Report: Cybercriminals Disable Logs in 82% of Attacks

Emma Okonji

Sophos, a global leader in innovating and delivering cybersecurity as a service, has released its Active Adversary Report for Security Practitioners, which found that telemetry logs were missing in nearly 42 per cent of the attack cases studied.

According to the report, in 82 per cent of the cases, cybercriminals disabled or wiped out the telemetry to hide their tracks. The report covers Incident Response (IR) cases that Sophos analysed from January 2022 through the first half of 2023.

Gaps in telemetry decrease much-needed visibility into organisations’ networks and systems, especially since attacker dwell time, the time from initial access to detection, continues to decline, shortening the window defenders have to respond effectively to an incident.

Analysing the report, Field CTO at Sophos, John Shier, said: “Time is critical when responding to an active threat; the time between spotting the initial access event and full threat mitigation should be as short as possible. The farther along in the attack chain an attacker makes it, the bigger the headache for responders. Missing telemetry only adds time to remediations that most organizations can’t afford. This is why complete and accurate logging is essential, but we’re seeing that, all too frequently, organisations don’t have the data they need.”

In the report, Sophos classifies ransomware attacks with a dwell time of five days or less as ‘fast’ attacks, which accounted for 38 per cent of the cases studied, and ransomware attacks with a dwell time greater than five days as ‘slow’ attacks, which accounted for 62 per cent of the cases.

When examining these ‘fast’ and ‘slow’ ransomware attacks at a granular level, there was not much variation in the tools, techniques, and living-off-the-land binaries (LOLBins) that attackers deployed, suggesting defenders don’t need to reinvent their defensive strategies as dwell time shrinks. However, defenders do need to be aware that fast attacks and the lack of telemetry can hinder fast response times, leading to more destruction, the report further said.