Sophos report reveals telemetry gaps in 42% of cyberattack cases


Sophos, a global leader in Cybersecurity-as-a-Service, has released its Active Adversary Report for Security Practitioners, which found that telemetry logs were missing in nearly 42% of the attack cases studied.

In 82% of these cases, cybercriminals disabled or wiped out the telemetry to hide their tracks. The report covers Incident Response (IR) cases that Sophos analyzed from January 2022 through the first half of 2023.

Gaps in telemetry decrease much-needed visibility into organisations’ networks and systems, especially since attacker dwell time (the time from initial access to detection) continues to decline, shortening the time defenders have to effectively respond to an incident.

“Time is critical when responding to an active threat; the time between spotting the initial access event and full threat mitigation should be as short as possible. The farther along in the attack chain an attacker makes it, the bigger the headache for responders. Missing telemetry only adds time to remediations that most organisations can’t afford. This is why complete and accurate logging is essential, but we’re seeing that, all too frequently, organisations don’t have the data they need,” said John Shier, Field CTO, Sophos.

In the report, Sophos classifies ransomware attacks with a dwell time of less than or equal to five days as ‘fast attacks’, which accounted for 38% of the cases studied. ‘Slow’ ransomware attacks are those with a dwell time greater than five days, which accounted for 62% of the cases.
