The median attacker dwell time before detection is 11 days or 256 hours, according to data from Sophos. That’s time in which invaders are free to conduct malicious activity, such as lateral movement, reconnaissance, credential dumping, data exfiltration, and more.

The company has released an ‘Active Adversary Playbook’ detailing attacker behaviors and the tools, techniques and procedures (TTPs) that frontline threat hunters and incident responders saw in the wild.

Another findings says 90 percent of attacks seen involve the use of the Remote Desktop Protocol (RDP) and in 69 percent of all cases, attackers used RDP for internal lateral movement. While security measures for RDP, such a VPNs and multi-factor authentication tend to focus on protecting external access these don’t work if the attacker is already inside the network.

Ransomware was involved in 81 percent of the attacks Sophos investigated. The release of ransomware is often the point at which an attack becomes visible to an IT security team.

The threat landscape is becoming more crowded and complex, with attacks launched by adversaries with a wide range of skills and resources, from script kiddies to nation-state backed threat groups. This can make life challenging for defenders,

Over the last year,incident responders helped to neutralize attacks launched by more than 37 attack groups, using more than 400 different tools between them. Many of these tools are also used by IT administrators and security professionals for their everyday tasks and spotting the difference between benign and malicious activity isn’t always easy