Telemetry logs, which record the collection, transmission, and measurement of data, were found missing in 42 per cent of the cyberattacks analysed, according to Sophos' Active Adversary Report. Titled 'The Active Adversary Report for Security Practitioners', the report delves into incident response (IR) cases scrutinised by global cybersecurity firm Sophos. It provides insights based on 232 Sophos IR cases across 25 sectors from January 2022 to June 30, 2023.
Delving into cases of attacks, the report also found that in 82 per cent of these instances, cybercriminals deliberately disabled or eradicated telemetry to conceal their actions. The targeted organisations spanned 34 countries across six continents, with 83 per cent of cases originating from organisations with fewer than 1,000 employees.
Relevance of telemetry logs in cyberattacks
According to Sophos, "The telemetry you collect gives you insights that you can use to effectively administer and manage your IT infrastructure." Therefore, the absence of telemetry poses a significant challenge, diminishing visibility into organisational networks and systems, especially as the time from initial access to detection—known as attacker dwell time—continues to decrease. This reduction in response time intensifies the urgency for defenders to effectively counter incidents.
John Shier, field CTO at Sophos, emphasised the critical importance of time when responding to active threats. He stated, "Missing telemetry only adds time to remediations that most organisations can't afford. This is why complete and accurate logging is essential, but we're seeing that, all too frequently, organisations don't have the data they need."
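The missing-telemetry problem described above only becomes actionable if a security team notices when a host's log stream goes quiet. The following Python is an added example, not code from the Sophos report or from Sophos: it runs over a constructed heartbeat feed for hypothetical hosts (ws-01, srv-02, db-03, fs-04) with an assumed 15-minute tolerance, and flags three kinds of finding: a silence that ended when telemetry resumed, a silence still open at check time, and an inventoried host that never reported at all.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry feed (hypothetical hosts, not data from the
# Sophos report): "<ISO-8601 timestamp> <host> <event>", one record per line.
# srv-02 goes quiet between 10:10 and 10:30; db-03 stops after 10:05.
SAMPLE_TELEMETRY = """\
2023-06-01T10:00:00Z ws-01 heartbeat
2023-06-01T10:00:00Z srv-02 heartbeat
2023-06-01T10:00:00Z db-03 heartbeat
2023-06-01T10:05:00Z ws-01 heartbeat
2023-06-01T10:05:00Z srv-02 heartbeat
2023-06-01T10:05:00Z db-03 heartbeat
2023-06-01T10:10:00Z ws-01 heartbeat
2023-06-01T10:10:00Z srv-02 heartbeat
2023-06-01T10:15:00Z ws-01 heartbeat
2023-06-01T10:20:00Z ws-01 heartbeat
2023-06-01T10:25:00Z ws-01 heartbeat
2023-06-01T10:30:00Z ws-01 heartbeat
2023-06-01T10:30:00Z srv-02 heartbeat
"""

# Assumed asset inventory: fs-04 is expected to report but never appears in the feed.
EXPECTED_HOSTS = ["ws-01", "srv-02", "db-03", "fs-04"]

# Assumed tolerance; in practice tune it to the real beacon interval of each source.
MAX_GAP = timedelta(minutes=15)

# Constructed "now" for the check, shortly after the last record in the feed.
CHECK_TIME = datetime(2023, 6, 1, 10, 35, tzinfo=timezone.utc)


def parse_telemetry(text):
    """Group record timestamps per host, sorted ascending."""
    per_host = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, host, _event = line.split(maxsplit=2)
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        per_host[host].append(ts)
    return {host: sorted(times) for host, times in per_host.items()}


def _minutes(delta):
    return int(delta.total_seconds() // 60)


def find_telemetry_gaps(text, now, expected_hosts=(), max_gap=MAX_GAP):
    """Return one finding per silence longer than max_gap.

    status is 'resumed' when telemetry came back after the gap, 'ongoing'
    when the host is still silent at `now`, and 'never_reported' for an
    inventoried host with no records at all (a feed alone cannot reveal
    those, which is why the inventory is passed in).
    """
    per_host = parse_telemetry(text)
    findings = []
    for host in sorted(set(per_host) | set(expected_hosts)):
        times = per_host.get(host)
        if not times:
            findings.append({"host": host, "status": "never_reported",
                             "start": None, "end": now, "minutes": None})
            continue
        # Closed gaps between consecutive observations.
        for earlier, later in zip(times, times[1:]):
            if later - earlier > max_gap:
                findings.append({"host": host, "status": "resumed",
                                 "start": earlier, "end": later,
                                 "minutes": _minutes(later - earlier)})
        # Open gap from the last observation until now; still growing.
        if now - times[-1] > max_gap:
            findings.append({"host": host, "status": "ongoing",
                             "start": times[-1], "end": now,
                             "minutes": _minutes(now - times[-1])})
    return findings


if __name__ == "__main__":
    for f in find_telemetry_gaps(SAMPLE_TELEMETRY, CHECK_TIME, EXPECTED_HOSTS):
        when = f"from {f['start']:%H:%M} " if f["start"] else ""
        print(f"{f['host']}: {f['status']} {when}until {f['end']:%H:%M} "
              f"({f['minutes']} min)" if f["minutes"] is not None else
              f"{f['host']}: {f['status']}")
```

On the constructed feed this reports db-03 as an ongoing 30-minute silence, fs-04 as never having reported, and srv-02 as a 20-minute gap that has since resumed. Ordering the triage that way matters: an open gap on a host that was reporting a moment ago is exactly the pattern the report associates with telemetry being disabled mid-intrusion, whereas a closed gap still deserves a look at what happened on that host while it was dark.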
Ransomware attacks
Sophos' latest report also found that the "dwell time" for ransomware attacks fell 44 per cent year-on-year, a 72 per cent all-time drop. This indicates that attackers are aware of improvements in defenders' ability to detect ransomware attacks. It also shows that attackers have a "well-developed playbook" and many may be well-practised in carrying out these attacks.
The report categorised ransomware attacks with a dwell time of five days or less as "fast attacks," constituting 38 per cent of the cases studied. In contrast, "slow" ransomware attacks, with a dwell time exceeding five days, accounted for 62 per cent of the cases.
Examining these fast and slow ransomware attacks, Sophos noted minimal variation in the tools, techniques, and living-off-the-land binaries (LOLBins) employed by attackers. While this suggests that defenders do not need to overhaul their defensive strategies as dwell time shortens, the lack of telemetry can impede swift response times, leading to increased damage.
Defending against cyberattacks
Shier offered reassurance to organisations, stating, "The same defenses that detect fast attacks will apply to all attacks, regardless of speed. The key is increasing friction whenever possible—if you make the attackers' job harder, then you can add valuable time to respond, stretching out each stage of an attack."
Sophos also offered actionable intelligence to help security practitioners shape their defensive strategies effectively. Organisations must protect everything and also be ready to investigate promptly, with a response plan on hand.