Sophos’ Active Adversary Report exposes critical gaps in telemetry logging: essential logs were missing in 42% of the attack cases analysed, and in 82% of those cases the attackers had deliberately disabled or deleted the telemetry. The report underscores the urgency for organizations to address this issue to enhance visibility and bolster incident response capabilities.
27 November 2023 – Sophos, a global leader in cybersecurity services, has unveiled its Active Adversary Report for Security Practitioners, exposing critical deficiencies in telemetry logs during cyber attacks. The report, covering Incident Response (IR) cases analyzed from January 2022 through the first half of 2023, discloses that telemetry logs were absent in nearly 42% of the cases, with cybercriminals disabling or erasing telemetry in 82% of those instances to conceal their activities.
Gaps in telemetry pose a substantial threat to organizations’ visibility into networks and systems, particularly as the dwell time of attackers continues to decrease. Dwell time, the time from initial access to detection, is a crucial factor in effective incident response. John Shier, field CTO at Sophos, emphasized the urgency of shortening the time between detecting a threat and full mitigation, stating, “Missing telemetry only adds time to remediations that most organizations can’t afford.”
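The report's two findings, telemetry that stops arriving and telemetry that attackers clear, are both detectable from the log stream itself. The following is an added example, not code from the Sophos report, that runs over a small constructed log sample: it flags hosts whose records go silent for longer than a threshold (including hosts that never report again before the end of the analysis window) and flags Windows log-clearing events. The hostnames, timestamps and the simple one-record-per-line format are assumptions made for the example; the event IDs 1102 (Security log cleared) and 104 (System log cleared) are real Windows identifiers.

```python
"""Detect telemetry gaps and log-clearing events in a per-host log stream."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Real Windows event IDs that indicate an event log was cleared.
LOG_CLEAR_EVENTS = {1102: "Security log cleared", 104: "System log cleared"}

# Constructed sample (not real data). Format: "<ISO timestamp> <host> <event_id> <message>".
# ws01 clears its Security log at 08:15 and then goes quiet; srv02 has a 70-minute
# silence; db03 reports once and never again before the window ends.
SAMPLE_LOG = """
2023-05-01T08:00:00 ws01 4624 An account was successfully logged on
2023-05-01T08:05:00 db03 4624 An account was successfully logged on
2023-05-01T08:10:00 ws01 4688 A new process has been created
2023-05-01T08:12:00 srv02 4624 An account was successfully logged on
2023-05-01T08:15:00 ws01 1102 The audit log was cleared
2023-05-01T08:20:00 srv02 4688 A new process has been created
2023-05-01T09:30:00 srv02 4688 A new process has created
2023-05-01T09:35:00 ws01 4688 A new process has been created
"""
WINDOW_END = datetime(2023, 5, 1, 10, 0, 0)  # end of the analysis window (assumed)


@dataclass
class Record:
    ts: datetime
    host: str
    event_id: int
    message: str


def parse(lines):
    """Parse the one-record-per-line format above into Record objects."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, event_id, message = line.split(maxsplit=3)
        records.append(Record(datetime.fromisoformat(ts), host, int(event_id), message))
    return records


def find_gaps(records, window_end, max_silence=timedelta(minutes=30)):
    """Return (host, last_seen_iso, gap_minutes) for every silence longer than max_silence.

    The trailing gap from a host's last record to window_end is included, so a host
    that simply stops reporting is flagged as well as one with a mid-stream hole.
    """
    stamps_by_host = defaultdict(list)
    for r in records:
        stamps_by_host[r.host].append(r.ts)
    findings = []
    for host, stamps in sorted(stamps_by_host.items()):
        stamps.sort()
        for prev, nxt in zip(stamps, stamps[1:] + [window_end]):
            silence = nxt - prev
            if silence > max_silence:
                findings.append((host, prev.isoformat(), int(silence.total_seconds() // 60)))
    return findings


def find_log_clears(records):
    """Return (host, timestamp_iso, event_id, description) for every log-clear event."""
    return [
        (r.host, r.ts.isoformat(), r.event_id, LOG_CLEAR_EVENTS[r.event_id])
        for r in records
        if r.event_id in LOG_CLEAR_EVENTS
    ]


def hosts_with_clear_then_silence(records, window_end, max_silence=timedelta(minutes=30)):
    """Hosts that cleared a log and also have a telemetry gap: the strongest signal
    that the gap is attacker-induced rather than an agent or network fault."""
    gap_hosts = {host for host, _, _ in find_gaps(records, window_end, max_silence)}
    clear_hosts = {host for host, _, _, _ in find_log_clears(records)}
    return sorted(gap_hosts & clear_hosts)


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG.splitlines())
    print("Telemetry gaps:", find_gaps(recs, WINDOW_END))
    print("Log clears:", find_log_clears(recs))
    print("Clear followed by silence:", hosts_with_clear_then_silence(recs, WINDOW_END))
```

The silence threshold should be tuned to the real reporting interval of the agent in use; a threshold below the normal heartbeat period will produce false positives on every host, while a threshold of hours will miss the short outages that precede a fast attack.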
The report classifies ransomware attacks into “fast” (dwell time ≤ 5 days) and “slow” (dwell time > 5 days) categories. Surprisingly, fast attacks accounted for 38% of the ransomware cases, emphasizing the need for swift response measures. However, when analyzing the tools and techniques employed in fast and slow attacks, Sophos found minimal variation between the two, suggesting that defenders do not need to overhaul their strategies despite the shrinking dwell time.
Shier highlighted that cybercriminals innovate only when necessary, making it feasible for organizations to maintain consistent defensive strategies. He recommended increasing friction in defensive measures, making it harder for attackers to navigate each stage of an attack.
The Sophos Active Adversary Report is based on 232 Sophos Incident Response cases across 25 sectors globally, involving organizations of various sizes. The report serves as a valuable resource, offering actionable intelligence for security practitioners to enhance their defensive strategies.