Sophos: 56% of IR, MDR Cases Saw Log-In, Not Break-In

Sophos, which provides security solutions to combat cyberattacks, published its It Takes Two: 2025 Sophos Active Adversary report. This document details attacker behavior and techniques from over 400 MDR and incident response (IR) cases in 2024. In particular, it found that the primary way attackers gained initial access to networks (56 percent) was by exploiting external remote services such as edge devices – including firewalls and VPNs – by leveraging valid accounts. 

The combination of external remote services and valid accounts aligns with the top root causes of attacks. For the second year in a row, compromised credentials were the top cause of attacks (41 percent), trailed by exploited vulnerabilities (21.79 percent) and brute-force attacks (21.07 percent).

When analyzing MDR and IR investigations, Sophos’ X-Ops team looked specifically at ransomware, data exfiltration and data extortion cases to identify how fast attackers progressed through the stages of an attack within an organization. In those three types of cases, the median time from attack start to exfiltration was 3.04 days. Furthermore, the median time from exfiltration to attack detection was only 2.7 hours.

“Passive security is no longer enough,” said field CISO John Shier. “While prevention is essential, rapid response is critical. Organizations must actively monitor networks and act swiftly against observed telemetry. Coordinated attacks by motivated adversaries require a coordinated defense. For many organizations, that means combining business-specific knowledge with expert-led detection and response. Our report confirms that organizations with proactive monitoring detect attacks faster and experience better outcomes.”

Other key findings included: 

  • Attackers can take control of a system within 11 hours. 
  • Akira was the most frequently encountered ransomware group in 2024, followed by Fog and LockBit. 
  • Dwell time is down to just two days. 
  • Dwell time in IR cases remained stable at four days (ransomware) and 11.5 days (non-ransomware). 
  • Dwell time in MDR cases was three days (ransomware cases) and one day (non-ransomware). 
  • In 2024, 83 percent of ransomware binaries were dropped outside of the targets’ local business hours.