Amid a well-documented crash in dwell times – the period in between a threat actor accessing a victim network and executing their cyber attack – analysts at Sophos have clocked a growing number of attacks in which ransomware gangs disable or wipe out telemetry logs in an attempt to hide their tracks and obstruct the vital work of security teams.
Based on episodes that involved the Sophos incident response (IR) team from 1 January 2022 to 30 June 2023, the firm today revealed that telemetry logs were missing in more than 42% of cases, and in 82% of those cases, the attackers had either disabled or wiped logs.
This clearly obscures the visibility that defenders have into their organisations’ networks and systems, putting them even more on the back foot given the increasingly limited time they have to detect and respond to an intrusion – dwell times are thought to be down 44% year on year (YoY).
“Time is critical when responding to an active threat; the time between spotting the initial access event and full threat mitigation should be as short as possible. The farther along in the attack chain an attacker makes it, the bigger the headache for responders,” said Sophos’ field chief technology officer (CTO), John Shier.
“Missing telemetry only adds time to remediations that most organisations can’t afford. This is why complete and accurate logging is essential, but we’re seeing that, all too frequently, organisations don’t have the data they need.”
Overall, the research – which forms part of an ongoing series of Sophos’ Active Adversary reports – found that regardless of the time from intrusion to execution seen, ransomware gangs exhibited remarkably little variance in their tactics, techniques and procedures (TTPs), which are generally well-practiced and successful, suggesting that defenders don’t need to evolve their defensive strategies radically.
However, said Sophos, ransomware gangs clearly understand quite well that detection capabilities have also improved, meaning they need to do more to escape detection – tampering with the victim’s telemetry being a relatively easy win for them.
Defenders, therefore, should be aware that in fast-moving attacks in particular (with dwell times of five days or less), a lack of telemetry can critically hinder their response.
“Cyber criminals only innovate when they must, and only to the extent that it gets them to their target. Attackers aren’t going to change what’s working, even if they’re moving faster from access to detection. This is good news for organisations because they don’t have to radically change their defensive strategy as attackers speed up their timelines. The same defences that detect fast attacks will apply to all attacks, regardless of speed. This includes complete telemetry, robust protections across everything, and ubiquitous monitoring,” said Shier.
“The key is increasing friction whenever possible – if you make the attackers’ job harder, then you can add valuable time to respond, stretching out each stage of an attack.
“For example, in the case of a ransomware attack, if you have more friction, then you can delay the time until exfiltration; exfiltration often occurs just before detection and is often the costliest part of the attack.
“We saw this happen in two incidents of Cuba ransomware. One company (Company A) had continuous monitoring in place with MDR, so we were able to spot the malicious activity and halt the attack within hours to prevent any data from being stolen.
“Another company (Company B) didn’t have this friction; they didn’t spot the attack until a few weeks after initial access and after Cuba had already successfully exfiltrated 75 gigabytes of sensitive data. They then called in our IR team, and a month later, they were still trying to get back to business as usual.”
Missing telemetry not always down to cyber criminals
All this said, Sophos also found that when defenders lack telemetry to respond to an incident, it isn’t always down to actions taken by an attacker – a quarter of the organisations it investigated simply never had appropriate logging available to begin with.
This came down to a variety of reasons, including insufficient retention, disk reimaging, or lack of proper configuration.
Shier warned that in these cases, not only did this mean there was no data available for defenders to examine, but they then had to waste valuable time working out why there was no data available in the first place.
Shier added that since Microsoft has now started to make logging freely available to basic licences, the majority of organisations really had no reason or excuse not to use it to its fullest when rolled out to the enterprise, although he acknowledged this may not be something that security teams would be in a position to make a decision on. It is therefore important that defenders advocate for themselves if the case is not being made by security leaders.
Finally, he added, like all types of data, logs should be securely backed up so that they are reachable should forensic analysis be needed. He noted: “The classic confidentiality-integrity-availability trinity is not usually top-of-mind for the practitioner crowd, but it’s worth invoking here to speak the leadership language that’ll get the necessary processes in place.”