Sophos’ latest report highlights a concerning trend in cyber-criminal activities, revealing that in 82% of incidents, attackers disable or erase logs, focusing particularly on telemetry data. The report, based on 232 Sophos incident response cases across 25 sectors from January 1, 2022, to June 30, 2023, underscores the rapid execution of ransomware assaults, often completed within hours.
John Shier, Sophos’ Field CTO, emphasizes the critical role of time in responding to active threats, noting that missing telemetry data prolongs remediation efforts. The analysis categorizes ransomware attacks based on dwell time, with 38% classified as “fast attacks” lasting five days or less and 62% as “slow attacks” with dwell times exceeding five days.
Sophos’ examination of both fast and slow ransomware attacks reveals minimal variations in the tools, techniques, and deployment of living-off-the-land binaries (LOLBins) by cyber-criminals.
While defenders may not need to overhaul defensive strategies as dwell time decreases, the report warns that swift attacks and a lack of telemetry can hinder rapid response times, potentially escalating damage. Shier asserts that cyber-criminals innovate within the confines of necessity, and defenders should focus on maintaining current defensive strategies, including comprehensive telemetry, robust protections, and widespread monitoring. The key recommendation is to increase friction in the attackers’ path, adding valuable response time and stretching out each stage of an attack.