Threat actors spent a median of 15 days inside victim networks last year, an increase of over a third from the previous year, according to new data from Sophos.
The security vendor’s Active Adversary Playbook 2022 was compiled from data on 144 cases collected by Sophos incident response teams in the wild.
It claimed the increase in dwell time is down mainly to the exploitation of ProxyLogon and ProxyShell vulnerabilities last year and the emergence of initial access brokers (IABs) as an integral part of the cybercrime underground.
Dwell time was longer for smaller organizations: 51 days in SMEs with up to 250 employees versus 20 days in organizations with 3,000 to 5,000 employees.
“Attackers consider larger organizations to be more valuable, so they are more motivated to get in, get what they want and get out. Smaller organizations have less perceived ‘value,’ so attackers can afford to lurk around the network in the background for a longer period,” argued Sophos senior security advisor, John Shier.
“It’s also possible these attackers were less experienced and needed more time to figure out what to do once they were inside the network. Lastly, smaller organizations typically have less visibility along the attack chain to detect and eject attackers, prolonging their presence,”
In many cases Sophos investigated, multiple adversaries, including ransomware actors, IABs, cryptominers and others, targeted the same organizations simultaneously.
“If it’s crowded within a network, attackers will want to move fast to beat out their competition,” said Shier.
The data is somewhat at odds with Mandiant figures released in April, which revealed dwell time decreased globally by nearly 13% over the same period, to 21 days. However, although the percentage drop was even greater in EMEA, it stood at 48 days in 2021.
Advanced detection and response appear to be lacking in many organizations. Although Sophos saw a decline in the exploitation of RDP for initial access, from 32% in 2020 to 13% last year, its use in lateral movement increased from 69% to 82% over the period.
Other commonly detected tools and techniques were: PowerShell and malicious non-PowerShell scripts, combined in 64% of cases; PowerShell and Cobalt Strike (56%); and PowerShell and PsExec (51%).
Sophos said that detecting the presence of such correlations could help firms spot the early warning signs of a breach.