Sophos released the Active Adversary Playbook 2021 on May 18, detailing how attackers behave, as well as what tools, techniques, and procedures (TTP) threat detectors and incident responders witnessed in 2020 and early 2021.
The median amount of time attackers spent in breached systems without being detected was about 11 days, or about 264 hours. The longest undetected intrusion lasted 15 months.
About 81% of the incidents involved ransomware, and 69% of the attacks used Remote Desktop Protocol (RDP) for lateral movement inside networks.
What the investigations uncovered
The playbook is based on Sophos’ telemetry and 81 investigations by its MTR (Managed Threat Response) team of threat analysts and hunters, as well as the Sophos Rapid Response team that responds to incidents.
The goal is to help secure against adversaries by understanding things like:
- The median attacker dwell time before detection was 11 days
- 90% of the attacks used RDP, and in 69% of cases RDP was used for lateral movement inside networks
- There are correlations among the top five tools found in victim networks (Cobalt Strike appeared in 58% of cases, PsExec in 49% and Mimikatz in 33%), and they are sometimes used together
A playbook is necessary
John Shier, senior security advisor at Sophos, said that the threat landscape is changing, becoming more crowded and more complex. Attackers are getting more skilled and resourceful, and range from small groups to nation-state-sponsored actors.
He emphasized that the playbook matters as a way to augment human experience and the ability to respond, which should be part of any security solution.
Other topics in the book include tactics and techniques most likely to signal an active threat, early warning signs of an attack, types of threats, malware artefacts, and prevalent groups that have been spotted.