Hackers Are Logging In, Not Hacking In, in 56% of IR and MDR Cases – Sophos Report

11 Apr 2025

Sophos, a global leader in innovative security solutions for combating cyberattacks, has released its 2025 Sophos Active Adversary Report. This comprehensive study analyzes attacker behavior and tactics from over 400 Managed Detection and Response (MDR) and Incident Response (IR) cases during 2024, revealing critical insights into the evolving landscape of cyber threats.

The report highlights a telling pattern: in 56% of all cases analyzed, attackers gained initial network access through external remote services, including edge devices such as firewalls and VPN gateways, by logging in with valid accounts. In other words, the most common way through the perimeter was not an exploit but a legitimate credential that had been stolen or guessed, which is what the headline means by attackers logging in rather than hacking in.

Compromised credentials were the leading root cause of attacks for the second consecutive year, accounting for 41% of cases, followed by exploited vulnerabilities at 21.79% and brute force attacks at 21.07%. Since a brute-force attack also ends in a successful logon with a valid account, credential-based entry accounts for roughly 62% of cases, and the data underlines how much organizations stand to gain from hardening identity and remote access alongside patching.

Understanding the Speed of Attacks

The report also examines how quickly attackers progress through an intrusion. The Sophos X-Ops team looked specifically at ransomware, data exfiltration and data extortion cases and found that the median time from the start of an attack to data exfiltration was 72.98 hours (about 3.04 days). Detection followed exfiltration by a median of only 2.7 hours; in the typical case, the data had already left the network by the time the attack was noticed.

"Passive security is no longer enough. While prevention is essential, rapid response is critical," stated John Shier, field Chief Information Security Officer (CISO) at Sophos. "Organizations must actively monitor networks and act swiftly against observed telemetry. Coordinated attacks by motivated adversaries require a coordinated defense. Our report confirms that organizations with proactive monitoring detect attacks faster and experience better outcomes."

Other Key Findings from the 2025 Sophos Active Adversary Report:

• Attackers Can Take Control Quickly: The median time between attackers' initial action and their first successful attempt to breach Active Directory (AD) was just 11 hours. Gaining control of AD allows attackers to maneuver more easily within the organization.

• Top Ransomware Groups: The report identified Akira as the most frequently encountered ransomware group in 2024, followed by Fog and LockBit, despite a significant multi-government takedown of LockBit earlier in the year.

• Dwell Time Reduction: Overall dwell time—the period from the start of an attack until detection—dropped from 4 days to just 2 days in 2024, primarily due to the inclusion of MDR cases in the dataset. 

• Stable Dwell Times in IR Cases: Dwell time for ransomware attacks remained stable at 4 days, while non-ransomware cases experienced an 11.5-day dwell time.

• Dwell Times in MDR Cases: MDR investigations showed a significantly shorter dwell time, 3 days for ransomware cases and only 1 day for non-ransomware cases, indicating that continuous monitoring improves detection and response times.

• Ransomware Activity Patterns: Notably, 83% of ransomware binaries were deployed outside local business hours, indicating that attackers often operate when businesses are least prepared.

• Dominance of Remote Desktop Protocol (RDP): RDP was involved in 84% of MDR/IR cases, solidifying its position as the most frequently abused Microsoft tool in cyberattacks.

Recommendations for Enhanced Security

To strengthen their defenses against these evolving threats, Sophos recommends that organizations take the following actions:

• Close Exposed RDP Ports: Do not leave RDP (TCP 3389) reachable from the internet. Restrict it to internal networks or place it behind a VPN or gateway that requires MFA, and audit regularly for hosts that still expose it.

• Implement Phishing-Resistant Multifactor Authentication (MFA): Require MFA on every remote service and privileged account, preferring phishing-resistant methods such as FIDO2/WebAuthn security keys or certificate-based authentication over SMS codes and push prompts, which attackers can intercept or fatigue users into approving.

• Promptly Patch Vulnerable Systems: Prioritize timely patching of internet-facing devices and services, particularly the firewalls and VPN appliances the report identifies as common entry points.

• Deploy EDR or MDR Solutions: Consider implementing Endpoint Detection and Response (EDR) or Managed Detection and Response (MDR) services and ensure they are proactively monitored 24/7.

• Establish a Comprehensive Incident Response Plan: Regularly test the plan through simulations or tabletop exercises to ensure preparedness.
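The report's figures point to one concrete detection worth prioritising: a successful RDP logon with a valid account from an external address, or outside business hours, is exactly the activity behind the 56%, 84% and 83% numbers above. The following Python script is an added example, not code from Sophos or the report. It runs a simplified version of that check over a constructed sample of Windows Security events (event 4624 is a successful logon, logon type 10 is RemoteInteractive, i.e. RDP). The comma-separated event format, the 08:00 to 18:00 business hours and the RFC1918 internal ranges are assumptions to be replaced with the monitored organisation's own.

```python
"""Flag RDP logons that fit the report's pattern: a valid account, used over an
external remote service, often outside business hours.

Added example, not code from the Sophos report. The event format below is a
simplified, constructed stand-in for Windows Security log entries.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample events: local timestamp, event ID, logon type, account, source IP.
# 4624 = successful logon, 4625 = failed logon; logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2024-06-03T09:12:44,4624,10,jdoe,10.20.4.17
2024-06-03T23:41:09,4624,10,svc_backup,185.220.101.45
2024-06-04T02:15:30,4624,10,jdoe,203.0.113.88
2024-06-04T02:16:02,4624,3,jdoe,203.0.113.88
2024-06-04T10:05:11,4625,10,admin,198.51.100.7
2024-06-04T11:30:00,4624,10,jdoe,10.20.4.17
2024-06-08T14:00:00,4624,10,mfinch,192.0.2.9
"""

# Assumed environment parameters; adjust to the organisation being monitored.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
INTERNAL_NETWORKS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPE = 10


@dataclass(frozen=True)
class LogonEvent:
    when: datetime
    event_id: int
    logon_type: int
    account: str
    source_ip: str


def parse_events(text):
    """Parse the simplified comma-separated event lines into LogonEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, source_ip = line.split(",")
        events.append(LogonEvent(datetime.fromisoformat(ts), int(event_id),
                                 int(logon_type), account, source_ip))
    return events


def is_outside_business_hours(when):
    """Weekends, or weekdays outside BUSINESS_START..BUSINESS_END local time."""
    if when.weekday() >= 5:
        return True
    return not (BUSINESS_START <= when.time() < BUSINESS_END)


def is_external(source_ip):
    """True unless the address falls in one of the assumed internal ranges."""
    addr = ip_address(source_ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def find_suspicious_rdp_logons(events):
    """Return (event, reasons) for successful RDP logons that are external, off-hours or both.

    Failed logons and non-RDP logon types are ignored: the aim is to catch the
    attacker who already holds a working credential, not the one still guessing.
    """
    findings = []
    for ev in events:
        if ev.event_id != SUCCESSFUL_LOGON or ev.logon_type != RDP_LOGON_TYPE:
            continue
        reasons = []
        if is_external(ev.source_ip):
            reasons.append("external source")
        if is_outside_business_hours(ev.when):
            reasons.append("outside business hours")
        if reasons:
            findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    for ev, reasons in find_suspicious_rdp_logons(parse_events(SAMPLE_EVENTS)):
        print(f"{ev.when:%Y-%m-%d %H:%M} {ev.account:<12} {ev.source_ip:<16} {', '.join(reasons)}")
```

Run against the sample, the script flags three of the six successful logons: the service account at 23:41, the 02:15 logon from an external address and the Saturday afternoon logon; the failed attempt and the network (type 3) logon are deliberately ignored. In production the same logic would be fed from the Security event log or a SIEM, and hits should be correlated with each account's usual hours and locations before alerting. None of the flagged logons is a fault in RDP itself: they are the valid-account pattern the report describes, which is why MFA on the remote-access path matters more than any single patch.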

As cyber threats continue to evolve, understanding attacker behaviors and implementing proactive security measures is essential for organizations aiming to safeguard their digital infrastructure. The 2025 Sophos Active Adversary Report serves as a timely reminder of the need for vigilance in an increasingly complex cyber landscape.
