Sophos released its Active Adversary Report for Security Practitioners, which found that telemetry logs were missing in nearly 42% of the attack cases studied. In 82% of attacks, cybercriminals disabled or wiped out the telemetry to hide their tracks.
Time is critical
“Time is critical when responding to an active threat; the time between spotting the initial access event and full threat mitigation should be as short as possible. The farther along in the attack chain an attacker makes it, the bigger the headache for responders.
Missing telemetry only adds time to remediations that most organisations can’t afford. This is why complete and accurate logging is essential, but we’re seeing that, all too frequently, organisations don’t have the data they need,” said John Shier, field CTO at Sophos.
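One defensive check that follows from the missing-telemetry finding above is to notice when a host's log stream goes quiet before an incident forces the question. The script below is an added example, not code from Sophos or the report: it assumes every monitored host emits at least one event per five-minute interval, flags silences longer than three intervals inside a host's stream, flags hosts that have stopped reporting by the end of the observation window, and flags events whose names suggest logging was disabled or cleared. All hostnames, timestamps and event names (including the tamper event names) are constructed for the example.

```python
"""Flag hosts whose telemetry goes missing, from a stream of log events.

Added example, not code from the Sophos report. Assumes every monitored host
emits at least one event per EXPECTED_INTERVAL, so a silence longer than
MAX_SILENCE inside a host's stream is a gap, a host whose last event is older
than MAX_SILENCE at the end of the observation window is silent, and events
named in TAMPER_EVENTS (constructed names) indicate logging was disabled or
cleared. All hostnames, timestamps and event names below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EXPECTED_INTERVAL = timedelta(minutes=5)
MAX_SILENCE = 3 * EXPECTED_INTERVAL  # tolerate two missed heartbeats
TAMPER_EVENTS = {"audit_log_cleared", "agent_stopped"}  # assumed event names

# Constructed sample telemetry: (ISO-8601 UTC timestamp, host, event name).
SAMPLE_EVENTS = (
    # ws-01 reports every five minutes for the whole hour: healthy.
    [(f"2023-03-01T10:{m:02d}:00", "ws-01", "heartbeat") for m in range(0, 60, 5)]
    + [
        # srv-02 is silent for 40 minutes, then resumes.
        ("2023-03-01T10:00:00", "srv-02", "heartbeat"),
        ("2023-03-01T10:05:00", "srv-02", "heartbeat"),
        ("2023-03-01T10:45:00", "srv-02", "heartbeat"),
        ("2023-03-01T10:50:00", "srv-02", "heartbeat"),
        ("2023-03-01T10:55:00", "srv-02", "heartbeat"),
        # dc-03 reports a cleared audit log and then never reports again.
        ("2023-03-01T10:00:00", "dc-03", "heartbeat"),
        ("2023-03-01T10:05:00", "dc-03", "heartbeat"),
        ("2023-03-01T10:06:00", "dc-03", "audit_log_cleared"),
    ]
)


def group_by_host(events):
    """Map host -> sorted list of event datetimes (any event counts as telemetry)."""
    by_host = defaultdict(list)
    for ts, host, _name in events:
        by_host[host].append(datetime.fromisoformat(ts))
    return {host: sorted(times) for host, times in by_host.items()}


def find_gaps(by_host, max_silence=MAX_SILENCE):
    """Internal gaps per host as (start_iso, end_iso, minutes) tuples."""
    gaps = {}
    for host, times in by_host.items():
        found = [
            (prev.isoformat(), cur.isoformat(), int((cur - prev).total_seconds() // 60))
            for prev, cur in zip(times, times[1:])
            if cur - prev > max_silence
        ]
        if found:
            gaps[host] = found
    return gaps


def find_silent_hosts(by_host, window_end, max_silence=MAX_SILENCE):
    """Hosts whose most recent event is older than max_silence at window_end."""
    return sorted(h for h, t in by_host.items() if window_end - t[-1] > max_silence)


def find_tamper_events(events, names=TAMPER_EVENTS):
    """Events that indicate logging was disabled or cleared on a host."""
    return [(ts, host, name) for ts, host, name in events if name in names]


def analyse(events, window_end_iso):
    """Run all three checks; window_end_iso is the end of the observation window."""
    by_host = group_by_host(events)
    window_end = datetime.fromisoformat(window_end_iso)
    return {
        "gaps": find_gaps(by_host),
        "silent": find_silent_hosts(by_host, window_end),
        "tamper": find_tamper_events(events),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_EVENTS, "2023-03-01T11:00:00")
    for host, gaps in report["gaps"].items():
        for start, end, minutes in gaps:
            print(f"GAP     {host}: {start} -> {end} ({minutes} min without telemetry)")
    for host in report["silent"]:
        print(f"SILENT  {host}: no telemetry at end of window")
    for ts, host, name in report["tamper"]:
        print(f"TAMPER  {host}: {name} at {ts}")
```

On the constructed sample the script reports one internal gap on srv-02, dc-03 as silent at the end of the window, and the cleared audit log on dc-03. In a real deployment the heartbeat interval and tolerance would come from the logging platform's expected cadence, and the three outputs would feed an alert rather than a print statement.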
Slow and fast attacks
The report, which covers Incident Response (IR) cases analysed from January 2022 through the first half of 2023, finds that “fast attacks” accounted for 38% of the cases studied.
These are ransomware attacks with a dwell time of less than or equal to five days. “Slow” ransomware attacks, with more than five days of dwell time, account for 62% of the cases.
The report also found that organisations will not need to reinvent their defensive strategies as dwell time shrinks: at a granular level, “fast” and “slow” ransomware attacks differ little in the tools, techniques and living-off-the-land binaries (LOLBins) they deploy.
However, fast attacks can be more destructive because they demand a more immediate response, which is harder still when telemetry is missing.