Sophos recently released the findings of its annual Active Adversary report, which draws on the company's internal research. The report details attacker behavior and techniques observed across more than 400 managed detection and response (MDR) and incident response (IR) cases in 2024.
Research shows organizations are detecting attacks faster, but threats remain complex
The report found that the primary way attackers gained initial access to networks (56% of all cases across MDR and IR) was by exploiting external remote services, which include edge devices such as firewalls and VPNs, using valid accounts.
“Passive security is no longer enough. While prevention is essential, rapid response is critical. Organizations must actively monitor networks and act swiftly against observed telemetry. Coordinated attacks by motivated adversaries require a coordinated defense,” Sophos Field CISO John Shier said in a statement. “For many organizations, that means combining business-specific knowledge with expert-led detection and response. Our report confirms that organizations with proactive monitoring detect attacks faster and experience better outcomes.”
Sophos outlines the following points as key insights from the report:
- Attackers can take control of a system in just 11 hours: The median time between attackers’ initial action and their first (often successful) attempt to breach Active Directory (AD) – arguably one of the most important assets in any Windows network – was merely 11 hours. If successful, attackers can more easily seize control of the organization.
- Top ransomware groups in Sophos cases: In 2024, Akira was the most frequently reported ransomware group, followed by Fog and LockBit, even after a multi-government takedown of LockBit earlier in the year.
- Dwell time is down to just 2 days: Overall, dwell time – the period from the start of an attack to its detection – decreased from 4 days to just 2 in 2024, primarily due to adding MDR cases to the dataset.
- Dwell time in IR cases: Dwell time stayed consistent at 4 days for ransomware attacks and 11.5 days for non-ransomware cases.
- Dwell time in MDR cases: In MDR investigations, dwell time was only three days for ransomware cases and just one day for non-ransomware cases, suggesting that MDR teams can detect and respond to attacks more quickly.
- Ransomware groups operate overnight: In 2024, 83% of ransomware binaries were deployed outside the targets’ local business hours.
- Remote Desktop Protocol continues to dominate: RDP featured in 84% of MDR/IR cases, making it the most frequently abused Microsoft tool.
For a second year, compromised credentials were the number one root cause of attacks (41% of cases). This was followed by exploited vulnerabilities (21.79%) and brute force attacks (21.07%).
What MSPs can do to keep themselves and clients protected
As noted above, the report emphasizes the ongoing need for organizations to stay vigilant and ready for any eventuality. While the research may be alarming, Shier told Channel Insider that MSPs can use it to assess their overall security posture.
“What I really want partners and others to take away from this isn’t necessarily, this says ‘A’ so I’ll go do ‘B,’ it’s more about, these are the steps that threat actors are taking, so looking internally, how would I fare in this scenario,” Shier said.
To Shier, the most important part of this Active Adversary report is that solutions like MDR decrease the prevalence and impact of activities such as ransomware on businesses.
“This report is the confirmation of a theory I had, which is that outcomes would be better if we added in the MDR events in addition to the IR data we have used in years past,” Shier said. “That theory ended up being true. When you have experts looking at the evidence, and those experts know what they are looking for and have the necessary telemetry to address that information, you are better prepared against threat actors.”
The report outlines practical steps for MSPs and organizations to take in response to these threats:
- Close exposed RDP ports
- Use phishing-resistant multifactor authentication (MFA) wherever possible
- Patch vulnerable systems promptly, with a particular focus on internet-facing devices and services
- Deploy EDR or MDR and ensure it is proactively monitored 24/7
- Establish a comprehensive incident response plan and test it regularly through simulations or tabletop exercises
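The finding that 83% of ransomware binaries were deployed outside the targets' local business hours, combined with the recommendation to keep EDR or MDR monitored 24/7, translates directly into a simple detection rule: convert each process-execution timestamp into the organization's local time and flag anything that runs on a weekend or outside the working window. The script below is an added example and is not code from the Sophos report or from Channel Insider; the event line format, host names, file paths, the 08:00 to 18:00 Monday-to-Friday window and the America/New_York timezone are all constructed assumptions for illustration.

```python
"""Flag EDR process events that fall outside an organization's local business hours.

Added example (not code from the Sophos report or the Channel Insider article).
The event format, the hosts and the business-hours window are constructed here
for illustration; adapt parse_event() to whatever your EDR actually exports.
"""
import re
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo

try:
    from zoneinfo import ZoneInfo
    ORG_TZ = ZoneInfo("America/New_York")          # handles DST transitions correctly
except Exception:                                   # no tzdata on this host
    ORG_TZ = timezone(timedelta(hours=-5), "EST")  # fixed-offset fallback (no DST)


@dataclass(frozen=True)
class BusinessHours:
    """Local working window; any instant outside it counts as 'off hours'."""
    tz: tzinfo
    start: time = time(8, 0)                           # inclusive
    end: time = time(18, 0)                            # exclusive
    workdays: frozenset = frozenset({0, 1, 2, 3, 4})   # Monday=0 .. Friday=4


@dataclass(frozen=True)
class ProcessEvent:
    ts_utc: datetime
    host: str
    image: str
    user: str


# Constructed sample telemetry: "<ISO-8601 UTC timestamp> host=.. image=.. user=.." per line.
EVENT_RE = re.compile(r"^(\S+)\s+host=(\S+)\s+image=(\S+)\s+user=(\S+)$")


def parse_event(line: str) -> ProcessEvent:
    """Parse one event line; timestamps must carry a UTC offset so conversion is unambiguous."""
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised event line: {line!r}")
    ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError("event timestamps must carry a UTC offset")
    return ProcessEvent(ts.astimezone(timezone.utc), m.group(2), m.group(3), m.group(4))


def is_off_hours(ts_utc: datetime, hours: BusinessHours) -> bool:
    """True if the instant falls on a non-workday or outside start..end in local time."""
    local = ts_utc.astimezone(hours.tz)
    if local.weekday() not in hours.workdays:
        return True
    return not (hours.start <= local.time() < hours.end)


def flag_off_hours(lines, hours: BusinessHours):
    """Return (event, local time string) for every event that executed off hours."""
    flagged = []
    for line in lines:
        ev = parse_event(line)
        if is_off_hours(ev.ts_utc, hours):
            local = ev.ts_utc.astimezone(hours.tz)
            flagged.append((ev, local.strftime("%a %Y-%m-%d %H:%M %Z")))
    return flagged


def off_hours_share(lines, hours: BusinessHours) -> float:
    """Fraction of events that ran off hours (the report quotes 83% for ransomware binaries)."""
    events = [parse_event(line) for line in lines]
    if not events:
        return 0.0
    return sum(is_off_hours(e.ts_utc, hours) for e in events) / len(events)


# Constructed sample: all dated early March 2024, before the US DST change, so the
# fixed-offset fallback and the real zone give identical local times.
SAMPLE_LINES = [
    "2024-03-05T15:30:00Z host=WS-042 image=C:\\Windows\\System32\\notepad.exe user=jdoe",
    "2024-03-06T03:10:00Z host=FS-01 image=C:\\Windows\\Temp\\locker.exe user=svc_backup",
    "2024-03-09T14:00:00Z host=DC-01 image=C:\\Users\\Public\\enc.exe user=administrator",
    "2024-03-05T13:00:00Z host=WS-042 image=C:\\Apps\\app.exe user=jdoe",
    "2024-03-05T23:00:00Z host=WS-017 image=C:\\Windows\\Temp\\update.exe user=jdoe",
]
ORG_HOURS = BusinessHours(tz=ORG_TZ)

if __name__ == "__main__":
    for ev, local in flag_off_hours(SAMPLE_LINES, ORG_HOURS):
        print(f"OFF-HOURS {local} {ev.host} {ev.user} {ev.image}")
    print(f"off-hours share: {off_hours_share(SAMPLE_LINES, ORG_HOURS):.0%}")
```

Of the five constructed events, three are flagged: a Tuesday 22:10 execution, a Saturday morning execution, and one at exactly 18:00, which lands on the exclusive end of the window; the 08:00 event on the inclusive start boundary is not flagged. The rule on its own is noisy, since legitimate maintenance also runs at night, so it belongs as an enrichment that raises the priority of an alert (for example an unsigned binary launched from a temp directory by a service account) rather than as a stand-alone alert, and it needs a human on shift to act on it, which is the point of the 24/7 recommendation.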
As many MSPs, MSSPs, and other channel partners have likely experienced, this information is not new to security experts. However, it is valuable data to present to non-technical leaders in organizations to illustrate the importance of prioritizing security in budgetary and operational planning.
“For field practitioners and security experts, there is already a lot of awareness of both what is available from a technical perspective and of where an organization is leaving themselves at risk, but that awareness is not always carried up through management and beyond technical roles,” Shier said. “I hope this report can show the potential impact to non-IT roles and leaders.”
“Ultimately, security is about enabling the business to move forward and grow faster without putting the business at risk.”
Sophos continues to support its MSP partners with solutions and services. Read our interview with the company’s SVP of Product Management, Rob Harrison, to learn more about its approach to channel partners.