50? 500 or 5,000? One cybersecurity firm’s incident response data showed that unpatched vulnerabilities and LOLBins were most commonly exploited

In analyzing 152 international incident response cases from 2022, a cybersecurity firm identified more than 500 unique tools and techniques used in cyber incidents, including 118 “Living off the Land” binaries (LOLBins).

Unlike malware, LOLBins are legitimate executables that ship with the operating system, which makes them much harder for defenders to block when attackers abuse them for malicious activity.

In addition, the analysis showed that unpatched vulnerabilities were the most common root cause of attackers gaining initial access to targeted systems. The second most common root cause was compromised credentials.

Other findings

While ransomware still dominated the threat landscape in the period of analysis, attacker dwell time had decreased from 15 to 10 days, for all attack types. For ransomware cases, the dwell time had decreased from 11 to nine days, while the decrease was even greater for non-ransomware attacks: the dwell time for the latter had declined from 34 days in 2021 to just 11 days in 2022.

However, unlike in past years of incident analyses, there was no significant variation in dwell time between organizations of different sizes or sectors in 2022.

Another finding from the data was that 68% of the incidents investigated involved ransomware, demonstrating that ransomware remained one of the most pervasive threats.

Said John Shier, field CTO of the firm publicising its findings: “When today’s attackers aren’t breaking in, they’re logging in. The reality is that the threat environment has grown in volume and complexity to the point where there are no discernible gaps for defenders to exploit. For most organizations, the days of going at it alone are well behind them. However, there are tools and services available to businesses that can alleviate some of the defensive burden, allowing them to focus on their core business priorities.”

Shier recommended that organizations implement “layered defenses with constant monitoring” to put pressure on adversaries, forcing them to move faster to complete their attacks. “The race between attackers and defenders will continue to escalate and those without proactive monitoring will suffer the greatest consequences,” Shier opined.