SophosLabs – Tech | Business | Economy (https://techeconomy.ng)

Sophos XDR Excels in MITRE ATT&CK Evaluations – Enterprise
https://techeconomy.ng/sophos-xdr-excels-in-mitre-attck-evaluations-enterprise/
Tue, 17 Dec 2024 16:55:26 +0000

Sophos, a global leader in innovative security solutions for defeating cyberattacks, has announced its strong results in the 2024 MITRE ATT&CK Evaluations: Enterprise.

According to the report, Sophos XDR detected 100% of the adversary behaviours in attack scenarios targeting Windows and Linux platforms, mimicking malware strains from ruthless ransomware-as-a-service gangs LockBit and CL0P.

Further, all of Sophos’ responses to these ransomware attack scenarios were marked “technique” – the highest possible rating that denotes who, what, when, where, why and how attacks were carried out.

Sophos XDR achieved:

  • ‘Analytic coverage’ ratings for 99% of sub-steps (79 out of 80) across three comprehensive attack scenarios
  • Highest possible (‘Technique’) ratings for 98% of sub-steps (78 out of 80)
  • Highest possible (‘Technique’) ratings for 100% of sub-steps in the Windows and Linux ransomware attack scenarios

“Attackers are relentless in innovating techniques to bypass trusted security defenses. This assessment from MITRE helps security buyers evaluate the effectiveness against today’s threats,” said Simon Reed, chief research and scientific officer at Sophos. “Sophos is committed to transparency and conducting third-party measurement to help security buyers make informed decisions to strengthen their security posture. We’re proud of Sophos XDR’s ongoing excellence both in industry testing and real-world frontline defenses. We’re consistently evolving our solutions, just like attackers are constantly evolving their tactics, so our customers can stop known and unknown threats before they escalate into destructive attacks.”

MITRE ATT&CK Evaluations are among the world’s most respected independent security tests. This round of MITRE ATT&CK Evaluations: Enterprise evaluated the abilities of 19 vendors in detecting and analyzing attack tactics, techniques, and procedures (TTPs) leveraged by real-world adversarial groups.

In this cycle, MITRE also expanded ATT&CK Evaluations to include macOS attacks emulating tactics from the Democratic People’s Republic of Korea – where 19 out of 21 Sophos XDR detections were also categorized as “technique” – the highest possible rating.

Sophos XDR combines several active adversary mitigations to prevent and stop attacks: industry-first Adaptive Attack Protection, which immediately activates heightened defenses when a hands-on-keyboard attack is detected, stopping the attack and giving defenders valuable additional time to respond; anti-ransomware technology; deep learning artificial intelligence; and exploit prevention.

It is powered by Sophos X-Ops threat intelligence, a cross-operational task force of more than 500 security experts within SophosLabs, Sophos SecOps, and SophosAI.


[Disclaimer: MITRE does not rank or rate participants]

Sophos Named a Leader in the 2024 IDC MarketScape for Worldwide Modern Endpoint Security
https://techeconomy.ng/sophos-named-a-leader-in-the-2024-idc-marketscape-for-worldwide-modern-endpoint-security/
Sat, 10 Feb 2024 11:12:20 +0000

Sophos, a global leader in innovating and delivering cybersecurity as a service, has announced its recognition as a Leader in the IDC MarketScape: Worldwide Modern Endpoint Security for Midsize Businesses 2024 Vendor Assessment, which evaluates the solutions and business strategies of 16 modern endpoint security (MES) vendors.

Sophos Endpoint defends more than 300,000 organizations worldwide against advanced attacks with anti-ransomware, anti-exploitation, behavioural analysis, and other technologies that stop threats before they escalate.

In the report, IDC applauds Sophos Endpoint for including “a more expansive set of protection technologies (host-based firewall and IDS/IPS, device control, DLP, and encryption) as standard features in its endpoint security offering.”

In addition, “in the discipline of systematically strengthening customers’ security posture, Sophos has a strong set of features in customer security advisory recently enhanced with an account health-checking feature (detecting and remediating security configuration drift).”

The report also praises Sophos for adding “several new capabilities: adaptive attack protection, critical attack warning and data protection and recovery” to further mitigate risks.

