The 2025 Sophos Active Adversary Report


Published: May 08, 2025

The Sophos Active Adversary Report celebrates its fifth anniversary this year. The report grew out of a simple question: What happens after attackers breach a company? Knowing the adversary’s playbook, after all, helps defenders better battle attacks. [There’s a reason we started life as “The Active Adversary Playbook.”] At the same time we were discussing ways to instrument a testing environment to answer that what-happens question, Sophos was preparing to launch an incident response [IR] service. A cross-team project was born.

For five years, we’ve presented our data – first solely from the IR service, but eventually expanding to include data from IR’s sister team supporting current MDR customers – and provided analysis on what we think it means. As we continue to refine our process for collecting and analyzing data, this report will focus on some key observations and analysis – and, to celebrate a half-decade of this work, we’re giving the world access to our 2024 dataset, in the hope of starting a broader conversation. More information on that can be found at the end of the report.

Key takeaways:

  • Differences between MDR and IR findings show, quantitatively, the statistical value of active monitoring.
  • Compromised credentials continue to lead initial access; MFA is essential.
  • Dwell time drops (again!)
  • Attacker abuse of living-off-the-land binaries [LOLBins] explodes.
  • Remote ransomware poses a unique challenge, and opportunity, for actively managed systems.
  • Attack impacts contain lessons about potential detections.