The fifth anniversary of the Sophos Active Adversary Report is a significant milestone for the team behind it. The report originally began as a way to answer the question of what happens after attackers breach a company, providing valuable insights into the adversary’s playbook to help defenders better battle active attacks. Over the years, the report has evolved to include data from both the Incident Response (IR) team and the Managed Detection and Response (MDR) team, offering a comprehensive analysis of the cybersecurity landscape.
One of the key takeaways from the report is the difference between MDR and IR findings, which shows the measurable value of active monitoring in detecting and responding to threats. Compromised credentials remain a common method of initial access for attackers, which makes multi-factor authentication (MFA) an essential security control. Dwell time, the period between an attacker’s initial access and its detection, continues to decrease, indicating improved detection and response capabilities.
Another notable trend highlighted in the report is the explosive increase in attacker abuse of living-off-the-land binaries (LOLBins): legitimate, usually built-in system tools that attackers repurpose for malicious ends. The rise of remote ransomware, which poses a distinct challenge for actively managed systems, also underscores the evolving nature of cyber threats.
The data used in the report is drawn from a variety of industries and locations, reflecting the global nature of cybersecurity threats. The manufacturing sector remains a common target for Sophos X-Ops response services, though the percentage of customers from this sector has decreased in recent years. Other industries represented in the dataset include education, construction, information technology, and healthcare.
The report’s comparison of MDR and IR cases highlights the importance of skilled active monitoring and logging in improving security outcomes. The report also delves into the root causes of incidents, detection opportunities, and best practices for mitigating cyber threats.
Overall, the Sophos Active Adversary Report offers valuable insights into the evolving cyber threat landscape and provides actionable recommendations for security practitioners and business leaders. By understanding the data and trends presented in the report, organizations can enhance their cybersecurity posture and better protect their digital assets.
