
Attackers continue to target external remote services such as firewalls and VPNs: 56% of all MDR and IR cases involved the use of valid credentials to access such services.
This is according to the 2025 Sophos Active Adversary Report.
For the second year in a row, compromised credentials retain the top spot as the leading cause of attacks, at 41% of cases, followed by exploited vulnerabilities [21.79%] and brute-force attacks [21.07%].
This shows how keen attackers are to obtain valid credentials, whether through sophisticated phishing or password attacks, in order to break into external remote services.
The report details attacker behavior and techniques from over 400 Managed Detection and Response [MDR] and Incident Response [IR] cases in 2024.
The Sophos X-Ops team, when analyzing MDR and IR investigations, looked specifically at ransomware, data exfiltration, and data extortion cases to identify how fast attackers progressed through the stages of an attack within an organization.
In those three types of cases, the median time between the start of an attack and exfiltration was only 72.98 hours [3.04 days]. Furthermore, there was only a median of 2.7 hours from exfiltration to attack detection.
“Passive security is no longer enough. While prevention is essential, rapid response is critical. Organizations must actively monitor networks and act swiftly against observed telemetry. Coordinated attacks by motivated adversaries require a coordinated defense. For many organizations, that means combining business-specific knowledge with expert-led detection and response. Our report confirms that organizations with proactive monitoring detect attacks faster and experience better outcomes,” said John Shier, field CISO.
The report further reveals that attackers can move quickly, with a median of just 11 hours between initial access and a breach attempt on Active Directory, a critical asset in Windows environments.
Akira emerged as the most prevalent ransomware group in 2024, followed by Fog and LockBit, the latter still active despite a major takedown.
Attack detection has improved overall, with dwell time—the time attackers remain undetected—dropping from 4 days to just 2, thanks largely to the inclusion of MDR (Managed Detection and Response) cases.
Dwell time varied depending on the type of case: it held steady at 4 days for ransomware and 11.5 days for non-ransomware cases in incident response (IR) investigations.
In contrast, MDR cases showed much faster response times—3 days for ransomware and just 1 day for non-ransomware attacks.
The report also highlights that 83% of ransomware deployments occurred outside local business hours, showing attackers favor overnight activity.
Additionally, Remote Desktop Protocol (RDP) was exploited in 84% of cases, making it the most commonly abused Microsoft tool.
Security Recommendations from Sophos
To strengthen cybersecurity posture, Sophos advises organizations to take several key steps:
- Close any exposed Remote Desktop Protocol (RDP) ports.
- Implement phishing-resistant multifactor authentication (MFA) wherever feasible to reduce unauthorized access risks.
- Prioritize timely patching of vulnerable systems, especially those exposed to the internet.
- Deploy Endpoint Detection and Response (EDR) or Managed Detection and Response (MDR) solutions with 24/7 monitoring.
- Have a well-defined incident response plan and test it regularly through simulations or tabletop exercises.
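Two of the report's findings above (83% of ransomware deployments happened outside local business hours, and RDP was abused in 84% of cases) combine with the recommendation for round-the-clock monitoring into a simple, high-value detection: surface successful RDP logons that occur outside business hours, and triage those from outside the organisation's address space first. The Python script below is an added example, not Sophos's tooling or anything taken from the report. The log records are constructed, the business-hours window (Monday to Friday, 08:00 to 18:00 local time) and the field names are assumptions, and "internal" is defined here as the RFC 1918 and loopback ranges; only Event ID 4624 (successful logon) with LogonType 10 (RemoteInteractive, which Windows records for RDP sessions) are facts about Windows logging.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample of Windows Security log records (hypothetical, not real
# telemetry). Event ID 4624 is a successful logon; LogonType 10
# (RemoteInteractive) is what Windows records for RDP sessions.
# Timestamps are assumed to be the host's local time. The RFC 5737
# documentation addresses stand in for internet-sourced connections.
SAMPLE_EVENTS = [
    {"time": "2024-03-04T09:12:44", "event_id": 4624, "logon_type": 10,
     "user": "alice", "src_ip": "10.0.5.21"},             # Monday, in hours
    {"time": "2024-03-04T23:41:03", "event_id": 4624, "logon_type": 10,
     "user": "svc-backup", "src_ip": "203.0.113.45"},     # Monday night, external
    {"time": "2024-03-05T02:15:30", "event_id": 4624, "logon_type": 10,
     "user": "administrator", "src_ip": "198.51.100.7"},  # Tuesday 02:15, external
    {"time": "2024-03-05T10:02:11", "event_id": 4624, "logon_type": 2,
     "user": "bob", "src_ip": "-"},                       # console logon, not RDP
    {"time": "2024-03-09T14:30:00", "event_id": 4624, "logon_type": 10,
     "user": "carol", "src_ip": "10.0.5.33"},             # Saturday, internal
    {"time": "2024-03-05T03:00:00", "event_id": 4625, "logon_type": 10,
     "user": "administrator", "src_ip": "198.51.100.7"},  # failed logon, ignored here
]

# Assumed business-hours window: Monday to Friday, 08:00 to 18:00 local time.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
BUSINESS_DAYS = {0, 1, 2, 3, 4}  # datetime.weekday(): Monday=0 ... Friday=4

# Assumed internal address space: RFC 1918 plus loopback. Adjust to the
# organisation's real ranges; anything else is treated as external.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
    ip_network("127.0.0.0/8"),
]


def is_off_hours(timestamp: str, start: time = BUSINESS_START,
                 end: time = BUSINESS_END) -> bool:
    """True if an ISO-8601 local timestamp falls on a weekend or outside start..end."""
    ts = datetime.fromisoformat(timestamp)
    if ts.weekday() not in BUSINESS_DAYS:
        return True
    return not (start <= ts.time() < end)


def is_external_source(src_ip: str) -> bool:
    """True when the address parses and lies outside INTERNAL_NETS.
    Unparseable values (Windows logs '-' for local logons) count as not external."""
    try:
        addr = ip_address(src_ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def find_off_hours_rdp_logons(events: list[dict]) -> list[dict]:
    """Select successful RDP logons (4624 / LogonType 10) outside business hours.
    Each hit records whether the source is external so a defender can triage
    internet-sourced RDP sessions first."""
    hits = []
    for ev in events:
        if ev["event_id"] != 4624 or ev["logon_type"] != 10:
            continue
        if not is_off_hours(ev["time"]):
            continue
        hits.append({
            "time": ev["time"],
            "user": ev["user"],
            "src_ip": ev["src_ip"],
            "external_source": is_external_source(ev["src_ip"]),
        })
    return hits


def summarize(hits: list[dict]) -> dict:
    """Total and external counts plus a per-source tally of off-hours RDP logons."""
    per_source: dict[str, int] = {}
    for h in hits:
        per_source[h["src_ip"]] = per_source.get(h["src_ip"], 0) + 1
    return {
        "total": len(hits),
        "external": sum(1 for h in hits if h["external_source"]),
        "per_source": per_source,
    }


if __name__ == "__main__":
    found = find_off_hours_rdp_logons(SAMPLE_EVENTS)
    for h in found:
        flag = "EXTERNAL" if h["external_source"] else "internal"
        print(f"{h['time']}  {h['user']:<14} {h['src_ip']:<15} {flag}")
    print(summarize(found))
```

On the constructed sample the script flags three off-hours RDP logons (svc-backup and administrator from external addresses, carol from an internal one on a Saturday) and skips the console logon and the failed attempt. In practice the same logic runs over exported Security log events or a SIEM query; the failed-logon events (4625) that this example ignores are worth a separate brute-force rule, and any hit from an external address is also evidence that an RDP port is exposed, which the first recommendation above says should not be the case.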