Shorter dwell times make it increasingly difficult for enterprises to respond to attacks, as most of the damage to the network has already been done by the time the infiltration is detected.
Dwell times also vary with the type of attack. Coin-miners are intended to run for a long time and therefore have a very long dwell time. In data extortion, most attacks fell into the slower attack dataset, according to Sophos research; in these attacks, threat actors tend to stay on networks longer than in cases where data is simply exfiltrated. This is likely because these attacks have no encryption component, allowing hackers to operate more covertly and therefore more slowly. Data infiltration, a variant of data extortion, tends to have a longer dwell time for similar reasons. Attacks via compromised credentials generally progressed more quickly than those starting from exploited vulnerabilities.
Infiltrating the Active Directory servers
Once adversaries get inside an organisation's network, they attempt to move laterally to Active Directory (AD) servers as soon as they can, according to the incident analysis. An AD server is typically the most valuable and powerful asset within a network, as it controls identity and policy across the organisation. Control of it gives hackers the power to access and exploit highly privileged accounts, disable existing accounts or create new ones. It also lets adversaries distribute malware from a trusted source, making the true origin of an attack harder to detect.
Incident responders also found that in almost half of the attacks they remediated, adversaries were able to disable security protection. This figure rose from 24% of cases in 2021 to 43% of cases in H1 2023.
Exploiting tools and protection
Abuse of legitimate IT tools has also risen in prevalence, because it helps attackers avoid triggering security protection technologies. Remote Desktop Protocol (RDP), an interoperable protocol that creates encrypted connections between clients, servers and virtual machines, is the most abused IT tool in both the fast and slow attack categories. In the first half of 2023, RDP played a part in a staggering 95% of attacks, a 7% increase from 2022, when its role was at a previous all-time high of 88% of attacks.
RDP is followed closely by PowerShell, a cross-platform task automation solution. While many believe RDP is chiefly used to gain access to a network, it is more prominently used to advance attacks after attackers have already infiltrated it. This suggests that enterprises that only monitor RDP abuse as an entry point are overlooking its primary use by adversaries.
Another favoured technique is to cover their tracks by simply removing evidence of suspicious activity. According to Sophos' incident responders, in 82% of cases where telemetry logs were missing, cybercriminals had disabled or deleted them.
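The two behaviours described above, out-of-hours RDP activity in the victim's time zone and deletion of telemetry logs, lend themselves to simple detection logic. The following is an added example, not code from Sophos or the report; it assumes a victim at UTC+1 working Mon-Fri 08:00-18:00, uses the standard Windows Security log event IDs 4624 (logon) and 1102 (audit log cleared), and runs over constructed sample events.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone

# Assumptions (not from the report): the victim sits at UTC+1 and works
# Mon-Fri 08:00-18:00. A fixed offset keeps the example runnable offline.
VICTIM_TZ = timezone(timedelta(hours=1))
WORK_START, WORK_END = time(8, 0), time(18, 0)
LOGON_EVENT, LOG_CLEARED_EVENT = 4624, 1102   # Windows Security log event IDs
RDP_LOGON_TYPE = "10"                          # LogonType 10 = RemoteInteractive (RDP)

# Constructed sample telemetry (not real data): '<ISO-8601 UTC> Key=Value ...'
SAMPLE_LOG = """\
2023-06-09T22:15:03Z EventID=4624 LogonType=10 TargetUserName=svc_backup IpAddress=203.0.113.45 Computer=FS01
2023-06-07T10:02:11Z EventID=4624 LogonType=10 TargetUserName=jdoe IpAddress=10.0.4.12 Computer=WS17
2023-06-07T11:30:00Z EventID=4624 LogonType=2 TargetUserName=jdoe IpAddress=- Computer=WS17
2023-06-10T03:41:27Z EventID=1102 SubjectUserName=svc_backup Computer=DC01
"""

@dataclass
class Event:
    ts_utc: datetime
    event_id: int
    fields: dict

def parse_line(line: str) -> Event:
    """Parse one key=value log line; the timestamp is UTC (trailing 'Z')."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    ts_utc = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return Event(ts_utc, int(fields.pop("EventID")), fields)

def is_out_of_hours(ts_utc: datetime) -> bool:
    """Weekend, or outside business hours, judged in the victim's local time."""
    local = ts_utc.astimezone(VICTIM_TZ)
    return local.weekday() >= 5 or not (WORK_START <= local.time() < WORK_END)

def triage(events):
    """Return (rule, account, where) findings for RDP logons out of hours
    and for any clearing of the Security audit log."""
    findings = []
    for ev in events:
        if (ev.event_id == LOGON_EVENT and ev.fields.get("LogonType") == RDP_LOGON_TYPE
                and is_out_of_hours(ev.ts_utc)):
            findings.append(("out_of_hours_rdp", ev.fields["TargetUserName"], ev.fields["IpAddress"]))
        elif ev.event_id == LOG_CLEARED_EVENT:
            findings.append(("audit_log_cleared", ev.fields["SubjectUserName"], ev.fields["Computer"]))
    return findings

def triage_log(text: str):
    """Convenience wrapper: parse a whole log text and triage it."""
    return triage(parse_line(l) for l in text.splitlines() if l.strip())

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(*finding)
```

The Wednesday daytime RDP logon and the local (LogonType 2) logon are left alone; only the Friday-night RDP session and the Saturday log clearing by the same account surface, which is the correlation an analyst would want to see.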
Being aware of the shift in tactics that adversaries use to carry out more sophisticated and insidious cyberattacks will help CISOs update their security strategies in line with technological advances and bolster their defences. In doing so, they will be better equipped to avoid financial losses, data breaches and downtime, leaving their businesses more resilient and better protected in a constantly evolving cyber landscape.
To learn more about Sophos visit their website.