Attackers lurk longer in smaller organizations - report


Threat actors consider bigger companies more valuable and are motivated to get in and get what they want as quickly as possible.

On average, intruders lurk for 51 days in organizations with up to 250 employees, while they typically spend 20 days in companies with 3,000 to 5,000 employees, Sophos researchers found.

According to the company's report Active Adversary Playbook 2022, intruders' dwell time increased by 36% to 15 days in 2021, compared to 11 days in 2020.

"Smaller organizations have less perceived 'value,' so attackers can afford to lurk around the network in the background for a longer period," the company's senior security advisor John Shier said.

Another possibility is that malicious hackers are inexperienced and simply need more time to figure out what to do once they manage to breach the company.

"Smaller organizations typically have less visibility along the attack chain to detect and eject attackers, prolonging their presence. With opportunities from unpatched ProxyLogon and ProxyShell vulnerabilities and the uprise of initial access brokers (IABs), we're seeing more evidence of multiple attackers in a single target. If it's crowded within a network, attackers will want to move fast to beat out their competition," Shier added.

Attackers lurked for 11 days in organizations before hitting them with ransomware. The longer median dwell time was for smaller sectors with fewer IT security resources, and those intrusions had not unfolded into a significant attack like ransomware.

Sophos said that longer dwell times and open entry points lead to multiple attackers exploiting the organization. Forensic evidence point to instances where multiple adversaries simultaneously targeted the same organization.

Last year, researchers noticed a drop in using the remote desktop protocol (RDP) for external access. This suggests that organizations have improved their management of external attack services. However, threat actors use RDP for internal lateral movement.

According to Sophos, Conti accounted for 18% of incidents in 2021. Researchers identified 41 different ransomware adversaries, with 28 of them first reported in 2021.

"The red flags that defenders should look out for include the detection of a legitimate tool, combination of tools, or activity in an unexpected place or at an uncommon time," said Shier. "It is worth noting that there may also be times of little or no activity, but that doesn't mean an organization hasn't been breached. There are, for instance, likely to be many more ProxyLogon or ProxyShell breaches that are currently unknown, where web shells and backdoors have been implanted in targets for persistent access and are now sitting silently until that access is used or sold."