Here I go learning again. How creepy is it that some of these attackers will hang out spying on all you do for months!!!!!!!
And the smaller your business- THE MORE AT RISK YOU ARE… I would have assumed just the opposite- guess that’s why they say what they say about those that Ass-u-me…
by Paul Ducklin
Sophos expert John Shier dug into the incident reports of 144 real-life cyberattacks investigated by the Sophos Rapid Response team during 2021.
What he found might not surprise you, but it’s vital information nevertheless, because it’s what really happened, not merely what might have.
- Unpatched vulnerabilties were the entry point for close to 50% of the attackers.
- Attackers stuck around for more than a month on average when ransomware wasn’t their primary goal.
- Attackers were known to have stolen data in about 40% of incidents. (Not all data thefts can be proved, of course, given that there isn’t a gaping hole where your copy of the data used to be, so the true number could be much higher.)
- RDP was abused to circumnavigate the network by more than 80% of attackers once they’d broken in.
Intriguingly, if perhaps unsurprisingly, the smaller the organisation, the longer the crooks had generally been in the network before anyone noticed and decided it was time to kick them out.
In businesses with 250 staff and below, the crooks stuck around (in the jargon, this is known by the quaintly archaic automotive metaphor of dwell time) for more than seven weeks on average.
This compared with an average dwell time of just under three weeks for organisations with more than 3000 employees.
As you can imagine, however, ransomware criminals typically stayed hidden for much shorter periods (just under two weeks, instead of just over a month), not least because ransomware attacks are inherently self-limiting.
After all, once ransomware crooks have scrambled all your data, they’re out of hiding and straight into their in-your-face blackmail phase.