
Active Adversary Threats Increase

Cybercriminals are constantly looking for vulnerabilities to gain access to valuable computer systems. Cybersecurity company Sophos analyzed 232 incidents during the past 18 months and noted new attack vectors by sophisticated malware operators.

83% of incidents occurred in organizations with fewer than 1,000 employees. The companies studied came from a wide base: 35 nations and 25 business sectors. This broad scope ensures a wide representation of adversary behaviors that cybersecurity professionals can learn from.

Active adversaries are highly skilled cybercriminals, often equipped with powerful software and networking capabilities. They can be part of a professional cybercriminal network.


How Active Adversaries Operate

Active adversaries infiltrate organizations’ systems, evade detection, and continuously adapt their techniques, using hands-on-keyboard and AI-based methods to bypass preventative security controls and execute their attacks. They launch an attack, see what happens, and respond accordingly. If these predators don’t succeed the first time, they persist until they break through.


Prevalence

Cybercriminals target organizations of all sizes, including smaller companies. Their method of operation is generally to look for weaknesses rather than to target specific corporations, although some mercenary organizations might be tasked with infiltrating the critical infrastructure of an adversary nation for political advantage, and utilities and defense organizations would be high on that target list.


Lack of Multi-Factor Authentication (MFA) Leaves the Door Open to Adversaries

One thing that makes it easier for adversaries to abuse compromised credentials is the lack of multi-factor authentication (MFA) in many organizations. Well over a third (39%) of the incidents remediated in the first half of 2023 found that the victims did not have MFA configured.

If your company does not have MFA enabled, then your organization is probably a key target for these malefactors.


Attackers Target Off-hours

Another key finding is that adversaries actively target organizations when there’s a higher chance they won’t be detected (Sophos used data on ransomware attacks because they have the most reliable and objective indicators).

43% of ransomware attacks were launched on a Friday or Saturday in the victim’s time zone. Adversaries deliberately launch their attacks on these days so that they can work on them over the weekend – when IT teams are less likely to be actively monitoring and responding to security alerts.

9 in 10 attacks (91%) start outside of normal working hours in the victim’s time zone.
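As an added example (not from the article or from Sophos’s report), the following triage logic converts alert timestamps to the victim’s local time and pushes off-hours and Friday/Saturday activity to the top of the review queue, which is the defensive counterpart of the timing pattern described above. The log line format, host names, rule names, the 09:00–18:00 business-hours window and the Central Daylight Time offset are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo

# Assumed business hours, Monday to Friday, in the victim's local time.
WORK_START = time(9, 0)
WORK_END = time(18, 0)
# Sophos: 43% of ransomware attacks were launched on a Friday or Saturday local time.
LAUNCH_WINDOW_WEEKDAYS = {4, 5}  # Monday == 0, so Friday == 4, Saturday == 5

@dataclass
class Alert:
    ts_utc: datetime
    host: str
    rule: str

def parse_alert(line: str) -> Alert:
    """Parse a constructed '<ISO-8601 UTC> <host> <rule>' log line."""
    ts, host, rule = line.split(" ", 2)
    return Alert(datetime.fromisoformat(ts.replace("Z", "+00:00")), host, rule)

def classify(alert: Alert, victim_tz: tzinfo) -> dict:
    """Convert to victim-local time and flag off-hours and weekend-window alerts."""
    local = alert.ts_utc.astimezone(victim_tz)
    weekday = local.weekday()
    in_hours = weekday < 5 and WORK_START <= local.time() < WORK_END
    return {
        "host": alert.host,
        "rule": alert.rule,
        "local_time": local.isoformat(),
        "off_hours": not in_hours,
        "launch_window": weekday in LAUNCH_WINDOW_WEEKDAYS,
    }

def triage(lines, victim_tz: tzinfo) -> list:
    """Order alerts so off-hours and Friday/Saturday activity is reviewed first."""
    results = [classify(parse_alert(line), victim_tz) for line in lines]
    return sorted(results, key=lambda r: (not r["off_hours"], not r["launch_window"]))

# Constructed sample alerts (UTC). The victim is assumed to be on US Central
# Daylight Time; a fixed offset is used so the sample needs no tz database
# (use zoneinfo.ZoneInfo("America/Chicago") in practice so DST is handled).
VICTIM_TZ = timezone(timedelta(hours=-5), "CDT")
SAMPLE_LOG = [
    "2023-06-13T14:30:00Z srv-hist-01 suspicious_psexec_service",  # Tue 09:30 local
    "2023-06-14T12:00:00Z ws-ops-07 new_local_admin_account",      # Wed 07:00 local
    "2023-06-17T01:15:00Z srv-hist-01 shadow_copy_deletion",       # Fri 20:15 local
    "2023-06-17T19:00:00Z fileshare-02 mass_file_rename",          # Sat 14:00 local
]
```

Call `triage(SAMPLE_LOG, VICTIM_TZ)` to get the ordered list; three of the four constructed alerts land outside business hours, and the two in the Friday/Saturday window sort first.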


Key Defensive Postures:

Based on the insights from incidents remediated by Sophos incident responders, Sophos recommends adopting the following steps to help enhance company resilience against active adversaries.


Increase Friction for Attackers Wherever Possible

If a company's defenses are strong and well-maintained, attackers have to work harder to subvert them. This takes time and increases the window of detection. Fancy techniques like “bring your own vulnerable driver” (BYOVD) attacks are fourth or fifth on most attackers’ list of options – after everything else fails and they are trying to find a way in.

Robust, layered defenses, including automated, adaptive protection, create friction for attackers and raise the skill level they need to succeed in breaching the defenses. Often they will give up and move on to easier targets.


Protect the Entire Company Ecosystem

Attackers will take advantage of any weak spot they can find to penetrate the business system and then move around as they escalate their attacks. Make sure that the entire ecosystem is protected – as it is only as strong as the weakest link. Strong defenses also provide valuable information, which can help to accelerate threat detection and response.


Maintain Vigilance

These disturbing developments mean that companies need to maintain active vigilance at all times and on all days, even Christmas Day. They should be ready to investigate and respond promptly. Having a response plan is important, but so is quick action. Timely response can mean the difference between cleaning up a nuisance issue and rebuilding your entire environment from backups. Be sure to have response plans for the types of attacks most likely to affect your organization, and practice implementing them with both the security practitioners and the other company stakeholders who will need to respond to a crisis.