Know your enemy! Learn how cybercrime adversaries get in…

Over on our sister site, Sophos News, we’ve just published some fascinating and informative insights into cybercriminals…

…answering the truly practical question, “How do they do it?”

In theory, the crooks can (and do) use any and all of thousands of different attack techniques, in any combination they like.

In real life, however, good risk management says that it’s smart to focus on the the biggest problems first, even if they’re not the most glamorous or exciting cybersecurity topics to get stuck into.

So, in real life, what really works for the cybercrooks when they initiate an attack?

Just as importantly, what sort of things do they do once they’ve broken in?

How long do they tend to stick around in your network once they’ve created a beachhead?

How important is it to find and treat the underlying cause of an attack, instead of just dealing with the obvious symptoms?

The Active Adversary Playbook

Sophos expert John Shier dug into the incident reports of 144 real-life cyberattacks investigated by the Sophos Rapid Response team during 2021.

What he found might not surprise you, but it’s vital information nevertheless, because it’s what really happened, not merely what might have.

Notably:

  • Unpatched vulnerabilties were the entry point for close to 50% of the attackers.
  • Attackers stuck around for more than a month on average when ransomware wasn’t their primary goal.
  • Attackers were known to have stolen data in about 40% of incidents. (Not all data thefts can be proved, of course, given that there isn’t a gaping hole where your copy of the data used to be, so the true number could be much higher.)
  • RDP was abused to circumnavigate the network by more than 80% of attackers once they’d broken in.

Intriguingly, if perhaps unsurprisingly, the smaller the organisation, the longer the crooks had generally been in the network before anyone noticed and decided it was time to kick them out.

In businesses with 250 staff and below, the crooks stuck around (in the jargon, this is known by the quaintly archaic automotive metaphor of dwell time) for more than seven weeks on average.

This compared with an average dwell time of just under three weeks for organisations with more than 3000 employees.

As you can imagine, however, ransomware criminals typically stayed hidden for much shorter periods (just under two weeks, instead of just over a month), not least because ransomware attacks are inherently self-limiting.

After all, once ransomware crooks have scrambled all your data, they’re out of hiding and straight into their in-your-face blackmail phase.

Who makes ransomware attacks so devastating?

Importantly, there are entire cliques of cybercriminality that aren’t into the outright confrontation of the ransomware gangs.

These “non-ransomware” crooks include a significant group known in the trade as IABs, or initial access brokers.

IABs don’t derive their unlawful income from extorting your business after a violently visible attack, but from aiding and abetting other criminals to do so.

Indeed, these IAB criminals could do your business much more harm in the long run than ransomware attackers.

That’s because their typical goal is to learn as much about you (and your staff, and your business, and your suppliers and customers) as they can, over as long a period as they like.

Then they make their unlawful income by selling that data on to other cybercriminals.

In other words, if you’re wondering how ransomware crooks are often able to get in so quickly, to map out networks so thoroughly, to attack so decisively, and to make such dramatic blackmail demands…

…it may very well be because they bought their very own ready-to-use “Active Adversary Playbook” from earlier crooks who had roamed quietly but extensively through your network already.

RDP still considered harmful

One bit of good news is that RDP (Microsoft’s Remote Desktop Protocol) is much better protected at the average company’s network edge these days, with fewer than 15% of attackers using RDP as their initial entry point. (The year before, it was more than 30%.)

But the bad news is that many companies still aren’t embracing the concept of Zero Trust or Need-to-know.

Many internal networks still have what cynical sysadmins have for years been calling “a soft, gooey interior”, even if they have what looks like a hard outside shell.

That’s revealed by the statistic that in more than 80% of the attacks, RDP was abused to help the attackers jump from computer to computer once they’d cracked that outer shell, in what’s known by the prolix jargon term lateral movement.

In other words, even though many companies seem to have hardened their externally-accessible RDP portals (something we can only applaud), they still seem to be relying heavily on so-called perimeter defences as a primary cybersecurity tool.

But today’s networks, especially in a world with much more remote working and “telepresence” than three years ago, don’t really have a perimeter any more.

(As a real-world analogy, consider that many historic cities still have city walls, but they’re now little more than tourist attractions that have been absorbed into modern city centres.)

What to do?

On the grounds that knowing your cyberenemy makes it less likely that you will be taken by surprise…

…our simple advice is to Read the Report.

As John Shier points out in his conclusion:

Until [an] exposed entry point is closed, and everything that the attackers have done to establish and retain access is completely eradicated, just about anyone can walk in after them. And probably will.

Remember, if you need help then it’s not an admission of failure to ask for it.

After all, if you don’t probe your network to find the danger points, you can be sure that cybercriminals will!


Not enough time or staff? Learn more about Sophos Managed Threat Response:
Sophos MTR – Expert Led Response  ▶
24/7 threat hunting, detection, and response  ▶