Cybercriminals disabled or wiped out logs in 82 percent of attacks with missing telemetry between January 1, 2022, to June 30, 2023, a new report said on Thursday.
Telemetry automatically gathers, transmits, and measures data from remote sources, using sensors and other devices to collect data.
As explained by the cybersecurity firm Sophos, gaps in telemetry decrease much-needed visibility into an organization’s networks and systems, especially since attacker dwell time (the time from initial access to detection) continues to decline, shortening the time defenders have to effectively respond to an incident.
In the report, the researchers classified ransomware attacks with a dwell time of less than or equal to five days as “fast attacks,” which accounted for 38 percent of the cases studied.
“Slow” ransomware attacks are those with a dwell time greater than five days, which accounted for 62 percent of the cases.
“Missing telemetry only adds time to remediations that most organizations can’t afford. This is why complete and accurate logging is essential, but we’re seeing that, all too frequently, organizations don’t have the data they need,” said John Shier, field CTO, of Sophos.
According to the researchers, when examining these “fast” and “slow” ransomware attacks at a granular level, there was not much variation in the tools, techniques, and living-off-the-land binaries (LOLBins) that attackers deployed, suggesting defenders don’t need to reinvent their defensive strategies as dwell time shrinks.
“Cybercriminals only innovate when they must, and only to the extent that it gets them to their target. Attackers aren’t going to change what’s working, even if they’re moving faster from access to detection,” said Shier.
The report is based on 232 Sophos Incident Response (IR) cases across 25 sectors. Targeted organizations were located in 34 different countries across six continents.
About 83 percent of cases came from organizations with fewer than 1,000 employees.
