Sophos Active Adversary Report Reveals Decrease in Attacker Dwell Time and Escalation to Active Directory in 2023

Sophos’ “Active Adversary Report for Tech Leaders 2023” reveals a decrease in attacker dwell time, with swift escalation to Active Directory within 16 hours. The report underscores the importance of proactive threat monitoring and Managed Detection and Response (MDR) to counter evolving attacker strategies.

25 August 2023 – Sophos, a renowned global cybersecurity innovator, has unveiled its “Active Adversary Report for Tech Leaders 2023,” offering a comprehensive analysis of attacker behaviors and methodologies in the first half of the year. The report underscores a notable reduction in median attacker dwell time, with a swift progression to control Active Directory (AD) observed within approximately 16 hours—a worrisome development for organizations.

During the initial six months of 2023, Sophos conducted an extensive examination of its Incident Response (IR) cases, revealing a considerable decrease in the median attacker dwell time from 10 to 8 days for all attacks and further reducing to 5 days for ransomware incidents. This trend indicates a proactive response to identify and mitigate threats swiftly. The report highlighted that attackers took an average of less than 24 hours to compromise Active Directory, a vital asset for organizations managing access and identities. By targeting AD, attackers can elevate their privileges, thereby amplifying the potential for malicious actions within a system.

John Shier, Field CTO at Sophos, noted that compromising Active Directory serves as an appealing offensive strategy for attackers due to its extensive privileges and access to various resources. Controlling AD essentially equates to controlling the entire organization, and the consequences of such an attack can be severe, requiring substantial recovery efforts. Shier further emphasized that while advancements in detection tools have expedited response times, organizations need to maintain continuous vigilance to ensure their defenses remain effective against evolving threats.

The report also highlighted shifts in ransomware attack patterns. These attacks dominated the incidents under investigation, comprising 69% of cases. The median dwell time for ransomware incidents was just 5 days. Remarkably, 81% of ransomware attacks deployed their final payloads outside conventional working hours, and Friday and Saturday emerged as prime days for attack detection. The increased adoption of technologies like Extended Detection and Response (XDR) and Managed Detection and Response (MDR) played a role in detecting attacks earlier, thereby shortening the operational window for attackers.

Shier pointed out that despite enhanced tools, the levelling off of non-ransomware dwell times demonstrates that attackers are still penetrating networks. MDR, he suggested, bridges the gap between defenders and attackers by providing continuous monitoring and proactive threat response.

Based on global Incident Response investigations across 25 sectors from January to July 2023, the Sophos Active Adversary Report for Tech Leaders furnishes security professionals with invaluable threat intelligence and insights, empowering them to refine and optimize their security strategies.

Author: Terry KS

Share This Post On