Among the more than 500 unique tools and techniques that attackers use, Sophos’ research found “Living off the Land” binaries (LOLBins) to be among the most common today.
The cybersecurity solutions company analyzed more than 150 Sophos Incident Response (IR) cases and from there identified more than 500 unique tools and techniques, including LOLBins.
Sophos explained in its “Active Adversary Report for Business Leaders” that, unlike malware, LOLBins are legitimate executables that ship with the operating system, which makes them much harder for defenders to block outright when attackers abuse them for malicious activity.
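Because a LOLBin is a legitimate system binary, blocking the file itself is rarely an option; what defenders can act on is the context in which it runs (which process launched it, what arguments it received). The following Python snippet is an added illustration of that idea, not code from Sophos or from the report: it parses a handful of constructed process-creation events (the key=value format, host names, users and paths are all invented for this example) and flags LOLBin executions only when the surrounding context is unusual, such as an Office application as the parent, a URL on the command line, or a script argument living in a user’s temporary directory. The list of binaries and the three heuristics are deliberately small and are assumptions chosen for the demonstration, not a complete detection rule set.

```python
import re
from dataclasses import dataclass

# Constructed sample of process-creation events. The format (key=value fields,
# quoted where a value contains spaces), hosts, users and paths are all
# assumptions made up for this example.
SAMPLE_EVENTS = """\
ts=2023-01-10T09:12:01Z host=WS01 user=alice parent=explorer.exe image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe notes.txt"
ts=2023-01-10T09:13:44Z host=WS01 user=alice parent=winword.exe image=C:\\Windows\\System32\\certutil.exe cmdline="certutil.exe http://files.example.invalid/update.dat"
ts=2023-01-10T09:15:02Z host=SRV02 user=svc_backup parent=services.exe image=C:\\Windows\\System32\\rundll32.exe cmdline="rundll32.exe printui.dll,PrintUIEntry"
ts=2023-01-10T09:16:30Z host=WS03 user=bob parent=outlook.exe image=C:\\Windows\\System32\\mshta.exe cmdline="mshta.exe C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.hta"
ts=2023-01-10T09:17:05Z host=WS01 user=alice parent=cmd.exe image=C:\\Windows\\System32\\certutil.exe cmdline="certutil.exe -store My"
"""

# Small, illustrative set of well-known Windows LOLBins (assumption: a real
# deployment would maintain a much longer, curated list).
LOLBINS = {"certutil.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe",
           "wscript.exe", "cscript.exe", "powershell.exe"}
# Parents that rarely have a legitimate reason to launch a LOLBin directly.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
URL_RE = re.compile(r"https?://", re.IGNORECASE)
USER_TEMP_RE = re.compile(r"\\(temp|appdata)\\", re.IGNORECASE)


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    image: str          # base name of the executed binary, lower-cased
    reasons: tuple      # human-readable context signals that fired


def parse_event(line: str) -> dict:
    """Parse one key=value event line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def assess(ev: dict) -> list:
    """Return the context-based reasons a LOLBin execution looks suspicious.

    Running a LOLBin is normal, so an empty list is the common case; only the
    combination of binary + unusual context produces a finding.
    """
    name = ev.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name not in LOLBINS:
        return []
    cmdline = ev.get("cmdline", "")
    reasons = []
    if ev.get("parent", "").lower() in OFFICE_PARENTS:
        reasons.append("LOLBin spawned by Office application")
    if URL_RE.search(cmdline):
        reasons.append("URL in command line")
    if USER_TEMP_RE.search(cmdline):
        reasons.append("argument references user temp/AppData path")
    return reasons


def scan(text: str) -> list:
    """Run assess() over every event line and collect the findings in order."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = assess(ev)
        if reasons:
            name = ev["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
            findings.append(Finding(ev["ts"], ev["host"], ev["user"], name, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.ts} {f.host} {f.user} {f.image}: {'; '.join(f.reasons)}")
```

Run as-is, the script flags only two of the five constructed events: certutil launched from Word with a URL argument, and mshta launched from Outlook against a file in the user’s Temp folder. The rundll32 and certutil invocations from services.exe and cmd.exe produce nothing, which is the point: the same binaries are in everyday administrative use, so a rule keyed on the file name alone would be either noisy or useless, whereas parent process and argument context separate routine use from the abuse the report describes.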
“When today’s attackers aren’t breaking in, they’re logging in,” John Shier, field CTO, Sophos, said in a statement. “The reality is that the threat environment has grown in volume and complexity to the point where there are no discernible gaps for defenders to exploit.”
The Sophos Active Adversary Report for Business Leaders is based on 152 incident response (IR) investigations spanning the globe across 22 sectors.
Aside from LOLBins, Sophos also found that unpatched vulnerabilities were the most common root cause of attackers gaining initial access to targeted systems. The report stated that in half of the investigations included in the report, attackers exploited ProxyShell and Log4Shell vulnerabilities (vulnerabilities from 2021) to infiltrate organizations. The second most common root cause of attacks was compromised credentials.
Ransomware remains the most common threat: 68% of the cases in the report involved ransomware. Ransomware also accounted for nearly three-quarters of Sophos’ IR investigations over the past three years.
However, according to the report, attacker dwell time was reduced from 15 to 10 days in 2022. For ransomware cases, the dwell time decreased from 11 to 9 days, while the decrease was even greater for non-ransomware attacks. The dwell time for the latter declined from 34 days in 2021 to just 11 days in 2022.
“Unlike in past years, there was no significant variation in dwell times between different-sized organizations or sectors,” Sophos said.
“The race between attackers and defenders will continue to escalate and those without proactive monitoring will suffer the greatest consequences,” said Shier.