Sophos Report: 56% of Cases Involved Attacks Using Existing Logins

Attackers primarily gained initial network access—56% of all MDR and IR cases—by exploiting external remote services like firewalls and VPNs using valid credentials. This is according to a new report by cybersecurity firm Sophos.

The 2025 Sophos Active Adversary Report details attacker behavior and techniques from over 400 Managed Detection and Response [MDR] and Incident Response [IR] cases in 2024.

According to the report, the combination of external remote services and valid accounts aligns with the top root causes of attacks. For the second year in a row, compromised credentials were the number one root cause of attacks [41% of cases]. This was followed by exploited vulnerabilities [21.79%] and brute-force attacks [21.07%].

Understanding The Speed of Attacks

When analyzing MDR and IR investigations, the Sophos X-Ops team looked specifically at ransomware, data exfiltration, and data extortion cases to identify how fast attackers progressed through the stages of an attack within an organization. In those three types of cases, the median time between the start of an attack and exfiltration was only 72.98 hours [3.04 days]. Furthermore, there was only a median of 2.7 hours from exfiltration to attack detection.

“Passive security is no longer enough. While prevention is essential, rapid response is critical. Organizations must actively monitor networks and act swiftly against observed telemetry. Coordinated attacks by motivated adversaries require a coordinated defense. For many organizations, that means combining business-specific knowledge with expert-led detection and response. Our report confirms that organizations with proactive monitoring detect attacks faster and experience better outcomes,” said John Shier, field CISO.

The 2025 Sophos Active Adversary Report further reveals that attackers can move quickly, with a median of just 11 hours between initial access and a breach attempt on Active Directory, a critical asset in Windows environments. Akira emerged as the most prevalent ransomware group in 2024, followed by Fog and LockBit, the latter still active despite a major takedown. Attack detection has improved overall, with dwell time—the time attackers remain undetected—dropping from 4 days to just 2, thanks largely to the inclusion of MDR (Managed Detection and Response) cases.

Dwell time varied depending on the type of case: it held steady at 4 days for ransomware and 11.5 days for non-ransomware cases in incident response (IR) investigations. In contrast, MDR cases showed much faster response times—3 days for ransomware and just 1 day for non-ransomware attacks. The report also highlights that 83% of ransomware deployments occurred outside local business hours, showing attackers favor overnight activity. Additionally, Remote Desktop Protocol (RDP) was exploited in 84% of cases, making it the most commonly abused Microsoft tool.

To strengthen their cybersecurity posture, Sophos advises organizations to take several key steps. First, they should close any exposed Remote Desktop Protocol (RDP) ports and implement phishing-resistant multifactor authentication (MFA) wherever feasible to reduce unauthorized access risks.

Additionally, companies should prioritize timely patching of vulnerable systems, especially those exposed to the internet. Deploying Endpoint Detection and Response (EDR) or Managed Detection and Response (MDR) solutions with 24/7 monitoring is crucial. Finally, having a well-defined incident response plan—and regularly testing it through simulations or tabletop exercises—can greatly improve preparedness for potential attacks.
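Two of the report's findings point at one practical detection: RDP was abused in 84% of cases, and 83% of ransomware deployments happened outside local business hours. The script below is an added example, not code from Sophos or the report, that flags RDP logons occurring outside business hours from Windows Security logon events. It assumes event ID 4624 with logon type 10 (RemoteInteractive) marks a successful RDP logon, that business hours are Monday to Friday 08:00 to 18:00 local time, and that the log lines are in a simple key=value format; the sample records are constructed.

```python
"""Flag RDP (RemoteInteractive) logons that fall outside business hours.

Added example; the log records are constructed and not from the Sophos report.
Assumptions: Windows Security event 4624 with LogonType 10 marks a successful
RDP logon, and business hours are Mon-Fri 08:00-18:00 local time.
"""
from dataclasses import dataclass
from datetime import datetime, time

BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
RDP_LOGON_TYPE = 10          # LogonType 10 = RemoteInteractive (RDP)
SUCCESSFUL_LOGON_EVENT = "4624"


@dataclass
class LogonEvent:
    timestamp: datetime
    user: str
    source_ip: str
    logon_type: int


# Constructed sample records in an assumed key=value line format.
# 2024-06-10 is a Monday; 2024-06-15 is a Saturday.
SAMPLE_LOG = """\
time=2024-06-10T09:15:00 event=4624 user=alice ip=10.0.0.5 logon_type=10
time=2024-06-10T23:40:00 event=4624 user=svc_backup ip=203.0.113.9 logon_type=10
time=2024-06-11T12:00:00 event=4624 user=bob ip=10.0.0.7 logon_type=2
time=2024-06-15T03:10:00 event=4624 user=admin ip=198.51.100.4 logon_type=10
time=2024-06-12T07:59:00 event=4625 user=carol ip=10.0.0.9 logon_type=10
"""


def parse_events(text: str) -> list[LogonEvent]:
    """Parse key=value log lines, keeping only successful logons (4624)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split())
        if fields.get("event") != SUCCESSFUL_LOGON_EVENT:
            continue  # failed logons (4625) are a separate detection
        events.append(
            LogonEvent(
                timestamp=datetime.fromisoformat(fields["time"]),
                user=fields["user"],
                source_ip=fields["ip"],
                logon_type=int(fields["logon_type"]),
            )
        )
    return events


def is_outside_business_hours(ts: datetime) -> bool:
    """True on weekends or outside the 08:00-18:00 window on weekdays."""
    if ts.weekday() >= 5:  # Saturday = 5, Sunday = 6
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def find_after_hours_rdp(events: list[LogonEvent]) -> list[LogonEvent]:
    """Return the RDP logons that happened outside business hours."""
    return [
        e
        for e in events
        if e.logon_type == RDP_LOGON_TYPE and is_outside_business_hours(e.timestamp)
    ]


if __name__ == "__main__":
    for hit in find_after_hours_rdp(parse_events(SAMPLE_LOG)):
        print(f"ALERT after-hours RDP logon: {hit.user} from {hit.source_ip} at {hit.timestamp}")
```

Run against the constructed sample, the script flags the 23:40 weekday logon by `svc_backup` and the Saturday 03:10 logon by `admin`, while ignoring the daytime RDP logon, the console logon (type 2) and the failed attempt. In practice the business-hours window should follow the organisation's own schedule and time zone, and the failed-logon events skipped here would feed the brute-force detection the report's root-cause figures argue for.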


By Staff Writer
