Sophos, a cybersecurity-as-a-service provider, disclosed in its Active Adversary Report that cyber attackers have been erasing crucial telemetry or logs from targeted organizations, hampering visibility into their networks.
The Sophos report analyzed 232 Incident Response (IR) cases from January 2022 to June 2023. It found that in nearly 42% of these cases telemetry logs were missing, and that in 82% of those cases the missing data was the result of cybercriminals deliberately disabling or wiping the logs to cover their tracks.
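The finding above maps to two checks a defender can run over endpoint telemetry: alert when a host records that a log was cleared or auditing was changed, and alert when a host's telemetry simply stops arriving, which is what wiped or disabled logging looks like from the collector's side. The following Python is an added example and not code from the Sophos report; the event IDs 1102 (Security audit log cleared), 104 (System log cleared) and 4719 (audit policy changed) are real Windows IDs, while the host names, the event stream and the one-hour gap threshold are constructed for illustration.

```python
"""Detect log wiping and telemetry gaps in a stream of endpoint events.

Added example, not from the Sophos report. The Windows event IDs are real;
the event format, host names and sample stream below are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Windows event IDs that record logs being cleared or auditing being weakened.
LOG_TAMPER_IDS = {
    1102: "Security audit log cleared",
    104: "System event log cleared",
    4719: "System audit policy changed",
}

# Constructed sample telemetry: (ISO timestamp, host, event_id, description).
SAMPLE_EVENTS = [
    ("2023-05-01T08:00:00", "ws-01", 4624, "logon"),
    ("2023-05-01T08:05:00", "ws-01", 4688, "process create"),
    ("2023-05-01T08:06:00", "ws-01", 1102, "audit log cleared"),
    ("2023-05-01T08:00:00", "srv-02", 4624, "logon"),
    ("2023-05-01T08:10:00", "srv-02", 4688, "process create"),
    # srv-02 sends nothing for over six hours, then resumes.
    ("2023-05-01T14:30:00", "srv-02", 4688, "process create"),
    ("2023-05-01T08:00:00", "dc-01", 4624, "logon"),
    ("2023-05-01T08:20:00", "dc-01", 4719, "audit policy changed"),
    ("2023-05-01T08:40:00", "dc-01", 4624, "logon"),
]


def parse(ts):
    """Parse an ISO 8601 timestamp string into a datetime."""
    return datetime.fromisoformat(ts)


def find_log_tampering(events):
    """Return (timestamp, host, event_id, label) for every tamper indicator."""
    hits = []
    for ts, host, eid, _ in events:
        if eid in LOG_TAMPER_IDS:
            hits.append((ts, host, eid, LOG_TAMPER_IDS[eid]))
    return hits


def find_telemetry_gaps(events, max_gap_minutes=60, window_end=None):
    """Return {host: [(gap_start, gap_end, gap_minutes), ...]} for every
    silence longer than max_gap_minutes.

    window_end (ISO string) is the end of the analysis window; when given,
    a host that is still silent at that point is flagged too, which is the
    case that matters most during an incident.
    """
    by_host = defaultdict(list)
    for ts, host, _, _ in events:
        by_host[host].append(parse(ts))
    end = parse(window_end) if window_end else None

    gaps = {}
    for host, times in by_host.items():
        times.sort()
        found = []
        for a, b in zip(times, times[1:]):
            minutes = (b - a).total_seconds() / 60
            if minutes > max_gap_minutes:
                found.append((a.isoformat(), b.isoformat(), minutes))
        if end is not None:
            minutes = (end - times[-1]).total_seconds() / 60
            if minutes > max_gap_minutes:
                found.append((times[-1].isoformat(), end.isoformat(), minutes))
        if found:
            gaps[host] = found
    return gaps


if __name__ == "__main__":
    for hit in find_log_tampering(SAMPLE_EVENTS):
        print("TAMPER", *hit)
    for host, found in find_telemetry_gaps(
        SAMPLE_EVENTS, window_end="2023-05-01T15:00:00"
    ).items():
        for start, stop, minutes in found:
            print(f"GAP {host} {start} -> {stop} ({minutes:.0f} min)")
```

The tamper check is cheap and high-signal, but it only fires if the clearing event itself reaches the collector; the gap check covers the case where an attacker stops the agent or the forwarder, so that the host produces nothing at all. Pass the current time as `window_end` when running this during an incident so that hosts that are still silent are reported.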
“Missing telemetry only adds time to remediations that most organizations can’t afford,” said John Shier, field CTO, Sophos. “This is why complete and accurate logging is essential, but we’re seeing that, all too frequently, organizations don’t have the data they need.”
The report drew from cases across 25 sectors in 34 countries, mainly from organizations with fewer than 1,000 employees. It aims to guide security practitioners in shaping more effective defensive strategies by offering actionable insights.
Slow and fast ransomware attacks
In the report, Sophos classifies ransomware attacks with a dwell time of less than or equal to five days as “fast attacks,” which accounted for 38% of the cases studied. “Slow” ransomware attacks are those with a dwell time greater than five days, which accounted for 62% of the cases.
Despite the difference in speed, the tools and techniques attackers used were largely the same in both groups, implying that defensive strategies need not change radically as dwell times shrink. The absence of telemetry, however, slows response and gives attackers more time to do damage.
“The same defenses that detect fast attacks will apply to all attacks, regardless of speed,” Shier explained. “This includes complete telemetry, robust protections across everything, and ubiquitous monitoring.”