
Sophos: Cyber attackers take only half a day to reach critical asset

In its latest analysis of incident-response cases, Sophos, a cybersecurity solutions provider, found that attackers are now reaching an organization's most critical asset, Active Directory (AD), in approximately 16 hours, about half a day after the intrusion begins.

Sophos reported that once attackers gain control of the AD, which manages identity and resource access across an organization, they can easily execute malicious activities.

“Getting to and gaining control of the AD server in the attack chain provides adversaries several advantages,” said John Shier, field CTO of Sophos. “They can linger undetected to determine their next move, and, once they are ready to go, they can blast through a victim’s network unimpeded.”


Shier pointed out that an attack on AD undermines the foundational security on which an organization's infrastructure relies: AD is the identity system every other control trusts. After a successful AD compromise, security teams effectively have to rebuild that trust from scratch.

“Full recovery from a domain compromise can be a lengthy and arduous effort,” Shier said. 

Dwell time

Sophos also observed improvements in threat detection, reflected in shorter dwell times: the period between the start of an attack and its detection. According to Sophos data, the median dwell time fell from 15 days to 10 days in 2022. It has since dropped further, to eight days across all attack types and to five days for ransomware attacks specifically.

Among the incident response (IR) cases analyzed, ransomware was the most common attack type, accounting for 69% of investigations. Timing matters too: 81% of ransomware attacks launched their final payloads outside traditional working hours, and of those deployed during business hours, only five occurred on a weekday.

Sophos also observed that the number of detected attacks rose as the week progressed, with ransomware standing out: nearly half (43%) of ransomware attacks were detected on a Friday or Saturday, when many security teams are at reduced staffing.

Proactive monitoring

“Lowering detection times leads to a faster response, which translates to a shorter operating window for attackers,” Shier said.

Shier emphasized that organizations cannot afford to be complacent, as cybercriminals persistently refine their capabilities and “continue to infiltrate and persist within networks.”

“But all the tools in the world won’t save you if you’re not watching,” he said. “It takes both the right tools and continuous, proactive monitoring to ensure that criminals have a worse day than you do.”