"Attacker Dwell Time Surges 36% in 2021"

Security researchers at Sophos have found that threat actors spent a median of 15 days inside victim networks last year, an increase of over a third from the previous year. The researchers attributed the increase in dwell time mainly to the exploitation of the ProxyLogon and ProxyShell vulnerabilities last year and to the emergence of initial access brokers (IABs) as an integral part of the cybercrime underground. They noted that dwell time was longer for smaller organizations: 51 days in SMEs with up to 250 employees versus 20 days in organizations with 3,000 to 5,000 employees. The researchers stated that advanced detection and response appear to be lacking in many organizations. Although the researchers saw a decline in the exploitation of RDP for initial access, from 32% in 2020 to 13% last year, its use in lateral movement increased from 69% to 82% over the period. Other commonly detected combinations of tools and techniques were PowerShell and malicious non-PowerShell scripts (seen together in 64% of cases), PowerShell and Cobalt Strike (56%), and PowerShell and PsExec (51%). The researchers stated that detecting the presence of such correlations could help firms spot the early warning signs of a breach.

 

Infosecurity reports: "Attacker Dwell Time Surges 36% in 2021"
