The playbook is based on Sophos telemetry as well as 81 incident investigations and insight from the Sophos Managed Threat Response (MTR) team of threat hunters and analysts and the Sophos Rapid Response team of incident responders. The aim is to help security teams understand what adversaries do during attacks and how to spot and defend against malicious activity on their network.
Key findings in the playbook include:
• The median attacker dwell time before detection was 11 days – To put this in context, 11 days potentially provide attackers with 264 hours for malicious activity, such as lateral movement, reconnaissance, credential dumping, data exfiltration, and more. Considering that some of these activities can take just minutes or a few hours to carry out – often taking place at night or outside standard working hours – 11 days offer attackers plenty of time to cause damage in an organization’s network. It is also worth noting that ransomware attacks t
May 24, 2021
Cyber attacks often go undetected in organisations’ systems and are usually discovered only when a ransom demand is made.
This is one of the findings in Sophos’s “Active Adversary Playbook 2021”, which details attacker behaviors and the tools, techniques and procedures (TTPs) that Sophos’ frontline threat hunters and incident responders saw in the wild in 2020. The TTP detection data also covers early 2021.
The findings show that the median attacker dwell time before detection was 11 days (264 hours), with the longest undetected intrusion lasting 15 months.
Ransomware featured in 81% of incidents and 69% of attacks involved the use of the remote desktop protocol (RDP) for lateral movement inside the network.
Cobalt Strike Becomes a Preferred Hacking Tool by Cybercrime, APT Groups
Incident response cases and research show how the red-team tool has become a go-to for attackers.
RSA CONFERENCE 2021 - For nearly two decades, the open-source Metasploit hacking platform has drawn a mix of enthusiasm and frustration from security teams, which need the tool to test their own networks but also fear that cybercriminals or other bad actors could use it against them in attacks.
Metasploit remains popular today among good and bad hackers, but another red-team tool, Cobalt Strike, is increasingly playing a major role in attacks. Attackers are weaponizing the tool for the second stage of attacks to carry payloads (including Metasploit exploits) once they have penetrated the victim’s network, using customized, cloned, or even purchased versions of Cobalt Strike.