Apparently, once they have found a way in, cyber criminals are spending up to 36% longer within corporate networks than they used to.
Rather than a quick in and out with as much data as they can carry, hackers are now ignoring the proverbial police scanner and spending a lot more time seeing what they can steal.
A report from Sophos shows that criminals are spending a lot longer within networks once they gain access. That’s both good and bad news for security admins.
It’s good news as it gives admins longer to identify and track cyber criminals. It’s not-so-good news because it gives criminals more time to fully breach security and harvest much more usable data.
According to the report, cyber criminals who hack rather than use ransomware spend up to 51 days inside the networks of small businesses.
If a criminal uses ransomware, they spend on average 15 days inside the network.
The more employees a company has, the shorter the dwell time, presumably because larger organizations have better security and surveillance.
Sophos attributes this increase to Initial Access Brokers (IABs). These are hackers who sell access to company networks for a price on the dark web.
A potential criminal rents or buys access to a given company for a given amount of time. During that time, the criminal can do what they like as long as they minimize their visibility and chances of being caught.
Using IABs means more people with fewer skills can access company networks. A criminal could potentially put more time and effort into exploitation and data harvesting rather than intrusion.
The Sophos report also mentioned the vulnerabilities in Microsoft Exchange as a serious threat to cyber security. As most companies use a version of Exchange, this could be a very pervasive threat vector and something every network needs to protect against.
Microsoft is taking these threats so seriously that it has delayed the new version of Exchange by up to 4 years while teams work to fix the vulnerabilities.
While that’s scant comfort to networks already breached, it does show companies do take these threats seriously.
It also shows you cannot depend on a single vendor to provide all your security and that defense in depth really is the way forward.