The active adversary landscape in 2022

The adversaries lurking in your network are no longer just lone hackers in dark basements: today’s cybercriminals are seasoned professionals with access to significant resources and support from broader criminal networks. As cybercrime becomes a commercialized industry, businesses are struggling to keep up with increasingly sophisticated threats to their network security.

Author: Scott Barlow, Global Vice President of MSP and Cloud Alliances, Sophos

To better understand the current cyber threat landscape, the Sophos Managed Threat Response (MTR) team analyzed 144 security incidents across multiple industries in 17 countries. The 2022 Active Adversary Playbook reveals the top adversaries, attack behaviors, and tools seen in 2021 and well into 2022. Bad actors show no signs of slowing down any time soon, so it is critical that managed service providers (MSPs) stay informed about these trends so they can protect customers more effectively.

Level up security operations with these 5 insights in mind

After analyzing cybersecurity incidents in the manufacturing, retail, healthcare, IT, construction, and education industries, our frontline threat detection and incident response team gained valuable insights to help MSPs and IT security teams mitigate future threats. Let’s take a closer look.

1. Dwell times are on the rise. In a perfect world, the dwell time of an intruder would be only a few seconds, leaving adversaries little opportunity to carry out an attack. In reality, it can take weeks for an organization to identify an attacker in its environment. The median dwell time increased to 15 days in 2021, compared to 11 days in 2020. Dwell times were even higher for small businesses and educational institutions (21 days and 34 days, respectively). This suggests that these organizations may not have adequate internal resources to proactively hunt for and respond to potential threats in real time.

2. Initial Access Brokers (IABs) are increasingly involved in attacks. The increase in dwell time also suggests that IABs may be involved in more attacks than the previous year. An IAB gains unauthorized access to an organization’s environment and sells the access to a cybercrime group for use in their attack. This information is also in line with the increased number of instances our team identified involving multiple malicious actors on a network at the same time, a trend that will continue to shape the cyber threat landscape in the future.

3. Ransomware attacks remain a major threat to security operations. Ransomware was involved in 73% of incidents in 2021, reigning as the most prevalent attack type in both 2020 and 2021. The rise of ransomware as a service (RaaS), another example of the professionalization of cybercrime, contributes significantly to the frequency of these attacks. We identified 41 different ransomware adversaries across the 144 incidents investigated, with 28 new ransomware groups entering the scene in 2021. Meanwhile, 18 ransomware groups we identified in 2020 disappeared, demonstrating just how saturated and complex the cyber threat landscape is, and how fast it evolves. The rapid pace of change makes ransomware attacks even more difficult to defend against, because the set of adversaries an organization must watch and track is constantly changing.

4. Bad actors’ tool sets are expanding. As cybercriminals have become more professionalized, their tools and tactics have become more sophisticated, with more than 525 different artifacts used by attackers in 2021. These can be categorized into three types: legitimate and hacking tools, Microsoft binaries, and additional artifacts such as scripts and services. We also saw an increase in the number of attacks where the adversary used a combination of tools. For example, PowerShell, PsExec, and Cobalt Strike occurred together in 33% of cases in 2021, up from 12% in 2020.

5. Web shell vulnerabilities pose a risk. The ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange servers have presented opportunities for attack by adversaries since 2021. There are likely to be many more attacks using web shells and backdoors that have yet to be discovered, so MSPs and security professionals should have an incident response plan in place.

If 2021 taught us anything, it’s that adversaries will take any opportunity they get to exploit widespread vulnerabilities. And the truth is that you are never immune from attack by a cybercriminal. So, as ransomware gangs and crypto miners refine their tools and tactics, you need to have the security knowledge and tools to protect your customers.

Download the 2022 Adversary Attack Report to learn more about the cyber threat landscape and what to expect from today’s adversaries.


Scott Barlow is Vice President, Global MSP and Cloud Alliances at Sophos. Read more Sophos guest blogs here. Regularly contributed guest blogs are part of the MSSP Alert sponsorship program.