Attack Dwell Times Fall but Threat Actors Are Moving Faster

Written by

The dwell time of cyber-attacks fell to a median of eight days in the first half of 2023, but attackers are moving faster to make the most of shorter operating windows, a new report from Sophos has found.

The eight-day median dwell time represents a reduction two days compared to Sophos’ 2022 findings. Dwell time is the period between when an attack begins and when it is detected – reducing this timeframe enables a faster response from defenders and a shorter operating time for attackers.

The median dwell time was particularly low for ransomware attacks, falling from nine days in 2022 to five days in H1 2023.

While welcoming the ability of security teams to detect attacks faster, John Shier, field CTO at Sophos, warned that threat actors are adapting their approaches in response.

“Criminals have been honing their playbooks, especially the experienced and well-resourced ransomware affiliates, who continue to speed up their noisy attacks in the face of improved defenses,” he explained.

One frequent tactic employed by ransomware gangs is to launch attacks outside of traditional working hours, at times when security staff are less available. For example, in 81% of ransomware attacks analyzed by Sophos in H1 2023, the final payload was launched outside of traditional working hours, and for those that were deployed during business hours, only five happened on a weekday.

In addition, nearly half (43%) of ransomware attacks were detected on either a Friday or Saturday.

Read here: How to Mitigate the Impact of Cyber Staff Absences During the Summer Break

Rapid Access to Active Directory

The researchers also observed that attackers are moving faster to access Active Directory (AD) systems, on average access takes about 16 hours.

“It would appear that attackers are making a concerted effort to move laterally to AD servers as quickly as possible, and with good reason,” he added.

AD systems manage identity and access to resources across an organization, meaning attackers can use AD to easily escalate their privileges on a system enabling them to log in and carry out a wide range of malicious activity.

The report also noted that recovering from a domain compromise can be a “lengthy and arduous effort” and often means a security team has to start from scratch.

Shier said that Sophos’ investigations had found that most AD servers are only protected by Microsoft Defender, which adversaries had become “very adept” at disabling. This technique made up 43% of AD attacks in H1 2023, up from 36% in 2022. 

What’s hot on Infosecurity Magazine?