Sophos Releases 2025 Active Adversary Report
Sophos has published its 2025 Active Adversary Report, analysing attacker behaviour and techniques observed across more than 400 Managed Detection and Response (MDR) and Incident Response (IR) cases in 2024. The findings highlight continued reliance on external remote services and valid accounts as primary methods of initial network access.
Primary Access Methods and Root Causes
In 56% of the analysed incidents, attackers gained entry by exploiting external remote services, including edge devices such as firewalls and VPNs. In many of these cases, attackers used valid credentials, allowing them to bypass standard authentication mechanisms.
This trend is reflected in the root causes of attacks:
- Compromised credentials were the leading cause for the second consecutive year, responsible for 41% of incidents.
- Exploited vulnerabilities accounted for 21.79% of cases.
- Brute force attacks made up 21.07% of incidents.
Attack Timelines: Speed of Ransomware and Data Theft
Sophos X-Ops analysed attack timelines in ransomware, data exfiltration, and extortion cases to assess how quickly adversaries move through their attack chain.
- The median time from initial access to data exfiltration was 72.98 hours (3.04 days).
- The median time from exfiltration to detection was just 2.7 hours, indicating limited time for response after data is compromised.
The report provides insights into how attackers leverage remote access services and valid credentials to accelerate their operations, emphasizing the need for organizations to enhance identity management, patch external-facing systems, and improve detection capabilities for lateral movement and exfiltration activities.
“Passive security is no longer enough. While prevention is essential, rapid response is critical. Organisations must actively monitor networks and act swiftly against observed telemetry. Coordinated attacks by motivated adversaries require a coordinated defense. For many organizations, that means combining business-specific knowledge with expert-led detection and response. Our report confirms that organisations with proactive monitoring detect attacks faster and experience better outcomes,” said John Shier, field CISO.
Sophos 2025 Active Adversary Report: Key Insights on Attack Timelines, Ransomware Trends, and Defense Recommendations
Sophos has released additional findings from its 2025 Active Adversary Report, offering a detailed analysis of adversary behaviours and trends based on over 400 Managed Detection and Response (MDR) and Incident Response (IR) investigations conducted in 2024.
Key Observations from the Report
- Rapid Escalation to Critical Assets: The median time between initial attacker activity and an attempt to compromise Active Directory (AD) was 11 hours. Successful AD breaches provide attackers with broad access across an organization's network.
- Most Active Ransomware Groups: Akira emerged as the most frequently observed ransomware group in 2024, followed by Fog and LockBit. The presence of LockBit remained significant despite international law enforcement actions targeting the group earlier in the year.
- Overall Dwell Time Decreases: The median dwell time—the period between the start of an attack and its detection—declined from 4 days in 2023 to 2 days in 2024, driven largely by the inclusion of MDR case data.
- Dwell Time by Case Type:
  - Incident Response (IR): ransomware cases 4 days; non-ransomware cases 11.5 days
  - Managed Detection and Response (MDR): ransomware cases 3 days; non-ransomware cases 1 day
  The reduced dwell times in MDR cases suggest improved detection and faster response by MDR teams.
- Timing of Ransomware Deployment: In 2024, 83% of ransomware binaries were deployed outside of normal business hours, highlighting attackers' preference for operating during periods of reduced oversight.
- Abuse of Remote Desktop Protocol (RDP): RDP was involved in 84% of all MDR and IR cases, making it the most commonly misused Microsoft tool by threat actors.
Recommendations for Strengthening Cybersecurity Posture
Sophos recommends that organisations take the following measures to mitigate risk:
- Close exposed RDP ports to reduce unauthorised remote access.
- Implement phishing-resistant multifactor authentication (MFA).
- Patch internet-facing systems and services promptly, focusing on known vulnerabilities.
- Deploy Endpoint Detection and Response (EDR) or Managed Detection and Response (MDR) solutions with 24/7 proactive monitoring.
- Develop and regularly test a comprehensive incident response plan using simulation or tabletop exercises.
The findings emphasise the need for swift detection, layered defences, and consistent cybersecurity hygiene to counter increasingly agile and persistent threat actors.