With an extensive and expanding range of integrated capabilities spanning protection, detection, response, and recovery, Sophos Endpoint integrates seamlessly with both Sophos products and those of other vendors, including Sophos Managed Detection and Response (MDR), the most widely used MDR offering.

Sophos Endpoint is also the foundation for Sophos Extended Detection and Response (XDR) and Sophos Endpoint Detection and Response (EDR) capabilities.

“We’ve strategically engineered our products and services to work together and with third-party systems to create comprehensive, preventive and highly actionable defenses,” said Rob Harrison, senior vice president of product management at Sophos. “We’re also committed to innovation, which is critical for consistent protection against aggressive and determined cybercriminals. Sophos Endpoint protections, specifically Sophos Intercept X, continue to be recognized as industry-leading, which reflects our innovative approach to developing defenses against the latest and anticipated attacker tactics, techniques and procedures, including the recent increase in the deliberate use of remote ransomware to evade detection.”

“Adaptive attack protection, introduced in early 2023, is a demonstration of Sophos’ means to disrupt hands-on-keyboard attackers while minimizing potential disruption to legitimate operations. Tuned to detect attackers pivoting to more aggressive tactics, protection sensitivity is automatically elevated to prevent damage. Once the malicious activity is no longer present, normal protections are automatically reestablished. Sophos critical attack warning alerts security personnel when immediate attack responses are necessary. Responses, estate wide if warranted, can be orchestrated through Sophos MDR, incident response (IR) or XDR. The prevalence of ransomware attacks compels organizations to be prepared to recover,” said the IDC report.

“With their professional and managed security services, expanded product set, and ability to integrate with existing security investments, it’s clear that Sophos understands the needs and challenges of a midsize business,” said Michael Suby, research vice president, Security & Trust, IDC. “Sophos’s comprehensive approach from prevention through recovery places Sophos on the shortlist of midsize businesses looking for an established and effective partner for security.”

Managed in the cloud-native Sophos Central platform, Sophos’ portfolio solutions are part of the Sophos Adaptive Cybersecurity Ecosystem, where security data is collected, correlated and enriched with additional context to enable automatic and synchronized responses to active threats.

This platform is further optimized by Sophos X-Ops threat intelligence, a cross-operational task force of more than 500 security experts within SophosLabs, Sophos SecOps and SophosAI.

Sophos 2023 Threat Report Details How Cyberthreat Landscape Reached a New Level of Commercialization
https://techeconomy.ng/sophos-2023-threat-report-details-how-cyberthreat-landscape-reached-a-new-level-of-commercialization/
Mon, 21 Nov 2022 12:29:23 +0000

Sophos, a global leader in innovating and delivering cybersecurity as a service, has published its 2023 Threat Report.

The report details how the cyberthreat landscape has reached a new level of commercialization and convenience for would-be attackers, with nearly all barriers to entry for committing cybercrime removed through the expansion of cybercrime-as-a-service.

The report also addresses how ransomware remains one of the greatest cybercrime threats to organizations with operators innovating their extortion tactics, as well as how demand for stolen credentials continues to grow.

Criminal underground marketplaces like Genesis have long made it possible to buy malware and malware deployment services (“malware-as-a-service”), as well as to sell stolen credentials and other data in bulk. Over the last decade, with the increasing popularity of ransomware, an entire “ransomware-as-a-service” economy sprung up. Now, in 2022, this “as-a-service” model has expanded, and nearly every aspect of the cybercrime toolkit—from initial infection to ways to avoid detection—is available for purchase.

[Photo: Sean Gallagher, principal threat researcher, Sophos]

“This isn’t just the usual fare, such as malware, scamming and phishing kits for sale,” said Sean Gallagher, principal threat researcher, Sophos. “Higher-rung cybercriminals are now selling tools and capabilities that once were solely in the hands of some of the most sophisticated attackers as services to other actors. For example, this past year, we saw advertisements for OPSEC-as-a-service where the sellers offered to help attackers hide Cobalt Strike infections, and we saw scanning-as-a-service, which gives buyers access to legitimate commercial tools like Metasploit, so that they can find and then exploit vulnerabilities. The commoditization of nearly every component of cybercrime is impacting the threat landscape and opening up opportunities for any type of attacker with any type of skill level.”

