Active adversaries are now a major threat for organizations of all sizes. These highly skilled cybercriminals continue to develop and evolve their techniques in response to superior defenses, executing attacks at scale and employing sophisticated techniques specifically designed to avoid triggering preventative security solutions.
We are excited to announce the addition of new capabilities to Sophos Firewall, Sophos XDR, and Sophos NDR solutions to further enable organizations to defend against these active adversaries.
What are Active Adversaries and How Do They Operate?
Active adversaries are highly skilled cybercriminals, often equipped with sophisticated software and networking skills, who gain entry into an organization’s systems, evade detection, and continuously adapt their techniques, using hands-on-keyboard and AI-assisted methods to circumvent preventative security controls and execute their attack.
Organizations need adaptive security controls designed to detect and respond to the approaches commonly used by active adversaries:
Multi-stage attacks
Attacks that end in a different place than where they started.
Active adversaries execute attacks that cross multiple domains across the victim’s environment. The full scope of these attacks cannot be detected by a single point product. Organizations need visibility across their entire ecosystem.
Living off the land attacks
Attacks that use legitimate tools in malicious ways.
Preventative security tools are unable to block the use of legitimate IT tools without the risk of causing significant operational disruption. Attackers take advantage of this by using legitimate IT tools like RDP and PowerShell to blend into the background.
Unknown vulnerabilities
Attacks that leverage a weakness, flaw, or error in software.
Attackers exploit zero-day and unpatched vulnerabilities to execute attacks. 65% of ransomware attacks start with an attacker exploiting an unknown vulnerability or logging in using legitimate credentials.
Credential abuse
Attacks that start with an adversary logging in instead of breaking in.
Active adversaries use compromised legitimate user credentials to log in and execute their attacks. Preventative security tools are unable to block or detect the intrusion until the ‘user’ demonstrates suspicious or malicious behavior.
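The credential-abuse and living-off-the-land approaches above combine into a pattern defenders can look for: a legitimate interactive logon followed shortly by a legitimate tool launched with evasive options. The following added example (not Sophos code, and not from the original post) runs that correlation over a few constructed Windows-style logon and process-creation records; the event field names, the 15-minute window, and the switch list are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): one RDP logon followed by a
# hidden, encoded PowerShell launch, and one service account running a script.
EVENTS = [
    {"ts": "2023-11-20T08:01:00", "type": "logon", "user": "jdoe",
     "src": "10.0.5.23", "logon_type": 10},
    {"ts": "2023-11-20T08:03:30", "type": "process", "user": "jdoe",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QUJD"},
    {"ts": "2023-11-20T09:15:00", "type": "logon", "user": "svc_backup",
     "src": "10.0.1.4", "logon_type": 3},
    {"ts": "2023-11-20T09:16:00", "type": "process", "user": "svc_backup",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

# Switches that are legitimate on their own but, right after an interactive
# logon, are a common "blend into the background" signal (assumed list).
SUSPICIOUS_SWITCHES = ("-enc", "-encodedcommand", "-w hidden", "-nop")
INTERACTIVE_LOGON_TYPES = {2, 10}  # console and RDP logon types in Windows 4624


def find_lotl_after_logon(events, window=timedelta(minutes=15)):
    """Return alerts where a user logs in interactively and then launches
    PowerShell with evasive switches within `window` of that logon."""
    last_logon = {}  # user -> (timestamp, source address)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "logon" and ev["logon_type"] in INTERACTIVE_LOGON_TYPES:
            last_logon[ev["user"]] = (ts, ev["src"])
        elif ev["type"] == "process" and ev["image"].lower() == "powershell.exe":
            cmd = ev["cmdline"].lower()
            hits = [s for s in SUSPICIOUS_SWITCHES if s in cmd]
            logon = last_logon.get(ev["user"])
            if hits and logon and ts - logon[0] <= window:
                alerts.append({"user": ev["user"], "src": logon[1],
                               "switches": hits, "cmdline": ev["cmdline"]})
    return alerts
```

The backup service account's network logon (type 3) and plain `-File` invocation produce no alert, while the RDP session followed by a hidden, encoded launch does; in practice the same join is done against endpoint and firewall telemetry rather than an in-memory list.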
Our new Active Adversary Report for Security Practitioners highlights key changes in adversary behavior over the last year, including:
- Attackers are speeding up. Dwell time in ransomware is rapidly decreasing, down from 9 days in 2022 to 5 days in 1H 2023.
- Adversaries frequently abuse legitimate IT tools. The LOLBins (Living-off-the-Land Binaries) and techniques being used by active adversaries do not vary substantially between fast (< 5 days dwell time) and slow (> 5 days dwell time) attacks.
- Active adversaries will innovate when they must, and only to the extent that it gets them to their target.
The report highlights the need for organizations to understand how active adversaries behave and to have visibility across their security ecosystem to detect quickly and respond even faster.
What’s New?
We’re adding new capabilities to the Sophos platform across Sophos XDR, Sophos Firewall, and Sophos NDR that give organizations even greater power to defend against active adversaries:
Sophos Firewall – now with Active Threat Response
Now Available!
The new Active Threat Response feature in Sophos Firewall V20 provides instant and automated response to active adversaries. Sophos XDR and MDR analysts can push threat intel to firewalls directly from Sophos Central, enabling the firewalls to coordinate defenses immediately without the need for manual intervention or new firewall rules.
Sophos NDR – now available for XDR
GA November 20, 2023
Sophos Network Detection and Response (NDR) detects active adversaries moving across an organization’s network between devices. Previously available only as an add-on to Sophos MDR, Sophos NDR is now also available as an add-on to Sophos XDR, for organizations that manage their own detection and response activities.
Sophos XDR – now with expanded third-party compatibility and optimized UX
GA November 20, 2023
We’re significantly expanding the range of third-party tools and products that customers can integrate with Sophos XDR, across endpoint, firewall, cloud, identity, network, email, and productivity categories. Sophos XDR consolidates security data and provides a single console for customers to work from, with optimized workflows that reduce their investigation workload.
Point Products vs. Connected Products and Services That Work Together
Attackers continuously adapt their techniques, and each new approach tends to bring a new point product to defend against it. Disparate tools, however, typically do not communicate well with one another. Sophos provides a unified platform that incorporates a broad portfolio of cybersecurity products and services engineered to work together seamlessly. Because it is also compatible with third-party technologies, Sophos’ connected ecosystem provides automated actions and correlated data, allowing organizations to detect, investigate, and respond to active adversaries faster, across all key attack surfaces.
Elevate your Customers’ Defenses Against Active Adversaries
To learn more and explore how Sophos solutions can help your customers to better defend themselves against active adversaries, check out the updated product collateral for Sophos XDR, Sophos NDR and Sophos Firewall on the Sophos Partner Portal.