Sophos has released its 2025 Active Adversary Report, which analyzes cybercriminal behavior based on data from over 400 Managed Detection and Response (MDR) and Incident Response (IR) cases in 2024. The report highlights that 56% of initial intrusions occurred through the exploitation of external remote services, such as firewalls and VPNs, using legitimate credentials rather than traditional break-in methods.
Key Findings from the Report
🔹 Compromised Credentials: The Leading Cause of Attacks
For the second consecutive year, the primary root cause of cyberattacks was stolen or compromised credentials (41%). Other significant causes included exploited vulnerabilities (21.79%) and brute-force attacks (21.07%).
🔹 Attackers Move Faster Than Ever
Sophos X-Ops analyzed attack timelines and found that:
- Median time from initial access to data exfiltration: 72.98 hours (3.04 days)
- Median time from exfiltration to detection: 2.7 hours
- Attackers take control of systems quickly: the median time to breach Active Directory (AD) was just 11 hours, allowing them to seize control of an organization.
🔹 Ransomware Trends and Dwell Time
- Top Ransomware Groups: Akira was the most frequently encountered ransomware group in 2024, followed by Fog and LockBit.
- Overall Dwell Time: Cybercriminals remained undetected for an average of 2 days, down from 4 days in previous years, indicating improved detection.
- Dwell Time in Different Attack Cases:
  - Ransomware Cases: 4 days in IR investigations, 3 days in MDR cases
  - Non-Ransomware Cases: 11.5 days in IR, but just 1 day in MDR cases
Recommendations for Stronger Cybersecurity
To mitigate these threats, Sophos advises organizations to:
✅ Close exposed RDP ports to prevent unauthorized remote access
✅ Implement phishing-resistant MFA to safeguard user credentials
✅ Patch vulnerable systems promptly, especially internet-facing devices
✅ Deploy EDR/MDR with 24/7 proactive monitoring to detect threats early
✅ Develop and test an incident response plan to ensure swift action in case of an attack
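The first recommendation, closing exposed RDP ports, is easy to state and easy to get wrong in practice: a rule that allows 3389 from an internal management range is fine, while the same rule scoped to 0.0.0.0/0 or to an arbitrary public range is exactly the exposure the report warns about. The following audit script is an added example, not code from Sophos or from the report; it checks a list of firewall rules for remote-service ports reachable from outside private address space. The rule text format ("allow tcp 3389 from 0.0.0.0/0"), the port-to-service map, and the set of trusted (RFC 1918 plus loopback) ranges are all assumptions constructed for this example and should be replaced with your own export and policy.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: which ports count as "external remote services" in your environment.
# 3389 (RDP) is the one the report singles out; SSH and VNC are added as illustrations.
REMOTE_SERVICE_PORTS = {3389: "RDP", 22: "SSH", 5900: "VNC"}

# Assumption: source ranges considered internal. Anything not fully inside one of
# these is treated as internet-reachable. Extend with your own VPN/management ranges.
TRUSTED_RANGES = [
    ipaddress.ip_network(c)
    for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


@dataclass
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp" or "udp"
    port: int     # destination port
    source: str   # source CIDR


def parse_rule(line: str) -> Rule:
    """Parse one rule in the constructed format 'allow tcp 3389 from 0.0.0.0/0'."""
    parts = line.split()
    if len(parts) != 5 or parts[3].lower() != "from":
        raise ValueError(f"unparseable rule: {line!r}")
    action, proto, port, _, source = parts
    # Validate the CIDR early so a typo in the export fails loudly, not silently.
    ipaddress.ip_network(source, strict=False)
    return Rule(action.lower(), proto.lower(), int(port), source)


def is_internet_exposed(cidr: str) -> bool:
    """True unless the whole source range sits inside one trusted (internal) range."""
    net = ipaddress.ip_network(cidr, strict=False)
    for trusted in TRUSTED_RANGES:
        if net.version == trusted.version and net.subnet_of(trusted):
            return False
    return True


def find_exposed_remote_services(rule_lines):
    """Return human-readable findings for allow rules that expose a remote-service port."""
    findings = []
    for line in rule_lines:
        rule = parse_rule(line)
        if rule.action != "allow" or rule.port not in REMOTE_SERVICE_PORTS:
            continue
        if is_internet_exposed(rule.source):
            service = REMOTE_SERVICE_PORTS[rule.port]
            findings.append(f"{service} ({rule.proto}/{rule.port}) allowed from {rule.source}")
    return findings


# Constructed sample rule set: one safe RDP rule, one exposed RDP rule, one SSH rule
# open to a public range, a deny rule (ignored), and HTTPS (not a remote-service port).
SAMPLE_RULES = [
    "allow tcp 443 from 0.0.0.0/0",
    "allow tcp 3389 from 0.0.0.0/0",
    "allow tcp 3389 from 10.20.0.0/16",
    "allow tcp 22 from 203.0.113.0/24",
    "deny tcp 3389 from 0.0.0.0/0",
]

if __name__ == "__main__":
    for finding in find_exposed_remote_services(SAMPLE_RULES):
        print("EXPOSED:", finding)
```

Run against the sample set, the script reports the RDP rule open to 0.0.0.0/0 and the SSH rule open to a public /24, and stays silent on the RDP rule scoped to 10.20.0.0/16. The same check is worth running after every firewall change, since the report attributes most initial access to credential use against exactly these exposed services rather than to novel exploitation.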

“Passive security is no longer enough,” said John Shier, Field CISO at Sophos. “Organizations need continuous monitoring and rapid response to stay ahead of cybercriminals.”
📢 What cybersecurity strategies is your organization prioritizing in 2025? Share your thoughts below! ⬇️
#Cybersecurity #Sophos #MDR #EDR #CyberThreats #Infosec #Ransomware #ITSecurity