Hackers seem to have spent more time on compromised devices last year than the previous year, showing a growth of over 36 per cent. The average ‘dwell time’ has gone up to 15 days in 2021 as against 11 days in the previous year, according to a report released by cyber security solutions firm Sophos.

Dwell time is the time an attacker stays in a compromised computer. The report suggests that intruder ‘dwell time’ was longer in smaller organisations’ environments.

“Attackers lingered for about 51 days in organisations with up to 250 employees, while they typically spent 20 days in organisations with 3,000 to 5,000 employees,” the report said.

The report, Active Adversary Playbook 2022, captured attacker behaviors last year. It said ProxyShell vulnerabilities in Microsoft Exchange were leveraged to breach networks and sell that access to other attackers. The report was based on 144 incidents in 2021, targeting organisations of all sizes in different parts f the world.

Hackers know well that bigger organisations are more valuable. “So they are more motivated to get in, get what they want and get out. Smaller organisations have less perceived ‘value,’ so attackers can afford to lurk around the network in the background for a longer period,” the report said.

Diverse attacks

John Shier, senior security advisor at Sophos, said that the world of cybercrime has become incredibly diverse and specialised. “Hackers have developed a cottage cybercrime industry by breaching a target, doing exploratory reconnaissance or installing a backdoor, and then selling the turn-key access to ransomware gangs for their own attacks,” he said.

“It can be hard for organisations to keep up with the ever-changing tools and approaches attackers use. It is vital that defenders understand what to look for at every stage of the attack chain in order to help them detect and neutralise attacks as fast as possible,” he said.

Stealth operations

The median attacker dwells time before detection was longer for ‘stealth’ intrusions that had not unfolded into a major attack such as ransomware.