IT Brief UK - Technology news for CIOs & IT decision-makers

Sophos report highlights urgency of active cyber defence

Yesterday

Sophos has published its 2025 Active Adversary Report, offering significant insights into the tactics employed by cyberattackers that IT channel partners and chief information security officers (CISOs) should consider.

The report highlights that the principal method attackers used to gain initial network access was logging into external remote services, such as VPNs and firewalls, with valid credentials, comprising 56% of the cases analysed.

Credential compromise continues to be a primary concern, cited as the root cause in 41% of the attacks for the second consecutive year. To mitigate risk, Sophos recommends prioritising multifactor authentication (MFA), identity threat detection and response (ITDR), and zero-trust security strategies.

The report underscores the urgency of swift response times to cyber threats. Attackers reached the victim's Active Directory (AD) environment a median of 11 hours after initial access, and ransomware deployment and data exfiltration were typically complete within about three days. Managed Detection and Response (MDR) services are highlighted as crucial for improving security posture, particularly for organisations lacking a robust in-house security operations centre.

It was found that 83% of ransomware incidents occurred outside normal business hours, reinforcing the necessity for round-the-clock security monitoring. This observation presents a compelling argument for MDR and managed security services.
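The two findings above (initial access through external remote services with valid credentials, and ransomware activity concentrated outside business hours) point at a detection that a security team can run even without an MDR provider: treat a successful remote-service login as suspicious when it lands outside working hours or comes from a source address that account has never used. The following Python is an added illustration written for this article, not code from Sophos or from the report; the VPN log line format, the business-hours window (08:00 to 18:00 on weekdays) and the sample log lines are all constructed assumptions.

```python
"""Flag successful remote-service logins that deserve analyst attention.

Added example; not from the Sophos report or this article. It parses a
handful of constructed VPN authentication log lines in an assumed
syslog-like layout and flags successful logins that occur outside
business hours or from a source address the account has not used in the
baseline window. The log layout, the hours and the sample data are
assumptions made for the example.
"""
import re
from datetime import datetime, time

# Assumed log line layout: "<ISO timestamp> vpn auth <result> user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth (?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Assumed working hours; weekends are always treated as out of hours.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)

# Constructed sample data (RFC 5737 documentation addresses).
BASELINE_LOG = [
    "2024-06-03T09:15:00 vpn auth success user=alice src=203.0.113.10",
    "2024-06-04T10:02:00 vpn auth success user=bob src=198.51.100.7",
    "2024-06-05T14:30:00 vpn auth success user=alice src=203.0.113.10",
]
RECENT_LOG = [
    "2024-06-10T09:05:00 vpn auth success user=alice src=203.0.113.10",  # Monday, known IP
    "2024-06-10T02:41:00 vpn auth success user=bob src=192.0.2.55",     # 02:41, new IP
    "2024-06-08T11:00:00 vpn auth success user=alice src=203.0.113.10",  # Saturday
    "2024-06-10T13:00:00 vpn auth failure user=alice src=192.0.2.99",    # failure, ignored
]


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def outside_business_hours(ts):
    """True on Saturday/Sunday or outside the assumed 08:00-18:00 window."""
    if ts.weekday() >= 5:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def build_baseline(events):
    """Map each account to the set of source IPs seen in successful logins."""
    baseline = {}
    for e in events:
        if e["result"] == "success":
            baseline.setdefault(e["user"], set()).add(e["src"])
    return baseline


def find_suspicious_logins(baseline_lines, recent_lines):
    """Return (user, src, timestamp, reasons) for each flagged successful login."""
    baseline = build_baseline(filter(None, map(parse_line, baseline_lines)))
    findings = []
    for e in filter(None, map(parse_line, recent_lines)):
        if e["result"] != "success":
            # Valid-credential abuse succeeds; failed logins are handled elsewhere.
            continue
        reasons = []
        if outside_business_hours(e["ts"]):
            reasons.append("outside business hours")
        if e["src"] not in baseline.get(e["user"], set()):
            reasons.append("new source address for this account")
        if reasons:
            findings.append((e["user"], e["src"], e["ts"].isoformat(), reasons))
    return findings


if __name__ == "__main__":
    for user, src, ts, reasons in find_suspicious_logins(BASELINE_LOG, RECENT_LOG):
        print(f"{ts} {user} from {src}: {'; '.join(reasons)}")
```

On the constructed data this flags bob's 02:41 login from an address not in the baseline (both reasons) and alice's Saturday login (out of hours only), while the Monday login from a known address and the failed attempt produce nothing. In production the baseline would come from weeks of authentication history rather than three lines, and the hit should open a ticket that a human triages the same night, since the report's point is that the adversary does not wait until morning.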

Organisations employing MDR services detected threats twice as quickly as those that did not, with dwell time shortening to just one day for non-ransomware incidents. This underlines the importance of proactive threat detection, which represents a substantial opportunity for Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs).

The report analysed over 400 Incident Response (IR) and Managed Detection and Response (MDR) cases from 2024, offering a detailed examination of attackers' strategies. The median time from the beginning of an attack to data exfiltration was approximately 73 hours, underscoring the rapid speed of these threats. From exfiltration to detection, a median of only 2.7 hours was reported.

John Shier, Field CISO at Sophos, stressed the inadequacy of passive security measures. "Passive security is no longer enough. While prevention is essential, rapid response is critical. Organizations must actively monitor networks and act swiftly against observed telemetry. Coordinated attacks by motivated adversaries require a coordinated defense. For many organizations, that means combining business-specific knowledge with expert-led detection and response. Our report confirms that organizations with proactive monitoring detect attacks faster and experience better outcomes," Shier commented.

The report also found that the median time between an attacker's first action and their attempt to reach Active Directory was just 11 hours. Once AD is compromised, attackers can rapidly extend their control over the victim organisation's systems.

The most frequently encountered ransomware groups were Akira, Fog, and LockBit, the last of which continues to operate despite takedown efforts by multiple governments. Overall median dwell time fell from four days to two, a drop the report attributes to the inclusion of MDR cases in the analysis, since those cases were detected and contained far sooner.

Overall, Sophos advises organisations to close exposed Remote Desktop Protocol (RDP) ports, implement phishing-resistant MFA, patch vulnerable systems promptly, deploy EDR or MDR with 24/7 monitoring, and regularly test incident response plans.
