Sophos, a global leader in innovating and delivering cybersecurity as a service, recently released “The Bite from Inside: The Sophos Active Adversary Report,” an in-depth look at the changing behaviors and attack techniques that adversaries used in the first half of 2024. The data, derived from nearly 200 incident response (IR) cases handled by the Sophos X-Ops IR team and the Sophos X-Ops Managed Detection and Response (MDR) team, found that attackers are leveraging trusted applications and tools already present on Windows systems, commonly called “living off the land” binaries (LOLbins), to conduct discovery on systems and maintain persistence. Compared with 2023, Sophos saw a 51% increase in LOLbin abuse; compared with 2021, the increase is 83%.
Among the 187 unique Microsoft LOLbins detected in the first half of the year, the most frequently abused trusted application was remote desktop protocol (RDP). Of the nearly 200 IR cases analyzed, attackers abused RDP in 89% of them. This dominance continues a trend first observed in the 2023 Active Adversary report in which RDP abuse was prevalent in 90% of all IR cases investigated.
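The two findings above (LOLbin-driven discovery and RDP as the most abused trusted application) map directly onto telemetry most Windows estates already collect. The following is an added example, not code from Sophos or the Active Adversary Report, showing how a defender might triage that telemetry: it reads constructed Sysmon process-creation records (EventID 1) and Windows Security logon events (EventID 4624, where LogonType 10 is RemoteInteractive, i.e. RDP), flags watchlisted binaries launched by an unusual parent, flags hosts that run a burst of distinct discovery binaries, and flags RDP logons that do not originate from the sanctioned jump host. The LOLbin watchlist, the expected-parent set, the jump-host address and the sample log lines are all assumptions made for the example; the report does not enumerate the 187 binaries it counted.

```python
"""Defender-side triage of LOLbin use and RDP logons over constructed Windows telemetry.

Added example; not code from Sophos or the Active Adversary Report. The
watchlist, parent set, jump-host address and sample events are assumptions.
"""
import json
import ntpath
from collections import defaultdict

# Assumed watchlist of frequently abused Microsoft-signed binaries. The report
# counted 187 distinct LOLbins but does not list them; this set is illustrative.
LOLBIN_WATCHLIST = {
    "rundll32.exe", "certutil.exe", "mshta.exe", "regsvr32.exe",
    "nltest.exe", "net.exe", "whoami.exe", "wmic.exe",
}

# Parents under which those binaries routinely run in an administered estate (assumed).
EXPECTED_PARENTS = {"explorer.exe", "services.exe", "svchost.exe", "cmd.exe", "powershell.exe"}

# Hypothetical jump host that is the only sanctioned source of RDP sessions.
RDP_SOURCE_ALLOWLIST = {"10.0.5.10"}

# Constructed sample telemetry as JSON lines: Sysmon process creation
# (EventID 1) and Windows Security logon events (EventID 4624). Not real logs.
SAMPLE_LOG = r"""
{"EventID": 1, "Host": "WS01", "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\whoami.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "whoami /groups"}
{"EventID": 1, "Host": "WS01", "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\nltest.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "nltest /dclist:corp"}
{"EventID": 1, "Host": "WS01", "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\net.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "net group \"Domain Admins\" /domain"}
{"EventID": 1, "Host": "WS02", "User": "CORP\\bob", "Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "rundll32.exe update.dll,Run"}
{"EventID": 1, "Host": "WS03", "User": "CORP\\carol", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe notes.txt"}
{"EventID": 4624, "Host": "SRV01", "User": "CORP\\admin", "LogonType": 10, "IpAddress": "10.0.5.10"}
{"EventID": 4624, "Host": "SRV01", "User": "CORP\\bob", "LogonType": 10, "IpAddress": "203.0.113.7"}
{"EventID": 4624, "Host": "SRV01", "User": "CORP\\svc_backup", "LogonType": 3, "IpAddress": "10.0.1.20"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _basename(path):
    # ntpath handles Windows separators regardless of the analyst's platform.
    return ntpath.basename(path).lower()


def lolbin_executions(events):
    """Return (host, user, binary, parent) for every watchlisted process start."""
    hits = []
    for e in events:
        if e.get("EventID") != 1:
            continue
        binary = _basename(e["Image"])
        if binary in LOLBIN_WATCHLIST:
            hits.append((e["Host"], e["User"], binary, _basename(e["ParentImage"])))
    return hits


def unexpected_parents(events):
    """Watchlisted binaries launched by a parent outside EXPECTED_PARENTS
    (e.g. an Office application): legitimate tool, implausible context."""
    return [h for h in lolbin_executions(events) if h[3] not in EXPECTED_PARENTS]


def discovery_bursts(events, threshold=3):
    """Hosts running at least `threshold` distinct watchlisted binaries. One
    cmd.exe child is routine; a run of whoami/nltest/net on one host reads as
    discovery, which is the use the report attributes to LOLbins."""
    per_host = defaultdict(set)
    for host, _user, binary, _parent in lolbin_executions(events):
        per_host[host].add(binary)
    return {host: sorted(bins) for host, bins in per_host.items() if len(bins) >= threshold}


def rdp_logons_outside_allowlist(events):
    """4624 events with LogonType 10 (RemoteInteractive, i.e. RDP) whose source
    address is not the sanctioned jump host."""
    return [
        (e["Host"], e["User"], e["IpAddress"])
        for e in events
        if e.get("EventID") == 4624 and e.get("LogonType") == 10
        and e.get("IpAddress") not in RDP_SOURCE_ALLOWLIST
    ]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("LOLbin executions:", lolbin_executions(evts))
    print("Unexpected parents:", unexpected_parents(evts))
    print("Discovery bursts:", discovery_bursts(evts))
    print("RDP logons outside allowlist:", rdp_logons_outside_allowlist(evts))
```

On the constructed sample, the unexpected-parent check isolates the rundll32.exe started by WINWORD.EXE, the burst check singles out WS01 (three distinct discovery binaries), and the RDP check reports the single RemoteInteractive logon from outside the jump host. The thresholds and allowlists are deliberately simple; in a real estate they would be tuned to the baselines John Shier's quote below calls for.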
“Living-off-the-land not only offers stealth to an attacker’s activities but also provides a tacit endorsement of their activities. While abusing some legitimate tools might raise a few defenders’ eyebrows, and hopefully some alerts, abusing a Microsoft binary often has the opposite effect. Many of these abused Microsoft tools are integral to Windows and have legitimate uses, but it’s up to system administrators to understand how they are used in their environments and what constitutes abuse. Without nuanced and contextual awareness of the environment, including continuous vigilance to new and developing events within the network, today’s stretched IT teams risk missing key threat activity that often leads to ransomware,” says John Shier, field CTO, Sophos.
In addition, the report found that, despite the government disruption of LockBit’s main leak website and infrastructure in February, LockBit was the most frequently encountered ransomware group, accounting for approximately 21% of infections in the first half of 2024.
Other key findings from the latest Active Adversary Report:
- Root Cause of Attacks: Continuing a trend first noted in the Active Adversary Report for Tech Leaders, compromised credentials remain the number one root cause of attacks, accounting for 39% of cases. This is, however, a decline from the 56% noted in 2023.
- Network Breaches Dominate for MDR: When examining solely the cases from the Sophos MDR team, network breaches were the dominant incident type the team encountered.
- Dwell Times Are Shorter for MDR Teams: For cases from the Sophos IR team, dwell time (the time from when an attack starts to when it’s detected) has remained approximately eight days. With MDR, however, the median dwell time is just one day for all types of incidents and only three days for ransomware attacks.
- The Most Frequently Compromised Active Directory Servers Are Nearing End of Life: Attackers most frequently compromised the 2019, 2016, and 2012 server versions of Active Directory (AD). All three of these versions are now out of mainstream Microsoft support—one step before they become end-of-life (EOL) and impossible to patch without paid support from Microsoft. In addition, a full 21% of the AD server versions compromised were already EOL.
To learn more about attacker behaviors, tools and techniques, read “The Bite from Inside: The Sophos Active Adversary Report,” on Sophos.com.