With the expansion of the “as-a-service” economy, underground cybercriminal marketplaces are also becoming increasingly commodified and are operating like mainstream businesses. Cybercrime sellers are not just advertising their services but are also listing job offers to recruit attackers with distinct skills. Some marketplaces now have dedicated help-wanted pages and recruiting staff, while job seekers are posting summaries of their skills and qualifications.

“Early ransomware operators were rather limited in how much they could do because their operations were centralized; group members were carrying out every aspect of an attack. But as ransomware became hugely profitable, they looked for ways to scale their productions. So, they began outsourcing parts of their operations, creating an entire infrastructure to support ransomware. Now, other cybercriminals have taken a cue from the success of this infrastructure and are following suit,” said Gallagher.

Indeed, as the cybercrime infrastructure has expanded, ransomware has remained highly popular—and highly profitable. Over the past year, ransomware operators have worked on expanding their potential attack surface by targeting platforms other than Windows, while also adopting newer languages such as Rust and Go to avoid detection. Some groups, most notably Lockbit 3.0, have been diversifying their operations and creating more “innovative” ways to extort victims.

[Image: Sophos 2023 Threat Report]

“When we talk about the growing sophistication of the criminal underground, this extends to the world of ransomware. For example, Lockbit 3.0 is now offering bug bounty programs for its malware and ‘crowd-sourcing’ ideas to improve its operations from the criminal community. Other groups have moved to a ‘subscription model’ for access to their leak data and others are auctioning it off. Ransomware has become, first and foremost, a business,” said Gallagher.

The evolving economics of the underground has not only incentivized the growth of ransomware and the “as-a-service” industry, but also increased the demand for credential theft. With the expansion of web services, various types of credentials, especially cookies, can be used in numerous ways to gain a deeper foothold in networks, even bypassing MFA. Credential theft also remains one of the easiest ways for novice criminals to gain access to underground marketplaces and begin their “career.”

Sophos also analyzed the following trends:

  • The war in Ukraine had global repercussions for the cyberthreat landscape. Immediately following the invasion, there was an explosion of financially motivated scams, while nationalism led to a shake-up of criminal alliances between Ukrainians and Russians, particularly among ransomware affiliates.

  • Criminals continue to exploit legitimate executables and utilize “living off the land binaries” (LOLBins) to launch various types of attacks, including ransomware. In some cases, attackers deploy legitimate but vulnerable system drivers in “bring your own driver” attacks to attempt to shut down endpoint detection and response products to evade detection.

  • Mobile devices are now at the center of new types of cybercrimes. Not only are attackers still using fake applications to deliver malware injectors, spyware and banking-associated malware, but newer forms of cyberfraud have been growing in popularity, such as “pig butchering” schemes. And this crime is no longer just affecting Android users, but iOS users as well.

  • The devaluation of Monero, one of the most popular cryptocurrencies for cryptominers, led to a decrease in one of the oldest and most popular types of cryptocrime—cryptomining. But mining malware continues to spread through automated “bots” on both Windows and Linux systems.

To learn more about the changing threat landscape in 2022 and what it means for security teams in 2023, read the full Sophos 2023 Threat Report.

The Sophos 2023 Threat Report consists of research and insights from Sophos X-Ops, a new, cross-operational unit that links three established teams of cybersecurity experts at Sophos (SophosLabs, Sophos SecOps, and Sophos AI).

Sophos X-Ops includes more than 500 cybersecurity experts worldwide uniquely equipped to offer a complete, multi-disciplinary picture of an increasingly complex threat landscape.

To learn more about daily cyberattacks and TTPs, follow Sophos X-Ops on Twitter and subscribe to receive current threat research and security operations articles and reports from the frontlines of cybersecurity.

Sophos X-Ops Debuts to Better Tackle Complex Cyberattacks
https://techeconomy.ng/sophos-x-ops-debuts-to-better-tackle-complex-cyberattacks/
Thu, 21 Jul 2022 17:25:31 +0000

Sophos, a global leader in next-generation cybersecurity, today announced Sophos X-Ops, a new cross-operational unit linking SophosLabs, Sophos SecOps and Sophos AI, three established teams of cybersecurity experts at Sophos, to help organizations better defend against constantly changing and increasingly complex cyberattacks.

