After sneaking into a computer network, lurking around for some time, and stealing data before locking it up, cybercriminals are found to be wiping out their activity footprint. According to a report by cybersecurity solutions company Sophos, in 82 per cent of the ransomware attacks, cybercriminals disabled or wiped out the telemetry to hide their tracks. (Telemetry is collection and transmission of data remotely from one source to another for monitoring and analysis.)
“We found that telemetry logs were missing in nearly 42 per cent of the attack cases that we studied. In 82 per cent of these cases, cybercriminals disabled or wiped out the telemetry to hide their tracks,” the Active Adversary Report for Security Practitioners pointed out.
Also read: Be conscious of data privacy and cybersecurity issues, State Bank of India MD Chaudhary tells MFIs
The report covers Incident Response (IR) cases that Sophos analysed from January 2022 through the first half of 2023.
Gaps in telemetry decrease much-needed visibility into organisations’ networks and systems, especially since attacker dwell time continues to decline, shortening the time defenders have to effectively respond to an incident. The dwell time is the time from initial access to a computer network by a hacker to his detection.
“Time is critical when responding to an active threat; the time between spotting the initial access event and full threat mitigation should be as short as possible. The farther along in the attack chain, an attacker makes it, the bigger the headache for responders,” John Shier, Field CTO, Sophos, said.
“Missing telemetry only adds time to remediations that most organizations can’t afford. This is why complete and accurate logging is essential, but we’re seeing that, all too frequently, organisations don’t have the data they need,” he said.
In the report, Sophos classifies ransomware attacks with a dwell time of less than or equal to five days as “fast attacks,” which accounted for 38 per cent of the cases studied. ‘Slow ransomware attacks’ are those with a dwell time greater than five days, which accounted for 62 per centt of the cases.
“Cybercriminals only innovate when they must, and only to the extent that it gets them to their target. Attackers aren’t going to change what’s working, even if they’re moving faster from access to detection. This is good news for organisations because they don’t have to radically change their defensive strategy as attackers speed up their timelines,” he said.
Also read: Job listings for cybersecurity talent drops: report
“The same defenses that detect fast attacks will apply to all attacks, regardless of speed. This includes complete telemetry, robust protections across everything, and ubiquitous monitoring,” he said.
He said the key was increasing friction whenever possible. “If you make the attackers’ job harder, then you can add valuable time to respond, stretching out each stage of an attack,” he said. The Sophos Active Adversary Report for Security Practitioners is based on 232 Sophos Incident Response (IR) cases across 25 sectors from Jan. 1, 2022, to June 30, 2023. Targeted organizations were located in 34 countries. Eighty-three percent of cases came from organizations with fewer than 1,000 employees.
