Cyber attackers have been staying way too long on a website or systems under attack, sometimes undetected. According to Sophos’ latest report “Active Adversary Playbook 2022,” there is a 36% increase in dwell time, with a median intruder dwell time of 15 days in 2021 as opposed to 11 days in 2020.

The cybersecurity solutions firm attributed the increase to the exploitation of ProxyLogon and ProxyShell vulnerabilities and initial access brokers (IAB). It also noted that the dwell time is longer in smaller organizations’ environments with attackers lingering on for approximately 51 days in organizations with up to 250 employees. In contrast, they typically spent 20 days in organizations with 3,000-5,000 employees.

“Attackers consider larger organizations to be more valuable, so they are more motivated to get in, get what they want, and get out,” said John Shier, senior security advisor at Sophos.”Smaller organizations have less perceived ‘value,’ so attackers can afford to lurk around the network in the background for a longer period. It’s also possible these attackers were less experienced and needed more time to figure out what to do once they were inside the network. Lastly, smaller organizations typically have less visibility along the attack chain to detect and eject attackers, prolonging their presence.”

Sophos uncovers Squirrelwaffle malware, financial fraud attacks
Sophos uncovers liquidity mining cryptocrime

The median attacker dwell time before detection was longer for “stealth” intrusions that had not unfolded into a major attack such as ransomware, and for smaller organizations and industry sectors with fewer IT security resources. The median dwell time for organizations hit by ransomware was 11 days. For those that had been breached, but not yet affected by a major attack, such as ransomware (23% of all the incidents investigated), the median dwell time was 34 days. Organizations in the education sector or with fewer than 500 employees also had longer dwell times

The report also saw that longer dwell times and open entry points leave organizations vulnerable to multiple attackers. Forensic evidence uncovered instances where multiple adversaries, including IABs, ransomware gangs, cryptominers, and occasionally even multiple ransomware operators, were targeting the same organization simultaneously.

The Sophos Active Adversary Playbook 2022 is based on 144 incidents in 2021, targeting organizations of all sizes, in a wide range of industry sectors in different parts of the world.