It Takes Less Than a Day for Attackers to Reach Active Directory – Companies’ Most Critical Asset
Sophos, a global leader in cybersecurity services, has released its Active Adversary Report for Tech Leaders 2023, which examines attacker behaviors and tooling during the first half of the year. The findings come from Sophos X-Ops’ analysis of Sophos Incident Response [IR] cases spanning January to July 2023.
One notable finding is the shrinking median attacker dwell time, the period from the start of an attack to its detection. It fell from 10 to 8 days across all attacks, and to just 5 days for ransomware attacks. This continues the previous year’s trend, when the median dwell time dropped from 15 to 10 days.
Sophos X-Ops also found that it now takes attackers, on average, less than a day, roughly 16 hours, to reach Active Directory [AD], a cornerstone asset for most companies. AD manages identity and access to resources across an organization, so an attacker who controls it can easily escalate privileges and carry out a wide range of malicious activity.
John Shier, Sophos’ Field CTO, aptly highlighted the rationale behind targeting an organization’s Active Directory infrastructure: “Attacking an organization’s Active Directory infrastructure makes sense from an offensive view. AD is usually the most powerful and privileged system in the network, providing broad access to the systems, applications, resources, and data that attackers can exploit in their attacks. When an attacker controls AD, they can control the organization. The impact, escalation, and recovery overhead of an Active Directory attack is why it’s targeted.”
Shier went on to emphasize the advantage adversaries gain by seizing control of the Active Directory server during an attack: that control lets them remain undetected while planning their next steps, and, once ready, move through the victim’s network unhindered.
He further stressed the considerable effort required to fully recover from a domain compromise, since such an attack undermines the very foundation of an organization’s security infrastructure and often necessitates a reset.
The report also highlights the shrinking dwell time for ransomware, which was the most prevalent attack type in the analyzed IR cases, accounting for 69% of them. The median dwell time for these attacks was just 5 days. Notably, 81% of ransomware attacks launched their final payload outside traditional working hours; of those deployed during business hours, only five occurred on weekdays.
Looking at when attacks occurred, detections increased as the week progressed, most markedly for ransomware, where almost half [43%] were identified on Fridays or Saturdays.
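The timing metrics above (median dwell time, the share of ransomware payloads launched outside working hours, and the day-of-week distribution of detections) are easy to recompute over an organization's own incident records. The following Python is an added example and is not code from the article or from Sophos; the business-hours window, the timezone, the `Case` record layout and the sample cases are all assumptions made for illustration.

```python
"""Timing analysis over a constructed set of incident-response records.

Added example (not from the article or the Sophos report): it recomputes the
kinds of metrics the report cites, namely median attacker dwell time, the
share of ransomware payloads deployed outside business hours, and the
weekday distribution of detections, from a small constructed case list.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import median
from typing import Optional

TZ = timezone.utc                      # assumption: all timestamps normalized to one zone
BUSINESS_START, BUSINESS_END = 8, 18   # assumption: business hours are 08:00-18:00
WEEKEND = {5, 6}                       # datetime.weekday(): 5 = Saturday, 6 = Sunday


@dataclass(frozen=True)
class Case:
    case_id: str
    attack_type: str                      # e.g. "ransomware" or another category
    first_evidence: datetime              # earliest attacker activity found in the case
    detected: datetime                    # when the intrusion was identified
    payload_deployed: Optional[datetime] = None  # ransomware only: final payload launch


def dwell_time(case: Case) -> timedelta:
    """Dwell time as defined in the report: start of the attack to its detection."""
    if case.detected < case.first_evidence:
        raise ValueError(f"{case.case_id}: detection precedes first evidence")
    return case.detected - case.first_evidence


def median_dwell_days(cases, attack_type: Optional[str] = None) -> float:
    """Median dwell time in days, optionally restricted to one attack type."""
    selected = [c for c in cases if attack_type is None or c.attack_type == attack_type]
    if not selected:
        raise ValueError("no cases match the requested attack type")
    return median(dwell_time(c).total_seconds() / 86400 for c in selected)


def is_outside_business_hours(ts: datetime) -> bool:
    """True on weekends or outside the configured daytime window."""
    local = ts.astimezone(TZ)
    return local.weekday() in WEEKEND or not (BUSINESS_START <= local.hour < BUSINESS_END)


def off_hours_payload_share(cases) -> float:
    """Fraction of recorded payload deployments that happened outside business hours."""
    deployed = [c.payload_deployed for c in cases if c.payload_deployed is not None]
    if not deployed:
        raise ValueError("no payload deployment timestamps recorded")
    return sum(is_outside_business_hours(t) for t in deployed) / len(deployed)


def detections_by_weekday(cases) -> Counter:
    """How many cases were detected on each weekday name."""
    return Counter(c.detected.astimezone(TZ).strftime("%A") for c in cases)


def _dt(s: str) -> datetime:
    """Parse an ISO-8601 timestamp as an aware datetime in TZ."""
    return datetime.fromisoformat(s).replace(tzinfo=TZ)


# Constructed sample cases; these are not real incidents.
SAMPLE_CASES = [
    Case("c1", "ransomware", _dt("2023-03-06T09:00"), _dt("2023-03-10T23:30"), _dt("2023-03-10T22:15")),
    Case("c2", "ransomware", _dt("2023-04-03T14:00"), _dt("2023-04-08T02:00"), _dt("2023-04-08T01:40")),
    Case("c3", "ransomware", _dt("2023-05-15T10:00"), _dt("2023-05-19T11:00"), _dt("2023-05-19T10:30")),
    Case("c4", "network breach", _dt("2023-02-01T08:00"), _dt("2023-02-15T08:00")),
    Case("c5", "data exfiltration", _dt("2023-06-05T12:00"), _dt("2023-06-13T12:00")),
]

if __name__ == "__main__":
    print(f"median dwell (all):        {median_dwell_days(SAMPLE_CASES):.2f} days")
    print(f"median dwell (ransomware): {median_dwell_days(SAMPLE_CASES, 'ransomware'):.2f} days")
    print(f"off-hours payload share:   {off_hours_payload_share(SAMPLE_CASES):.0%}")
    print(f"detections by weekday:     {dict(detections_by_weekday(SAMPLE_CASES))}")
```

`first_evidence` is whatever the investigation establishes as the earliest attacker activity, which is why dwell time depends as much on the thoroughness of the forensic timeline as on the detection itself; the off-hours check is the piece most readily reused in alert triage, for example to raise the severity of privileged AD changes that land outside the configured window.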
Shier noted that progress in detection technology cuts both ways. Advances such as XDR and MDR speed up attack identification and response, narrowing the attackers’ operating window, but adversaries have refined their strategies in turn. He cautioned that the leveling off of non-ransomware dwell times is a reminder that attackers are still breaching networks, only with a more deliberate approach.
He stressed that the right tools must be paired with continuous, proactive monitoring, and recommended Managed Detection and Response [MDR] services to close the gap between attackers and defenders.
The Sophos Active Adversary Report for Business Leaders is based on analysis of Sophos Incident Response investigations covering 25 sectors and 33 countries across six continents from January to July 2023. Notably, 88% of the cases involved organizations with fewer than 1,000 employees.
For security professionals, the Sophos Active Adversary Report for Tech Leaders offers actionable threat intelligence and insights to inform their security strategy.
For a fuller account of attacker behaviors, tools, and techniques, the report, titled “Time Keeps on Slippin’ Slippin’ Slippin’: The 2023 Active Adversary Report for Tech Leaders”, is available on Sophos.com.