Attackers aren’t slowing down, here’s what researchers are seeing
In this Help Net Security interview, John Shier, Senior Security Advisor at Sophos, talks about the main findings of two Sophos reports: the 2022 Active Adversary Report and the State of Ransomware Report, which provide an exceptional overview of the modern threat landscape.
We know Sophos is planning to launch its Sophos 2022 Active Adversary Report at RSAC this year. Can you give us a high-level overview of the report? Any key findings or trends that are different from last year’s report?
Intruder dwell time has increased 36% over last year, with the median going from 11 days to 15 days. However, there was some interesting variability within this statistic. Ransomware victims saw lower median dwell times (11 days) compared to non-ransomware attacks (34 days), and smaller organizations saw the longest average dwell times. Nearly half (47%) of the attacks were the result of an exploited vulnerability. For example, easily exploited vulnerabilities like ProxyLogon and ProxyShell featured prominently in this year’s data. This trend was likely led by initial access brokers (IAB) who specialize in gaining initial access into networks and selling that access to all types of cybercriminals.
The combination of IABs and easily exploited vulnerabilities was one of the reasons we saw dwell times increase in 2021. Once compromised by an IAB, a victim might “sit on the shelf” until they were bought by another criminal, or the breach was finally detected. Many organizations are likely in this state right now. In some cases, due to there being a pre-existing condition that allowed easy access into a network, this resulted in multiple attackers victimizing the same target.
One piece of good news was that, in 2021, RDP use for external access decreased from 2020. This is likely due to emergency pandemic access being pulled back in favour of more secure and permanent solutions. But, RDP use for internal lateral movement increased, going from 69% to 82%, since last year’s report.
What attacker behaviors, tactics, techniques and procedures (TTPs) are you seeing emerge this year?
The major trend this year was that of exploiting vulnerabilities on externally-facing services for initial access. This included not only the ProxyLogon and ProxyShell vulnerabilities, but also vulnerabilities impacting many VPN and firewall deployments. While it might be tempting to think that this is an evolving trend, it was more of an opportunistic smash and grab. In most cases, a patch was available prior to the attack. The exploits manifested into a higher than normal amount of web shells found on victim networks. IABs likely accounted for much of this activity.
Another trend was the continued reliance on initial access through remote services, but with valid accounts. The lack of multi-factor authentication (MFA) on these remote services meant that attackers were able to walk through the front door undetected. In most cases, it was not possible to determine where these valid credentials came from. They could have been harvested through phishing campaigns or by credential stealers. They could also be from old breaches, where password re-use was the culprit. This could also be the work of IABs or other credential merchants.
Further down the attack chain, we saw the now-familiar set of legitimate and hacking tools being used for all sorts of purposes. PowerShell, malicious scripts (excluding PowerShell), PsExec, Cobalt Strike, mimikatz, and AnyDesk were among the top tools used to facilitate the attacks. The list also saw LoLBins like “net.exe”, “rundll32.exe”, “whoami.exe”, and “schtasks.exe” make an impact.
Let’s talk about ransomware. Attackers aren’t slowing down; in fact, ransomware attacks are almost ubiquitous. What is Sophos seeing?
Sophos continues to see high numbers of victims falling prey to ransomware criminals. This ever-present threat is one that’s seeing some shift in tactics, but no sign of abatement. For example, there continues to be a trend towards data theft extortion only, versus the traditional encryption plus data theft extortion. As recovery has gotten better, and payments have declined, some groups are opting to simply stealing data and threatening to publish it publicly. This has incentivized many victims to pay for fear of being outed to their customers, business partners, or privacy regulators, by the criminals.
Either way, ransomware is the most visible threat there is. This sometimes hides that fact that ransomware is very much an endgame. In nearly every case, the victim had already been compromised by one or more threats on the way to becoming a ransomware victim. To protect against ransomware, organizations need to lay the security foundation that will help them fight all threats.
Sophos just released its annual State of Ransomware Report, which found that the impact of a ransomware attack is immense, with nearly triple the amount of organizations being hit have paid more than $1M in ransom – have we reached the height of ransomware?
It’s impossible to know if we’ve hit peak ransomware until we’re on the other side of it, and there’s no reason to suspect that ransomware is going away any time soon. There is simply too much money to be made, and unfortunately, there are too many potential victims for this threat to go away. Now that Russia has seemingly given their tacit approval to homegrown criminals attacking the West, the problem can only get worse. No longer is there fear of potential arrest, and whatever will cause the West the most pain is probably encouraged. Even going after critical infrastructure. If we don’t seriously build resilience into our collective networks, ransomware criminals will continue plying their trade so long as there are victims to exploit.
How can real-time, human-led threat hunting help organizations stop ransomware attacks in their tracks?
It often takes a human to detect another human stealthily moving around the network. Automated tools can only take you so far, and then you need the contextual and analytical skills that humans possess. But, this level of defense is not where the story begins. This type of activity is further along the security maturity spectrum than where most companies are today.
Before starting a threat hunting program, organizations must establish a strong security foundation. This includes, but is not limited to, establishing secure defaults, prioritizing your patching to high-value and external assets, and hardening identity with MFA. It means using prevention technologies to limit the amount of threats that get through in the first place.
Finally, they need to implement detection and response tools that fit their needs. Now they can start hunting for threats using the telemetry provided by their security tools. But, not all organizations will be able to establish a threat hunting program. This is why it’s important to seek help wherever they need it. Managed MDR services, like those offered by Sophos, can take the burden away from the IT team so they can focus on establishing and maintaining the all-important security foundation the company relies on to fight today’s threats.
How does a layered security approach work, and why is it so critical in protecting against ransomware and other threats?
The paradigm behind a layered security approach is that we acknowledge that no single technology can stop all threats, therefore we need to assemble a set of technology controls to mitigate as much risk as possible. Each control will have strengths and weaknesses. However, layered defense isn’t just about technology. We also need to account for how business processes and people can act as mitigating controls against risk.
We can think of each control as a slice of Swiss cheese. Each slice has its inherent strengths and weaknesses (holes). The more slices you stack, the better your odds of protecting against today’s attacks, including ransomware. The conceit, however, is that even with this approach threats can still get through. This is where humans can act as one of those controls. Given the right mix of signals and context, humans excel at spotting malicious activity. So, it’s important to use technologies that are engineered to work together to provide the relevant information and context needed for the analysts to spot the active adversary.