The Active Adversary Landscape In 2022


The adversaries lurking in your network are no longer just lone hackers in dark basements — today’s cybercriminals are seasoned professionals with access to significant resources and support from wider criminal networks. As cybercrime matures into a commercialized industry, enterprises are struggling to keep pace with the increasingly sophisticated threats to their network security.

Author: Scott Barlow, global VP of MSP and cloud alliances, Sophos

To better understand today’s cyberthreat landscape, Sophos’ Managed Threat Response (MTR) team analyzed 144 security incidents across various industries in 17 countries. The 2022 Active Adversary Playbook reveals the main adversaries, attack behaviors and tools seen in 2021 and continuing well into 2022. Bad actors aren’t showing signs of slowing down anytime soon, so it’s critical for managed service providers (MSPs) to stay versed in these trends so they can more effectively protect customers.

Level Up Security Operations With These 5 Insights In Mind

After analyzing cybersecurity incidents across the manufacturing, retail, healthcare, IT, construction, and education industries, our frontline threat detection and incident response team gleaned valuable insights to help MSPs and security teams mitigate future threats. Let’s take a closer look.

1. Dwell times are on the rise. In a perfect world, the average intruder dwell time would be just seconds long, limiting the opportunity for adversaries to carry out an attack. In reality, it often takes weeks for an organization to identify an attacker in its environment. The median dwell time rose to 15 days in 2021, up from 11 days in 2020. And dwell times were even higher for small businesses and educational institutions (21 days and 34 days, respectively). This suggests that these organizations may not have adequate internal resources to proactively hunt for and respond to potential threats in real time.

2. Initial access brokers (IABs) are increasingly involved in attacks. The rise in dwell time also suggests that IABs may be involved in more attacks than the previous year. An IAB gains unauthorized access to an organization's environment and sells the access to a cybercrime group to use in its attack. This insight is also in line with the increased number of instances our team identified involving multiple bad actors in a network at the same time — a trend that will continue to shape the cyberthreat landscape moving forward.

3. Ransomware attacks remain a significant threat to security operations. Ransomware was involved in 73% of incidents in 2021, reigning supreme as the most prevalent type of attack in both 2020 and 2021. The rise of ransomware as a service (RaaS) — another example of the professionalization of cybercrime — contributes significantly to the frequency of these attacks. We identified 41 different ransomware adversaries across the 144 investigated incidents, with 28 new ransomware groups entering the scene in 2021. Meanwhile, 18 ransomware groups we identified in 2020 disappeared, which demonstrates how crowded and complex the cyberthreat landscape is — and how quickly it evolves. The fast pace of change makes ransomware attacks even more difficult to defend against because of the ever-changing adversaries an organization must watch out for and keep track of.

4. Bad actors’ toolsets are expanding. As cybercriminals have become more professionalized, their tools and tactics have become more sophisticated — and more numerous. Attackers used more than 525 different artifacts in 2021, which can be categorized into three types: legitimate and hacking tools, Microsoft binaries, and additional artifacts such as scripts and services. We also saw a rise in the number of attacks in which the adversary used a combination of tools. For example, PowerShell, PsExec and Cobalt Strike occurred together in 33% of cases in 2021 — up from 12% in 2020.

5. Web shell vulnerabilities pose a risk. The ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange servers have given adversaries opportunities to plant web shells since 2021. There are likely many more exploits using web shells and back doors that have yet to be discovered, so MSPs and security professionals must have an incident response plan prepared.

If 2021 taught us anything, it’s that adversaries will jump at any chance they have to exploit widespread vulnerabilities. And the truth is, you are never impervious to a cybercriminal’s attack. So, as ransomware gangs and cryptominers hone their tools and tactics, you must have the knowledge and security tools to protect your customers.

Download the 2022 Adversary Attack Report for more insights about the cyberthreat landscape and what to expect from today’s adversaries.

Scott Barlow is VP, global MSP & cloud alliances at Sophos. Read more Sophos guest blogs here. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.