Globally, the median dwell time for attackers dropped from 15 days to 10 days last year, according to Sophos, a drop that may indicate attackers are reaching their goals faster.
The findings come from the security vendor's Active Adversary Report for Business Leaders, which draws on 152 incident response investigations worldwide.
Non-ransomware dwell time fell from 34 days last year to 11 days, and dwell time for ransomware-related breaches fell from 11 to 9 days.
For more on dwell time: global dwell time is declining, but EMEA is lagging behind.
A Mandiant study released last week found the global median to be 16 days, the lowest since tracking the statistic began more than a decade ago.
However, as the Google-owned intelligence vendor noted at the time, this is not necessarily a sign that network defenders are getting better at spotting attacks. Attackers may simply be moving through the stages of their kill chain faster, which means they are detected sooner.
Sophos also cautioned against oversimplified interpretation of the data.
“The good news is that it may show improved detection of active attacks. This is a real improvement for defenders and their capabilities,” it claims. “The bad news is that attackers may be accelerating their attacks in response to better detection capabilities. See if you see any significant changes in ongoing interactions in
Elsewhere, Sophos revealed that exploited vulnerabilities were the most common method of initial access, accounting for 37% of the breaches analyzed. More than half (55%) of these involved the ProxyShell or Log4Shell vulnerabilities, which the victim organizations had been required to patch at the time.
The second most common method of initial access was credential compromise (30%), which Sophos says is often a sign that an initial access broker (IAB) was involved.
Nearly one-fifth (17%) of incidents had an “unknown” root cause. To improve visibility, organizations need to improve logging and log backups, Sophos argues.
“The ‘unknown’ problem is that it prevents a complete repair. If your organization doesn’t know how attackers get in, how do you remediate the problem to prevent future attacks?” the report noted.
“Sometimes attackers wipe data to clear their tracks, but other times they reimage systems before defenders can start investigating. Worst of all, some organizations never collect evidence in the first place.”