Even as the cyber threat landscape is becoming more complex and dangerous, there seems to be an increase in the awareness levels on the importance of guarding one’s digital properties and networks. This sounds very good and encouraging. But bad news is that the hackers are able to reach the Active Directory (AD), one of the critical assets for a company, in less than a day.
AD typically manages identity and access to resources across an organisation, meaning attackers can use AD to easily escalate their privileges on a system to simply log in and carry out a wide range of malicious activity.
According to the latest report by cybersecurity company Sophos, the average dwell time (the time an intruder lurks around in a computer network or a device undetected) has come down to eight days from 10 days in the first half of 2023.
With regard to ransomware attacks, the dwell time comes down to five days. In 2022, the median dwell time decreased from 15 to 10 days.
The Active Adversary Report for Tech Leaders 2023, which provides an in-depth look at attacker behaviours and tools during the first half of 2023, analysed Sophos’ Incident Response (IR) cases from January to July 2023.
“It took on average less than a day—approximately 16 hours—for attackers to reach Active Directory (AD),” he said.
“Attacking an organisation’s Active Directory infrastructure makes sense from an offensive view. AD is usually the most powerful and privileged system in the network, providing broad access to the systems, applications, resources, and data that attackers can exploit in their attacks,” John Shier, field CTO, Sophos, said.
“When an attacker controls AD, they can control the organisation. The impact, escalation, and recovery overhead of an Active Directory attack is why it’s targeted,” he said.
“Getting to and gaining control of the Active Directory server in the attack chain provides adversaries several advantages. They can linger undetected to determine their next move, and, once they’re ready to go, they can blast through a victim’s network unimpeded,” he said.
Full recovery from a domain compromise can be a lengthy and arduous effort. Such an attack damages the foundation of security upon which an organization’s infrastructure relies. Very often, a successful AD attack means a security team has to start from scratch.