Sophos has conducted a study on incident response cases, analyzing the tactics used by cybercriminals. This study reveals concerning findings regarding the absence of telemetry logs, which are often disabled or wiped out by attackers to conceal their activities.


According to Sophos, telemetry logs were missing in almost 42% of the attack cases studied [1]. This is alarming because cybercriminals have been observed disabling or wiping out logs in 82% of the analyzed incident response cases. The study examined 232 incident response cases across 25 sectors from January 2022 to June 2023 [3], providing valuable insights into the strategies employed by active adversaries.

The report classifies ransomware attacks based on dwell time [2], with 38% categorized as “fast attacks” lasting five days or less [2], and the remaining 62% as “slow” attacks with a dwell time exceeding five days [2]. Notably, dwell times have decreased by 44% year on year. The analysis reveals that attackers employ similar tools and techniques in both fast and slow attacks, indicating a consistent approach.

While defenders may not need to completely overhaul their defensive strategies as dwell time decreases [2], they must recognize the potential impact of swift attacks and the absence of logging on response times [2]. The report emphasizes the crucial role of complete and accurate logging in enabling effective remediation [3].


The findings of this study highlight the significance of addressing the issue of missing telemetry logs in incident response cases. Cybercriminals’ actions to disable or wipe out logs pose a serious challenge for defenders. As dwell times decrease [2], defenders must be prepared for swift attacks and understand the implications of limited logging. It is imperative to prioritize the implementation of comprehensive and accurate logging practices to enhance response capabilities and mitigate the impact of cyberattacks in the future.