Sophos X-Ops leverages the predictive, real-time, real-world, and deeply researched threat intelligence from each group, which, in turn, collaborate to deliver stronger, more innovative protection, detection and response capabilities.

Sophos today is also issuing “OODA: Sophos X-Ops Takes on Burgeoning SQL Server Attacks,” research about increased attacks against unpatched Microsoft SQL servers and how attackers used a fake downloading site and grey-market remote access tools to distribute multiple ransomware families.

Sophos X-Ops identified and thwarted the attacks because the Sophos X-Ops teams combined their respective knowledge of the incidents, jointly analyzed them, and took action to quickly contain and neutralize the adversaries.

“Modern cybersecurity is becoming a highly interactive team sport, and as the industry has matured, necessary analysis, engineering and investigative specializations have emerged. Scalable end-to-end operations now need to include software developers, automation engineers, malware analysts, reverse engineers, cloud infrastructure engineers, incident responders, data engineers and scientists, and numerous other experts, and they need an organizational structure that avoids silos,” said Joe Levy, chief technology and product officer, Sophos.

[Photo: Joe Levy, chief technology and product officer, Sophos]

Levy, continuing, said: “We’ve unified three globally recognized and mature teams within Sophos to provide this breadth of critical, subject matter and process expertise. Joined together as Sophos X-Ops, they can leverage the strengths of each other, including analysis of worldwide telemetry from more than 500,000 customers, industry-leading threat hunting, response and remediation capabilities, and rigorous artificial intelligence to measurably improve threat detection and response. Attackers are often too organized and too advanced to combat without the unique combined expertise and operational efficiency of a joint task force like Sophos X-Ops.”

Speaking in March 2022 to the Detroit Economic Club about the FBI partnering with the private sector to counter the cyber threat, FBI Director Christopher Wray said, “What partnership lets us do is hit our adversaries at every point, from the victims’ networks back all the way to the hackers’ own computers, because when it comes to the FBI’s cyber strategy, we know trying to stand in the goal and block shots isn’t going to get the job done.

“We’re disrupting three things: the threat actors, their infrastructure and their money. And we have the most durable impact when we work with all of our partners to disrupt all three together.” Sophos X-Ops is taking a similar approach: gathering and operating on threat intelligence from its own multidisciplinary groups to help stop attackers earlier, preventing or minimizing the harms of ransomware, espionage or other cybercrimes that can befall organizations of all types and sizes, and working with law enforcement to neutralize attacker infrastructure. While Sophos’ internal teams already share information as a matter of course, the formal creation of Sophos X-Ops drives forward a faster, more streamlined process necessary to counter equally fast-moving adversaries.

“Effective cybersecurity requires robust collaboration at all levels, both internally and externally; it is the only way to discover, analyze and counter malicious cyber actors at speed at scale. Combining these separate teams into Sophos X-Ops shows that Sophos understands this principle and is acting on it,” said Michael Daniel, president and CEO, Cyber Threat Alliance.

Sophos X-Ops also provides a stronger cross-operational foundation for innovation, an essential component of cybersecurity due to the aggressive advancements in organized cybercrime. By intertwining the expertise of each group, Sophos is pioneering the concept of an artificial intelligence (AI) assisted Security Operations Center (SOC), which anticipates the intentions of security analysts and provides relevant defensive actions.

In the SOC of the future, Sophos believes this approach will dramatically accelerate security workflows and the ability to more quickly detect and respond to novel and priority indicators of compromise.

[Image: Sophos launches X-Ops]

“The adversary community has figured out how to work together to commoditize certain parts of attacks while simultaneously creating new ways to evade detection and taking advantage of weaknesses in any software to mass exploit it. The Sophos X-Ops umbrella is a noted example of stealing a page from the cyber miscreants’ tactics by allowing cross-collaboration amongst different internal threat intelligence groups,” said Craig Robinson, IDC research vice president, Security Services. “Combining the ability to cut across a wide breadth of threat intelligence expertise with AI assisted features in the SOC allows organizations to better predict and prepare for imminent and future attacks.”
