Attacker Dwell Time Rises with ProxyLogon, ProxyShell Vulnerabilities

Intruder dwell time increased by 36% in 2021 as malicious actors exploited ProxyLogon and ProxyShell vulnerabilities, according to a report from Sophos. 

The report was based on 144 incidents targeting organizations of all sizes in a wide range of industry sectors and revealed a median intruder dwell time of 15 days in 2021 versus 11 days in 2020.

Attackers lingered for approximately 51 days in organizations with up to 250 employees, while they typically spent 20 days in organizations with 3,000 to 5,000 employees.
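Dwell time is measured from the earliest evidence of attacker activity found during the investigation to the moment the intrusion was detected, and the figures above are medians over the incident set, broken out by organization size. The following script is an added example, not code or data from the Sophos report: it computes that metric over a handful of constructed incident records and groups the medians by employee-count bucket. The bucket boundaries and the record format are assumptions made for the example.

```python
"""Compute median intruder dwell time from incident records.

Added example; the incidents below are constructed for illustration and are
not data from the Sophos report.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample incidents. first_evidence is the earliest attacker
# artifact found in the investigation; detected is when the intrusion was
# identified. Employee counts place each organization in a size bucket.
INCIDENTS = [
    {"id": "inc-01", "employees": 120, "first_evidence": "2021-03-01", "detected": "2021-04-21"},
    {"id": "inc-02", "employees": 80, "first_evidence": "2021-05-10", "detected": "2021-06-09"},
    {"id": "inc-03", "employees": 200, "first_evidence": "2021-07-01", "detected": "2021-09-09"},
    {"id": "inc-04", "employees": 4000, "first_evidence": "2021-02-01", "detected": "2021-02-21"},
    {"id": "inc-05", "employees": 3500, "first_evidence": "2021-06-01", "detected": "2021-06-11"},
    {"id": "inc-06", "employees": 4800, "first_evidence": "2021-08-01", "detected": "2021-09-05"},
    {"id": "inc-07", "employees": 1500, "first_evidence": "2021-01-10", "detected": "2021-01-25"},
    {"id": "inc-08", "employees": 800, "first_evidence": "2021-04-01", "detected": "2021-04-09"},
]


def dwell_days(first_evidence: str, detected: str) -> float:
    """Days between the earliest evidence of compromise and detection.

    A detection timestamp earlier than the first evidence means the timeline
    was reconstructed wrongly, so it is rejected rather than silently
    producing a negative dwell time.
    """
    start = datetime.fromisoformat(first_evidence)
    end = datetime.fromisoformat(detected)
    if end < start:
        raise ValueError("detected precedes first evidence; check the timeline")
    return (end - start).total_seconds() / 86400


def size_bucket(employees: int) -> str:
    """Employee-count bucket (assumed boundaries for this example)."""
    if employees <= 250:
        return "up to 250"
    if employees <= 3000:
        return "251-3000"
    if employees <= 5000:
        return "3001-5000"
    return "over 5000"


def median_dwell(incidents) -> float:
    """Median dwell time in days across all incidents."""
    return median(dwell_days(i["first_evidence"], i["detected"]) for i in incidents)


def median_dwell_by_bucket(incidents) -> dict:
    """Median dwell time in days, keyed by organization size bucket."""
    groups = defaultdict(list)
    for inc in incidents:
        days = dwell_days(inc["first_evidence"], inc["detected"])
        groups[size_bucket(inc["employees"])].append(days)
    return {bucket: median(days) for bucket, days in groups.items()}


if __name__ == "__main__":
    print(f"overall median dwell: {median_dwell(INCIDENTS):.1f} days")
    for bucket, days in sorted(median_dwell_by_bucket(INCIDENTS).items()):
        print(f"{bucket:>10}: {days:.1f} days")
```

The median is used rather than the mean because a single long-running intrusion would otherwise dominate the figure; the rejection of inverted timelines matters in practice, since investigators often refine the first-evidence date after the detection date has already been recorded.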

Failing at Prevention and Detection

John Shier, senior security advisor at Sophos, said an increase in dwell time is worrying because it means organizations are failing at both prevention and detection.

“As a defense strategy, prevention is incredibly important. It automatically reduces the number of threats that make it into an organization,” he said. “But we know prevention won’t catch everything, and that’s where detection steps in.”

To do detection right, organizations must have the right mix of tools, contextual awareness of the environment and humans who can react to threats.

He said the longer an adversary is in the network, the deeper they can penetrate it and the higher the likelihood of reaching mission-critical systems or data.

Longer Dwell Times Can Set the Stage for Ransomware

Longer dwell times also give initial access brokers more time to sell their victims to other criminals, like ransomware gangs.

“Crucially, longer dwell times mean that the weakness that was used to breach the organization is still available for other criminals to abuse, and they often will,” he said. 

Rick Holland, CISO and vice president of strategy at Digital Shadows, called a 15-day dwell time “an eternity”, one which significantly increases the chances of the adversary accomplishing its objectives.

“Of all the detection and response metrics, dwell time is one you want to decrease and not grow,” he said. 

John Bambenek, principal threat hunter at Netenrich, agreed, noting the longer attackers can dwell in a victim’s environment, the more thorough they can be in the damage they cause.

“For example, more time means ransomware operators can ensure they take down all of an organization’s infrastructure and not just part of it,” he said. 

The study also found intruder dwell time was longer in smaller organizations’ environments, and Shier noted smaller businesses generally struggle with resourcing, both technological and human.

“This often means that defenses will be limited to basic prevention technologies that can only solve part of the problem of keeping intruders out of their networks,” he said. “As such, attackers can easily take advantage of this reduced capability and visibility.”

Holland added that smaller organizations are a target-rich environment because they don’t have the same prevention, detection and response resources as larger companies.

“These security ‘have-nots’ are particularly vulnerable, as a result,” he said. “SMEs should look for security ecosystem solutions to protect their environments versus trying to implement disparate best-of-breed technology they don’t have the staff to implement and operate successfully.”

Bambenek added that SMEs often lack the tools and budgets enterprises have and are more likely to have a harder time obtaining cyber insurance.

“An incident could become a door-closing event for them,” he said. 

Shier pointed out many SMEs provide valuable products and services and are also an important part of economic growth—when one gets attacked, it imperils their ability to provide those goods and services.

“It’s also important to remember that many SMEs are part of someone else’s supply chain,” he said. “An attack on an SME can result in a breach at a much larger company, with greater impact.”

The survey found that 73% of cases resulted in ransomware; the remaining cases involved less destructive threats such as cryptominers and network intrusions.

There were additional cases where, after a complete investigation, no threat was found. This suggests that many companies can detect an attack before it reaches the ransomware stage, and that others are acting on suspicious signals to confirm that what they are seeing is not an active attack.

“As more companies adopt both prevention and detection technologies, we will hopefully see a positive impact,” Shier said. “For organizations that don’t have internal capabilities, managed detection and response services can fill the gap. In a crowded threat landscape with complex threats, there’s no reason not to ask for help if you need it.”

Bambenek added that security isn’t just a technology problem, but a humanity problem.

“People have been killing and thieving long before we even have documented human history,” he said. “Security teams need to realize this and define success accordingly. We aren’t ever going to ‘solve’ cybersecurity—we can only stop attacks and celebrate the little wins.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
