On our sister site, Sophos News, we have published some interesting and informative insights into how cybercriminals operate…
… answering the very real question, “How did they do it?”
In theory, crooks could (and do) use thousands of different attack techniques in any combination they choose.
In real life, however, good risk management says it is wise to focus on the biggest issues first, even if they are not the most glamorous or exciting cybersecurity topics.
So, in real life, what really works for cybercrooks when they set out to attack?
Just as important, what sort of things do they do once they’re in?
How long do they stick around on your network once they’ve established a beachhead?
How important is it to find the underlying cause of the attack and treat it, rather than just dealing with the obvious symptoms?
Active Adversary Playbook
Sophos expert John Shier has investigated 144 real-life cyberattack reports from the Sophos Rapid Response team during 2021.
What he found may not surprise you, but it is nonetheless vital information, because it is what actually happened, not merely what might have happened.
Notably:
- Unpatched vulnerabilities were the entry point for about 50% of attackers.
- Attackers stayed around for more than a month, on average, when ransomware was not their primary goal.
- Attackers were known to have stolen data in about 40% of cases. (Of course, not all data theft can be proven, since copying your data leaves no hole behind where it used to be, so the actual number may be much higher.)
- RDP was abused to move around the network by more than 80% of attackers once they were in.
Surprisingly, or perhaps unsurprisingly, the smaller the organisation, the longer the crooks typically remain on the network before anyone notices and does something about it.
In businesses with 250 employees or fewer, the crooks stuck around (in the jargon, this is known, perhaps surprisingly, by the old-fashioned metaphor of dwell time) for more than seven weeks on average.
This compares with an average dwell time of just three weeks for companies with more than 3,000 employees.
As you can imagine, however, ransomware criminals usually stay hidden for a much shorter period (less than two weeks rather than about a month), not least because ransomware attacks are inherently self-limiting.
After all, once ransomware crooks have scrambled all your data, they stop hiding and go straight to the in-your-face blackmail stage.
What makes ransomware attacks so destructive?
Importantly, there is a whole cybercrime ecosystem that is not directly involved in ransomware attacks at all.
These “non-ransomware” crooks include a significant group known in the trade as IABs, or initial access brokers.
IABs don’t earn their illicit income by extorting your business after a brutally visible attack, but by aiding and abetting other criminals to do so.
In fact, these IAB criminals can do much more harm to your business in the long run than ransomware attackers.
This is because their general goal is to learn as much about you (and your employees, your business, your suppliers and your customers) as they want, taking as much time as they want.
They then sell that data to other cybercriminals to make their illegal income.
In other words, if you are wondering how ransomware crooks are so often able to get in so quickly, map out your network so thoroughly, attack so decisively and demand such dramatic blackmail sums…
… it may well be because they bought an “Active Adversary Playbook” for their own use from previous crooks who had already been quietly but extensively circulating through your network.
RDP is still considered harmful
The good news is that RDP (Microsoft’s Remote Desktop Protocol) is nowadays much better protected at the network edge by the average company, with fewer than 15% of attackers using RDP as their starting point. (A year ago, it was over 30%.)
But the bad news is that many companies have not yet embraced the idea of zero trust, or need-to-know.
Many internal networks still have what cynical sysadmins have for years called “a soft interior”, even if their outer shell looks hard.
Statistics show that in more than 80% of attacks, RDP was abused to help attackers move from computer to computer once the outer shell had been breached, something known by the prolix jargon term lateral movement.
In other words, although many companies seem to have tightened up their externally accessible RDP portals (something we can only applaud), they still seem to rely heavily on so-called perimeter defence as their primary cybersecurity tool.
But today’s networks, especially in a world with much more remote working and “telepresence” than three years ago, no longer really have a perimeter in the traditional sense.
(As a real-world analogy, consider that many historic cities still have city walls, but these are now little more than tourist attractions, swallowed up by modern city centres.)
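The lateral-movement point above is something a defender can check for directly: internal RDP logons show up in Windows Security logs as Event ID 4624 with LogonType 10 (RemoteInteractive), so a source machine that opens RDP sessions to many hosts, or that is not an approved jump box, stands out. The following is an added example written for this article, not code from Sophos or from the report; the log line layout, host names, IP addresses and the allow-list of approved RDP sources are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of Windows Security log lines, flattened to one line per
# event. Event ID 4624 = successful logon; LogonType 10 = RemoteInteractive,
# i.e. an RDP session. Hosts, users and addresses are invented.
SAMPLE_LOG = """\
2021-06-01T09:02:11 host=FILESRV01 EventID=4624 LogonType=10 User=alice SourceIP=10.0.5.20
2021-06-01T09:15:42 host=FILESRV01 EventID=4624 LogonType=3 User=svc-backup SourceIP=10.0.5.40
2021-06-01T22:47:03 host=FILESRV01 EventID=4624 LogonType=10 User=admin SourceIP=10.0.8.77
2021-06-01T22:49:30 host=HR-PC-17 EventID=4624 LogonType=10 User=admin SourceIP=10.0.8.77
2021-06-01T22:55:12 host=DC01 EventID=4624 LogonType=10 User=admin SourceIP=10.0.8.77
2021-06-02T08:30:00 host=DC01 EventID=4624 LogonType=10 User=bob SourceIP=10.0.5.21
"""

# Assumed allow-list: the only machines that should ever initiate RDP inside
# the network (e.g. a jump box and the IT admin workstations).
APPROVED_RDP_SOURCES = {"10.0.5.20", "10.0.5.21"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<eid>\d+) "
    r"LogonType=(?P<ltype>\d+) User=(?P<user>\S+) SourceIP=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class RdpLogon:
    ts: str
    host: str
    user: str
    src: str


def parse_rdp_logons(log_text):
    """Return the successful RDP (4624 / type 10) logons found in the log."""
    logons = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not have the expected shape
        if m["eid"] == "4624" and m["ltype"] == "10":
            logons.append(RdpLogon(m["ts"], m["host"], m["user"], m["src"]))
    return logons


def unapproved_rdp_logons(logons, approved_sources):
    """RDP logons whose source address is not on the allow-list."""
    return [l for l in logons if l.src not in approved_sources]


def fan_out_by_source(logons, min_hosts=2):
    """Sources that reached at least `min_hosts` distinct hosts over RDP.
    One machine hopping to many is the classic lateral-movement shape."""
    hosts_per_src = {}
    for l in logons:
        hosts_per_src.setdefault(l.src, set()).add(l.host)
    return {src: sorted(h) for src, h in hosts_per_src.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    logons = parse_rdp_logons(SAMPLE_LOG)
    for l in unapproved_rdp_logons(logons, APPROVED_RDP_SOURCES):
        print(f"unapproved RDP source {l.src} -> {l.host} as {l.user} at {l.ts}")
    for src, hosts in fan_out_by_source(logons).items():
        print(f"{src} reached {len(hosts)} hosts via RDP: {', '.join(hosts)}")
```

Run against the sample, the two checks agree: 10.0.8.77 is not an approved source and it reached three different hosts in under ten minutes, late in the evening. In a real environment the same two questions (is this source allowed to RDP at all, and how many hosts has it touched?) are what turns a perimeter-only posture into something closer to need-to-know on the inside.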
What to do?
Knowing your cyber adversary makes you less likely to be caught by surprise…
… so our simple advice is: read the report.
As John Shier notes in his conclusion:
Until [the] exposed entry points have been closed, and everything the attackers have done to establish and retain access has been completely eliminated, just about anyone can walk in after them. And probably will.
Remember, if you need help, asking for it is not an admission of failure.
After all, if you don’t search your network for danger points, you can be sure the cybercriminals will!
Not enough time or staff? Learn more about Sophos Managed Threat Response:
Sophos MTR – Expert-led response
24/7 Threat Hunting, Detection, and Response