The 2025 Sophos Active Adversary Report is out.

I thread these every year as, personally, I think yearly IR and MDR reports are the best source of data for defenders on _real world_ threats.

https://news.sophos.com/en-us/2025/04/02/2025-sophos-active-adversary-report/

Key takeaways for me:

- Despite what you read from scare vendors, ransomware dwell time (initial access to deployment) is still measured in days.

It is not hopeless and by active monitoring you *can* stop attackers.

It takes two: The 2025 Sophos Active Adversary Report

The dawn of our fifth year deepens our understanding of the enemies at the gate, and some tensions inside it; plus, an anniversary gift from us to you

Sophos News

Compromised credentials continue to drive a majority of incidents. Why? Home PCs and infostealers.

MS Recall got the shite kicked out of it because it would have been a disaster for exactly this reason, we don't need to pour petrol on that already raging and unsolved fire.

Bruteforcing of VPNs and exploitation of network border vulnerabilities continues to be a major (and growing) problem.

Bang for buck: Concentrate on MFA everything, patch everything internet facing, monitor bruteforce.

Bruteforce and external remote access drives a significant portion of incidents, which also ties to compromised credentials (78% of cases is remote access with valid creds, infostealers go brrrr).

CitrixBleed was 5% of all security incidents - may explain why I made an MSPaint.exe logo for it

The long story short is you need really robust authentication - if you get it wrong, you are toast in 2025 - and really, really robust external services patching. Don't ever present RDP to the internet.

If you have a way of being able to block or at least alert on software, yeet these:

- SoftPerfect Network Scanner
- AnyDesk
- mimikatz (lol 2025)
- Rclone
- WinRAR
- Advanced IP Scanner
- Advanced Port Scanner

In 84% of cases - you know, almost all - attackers use RDP, aka Remote Desktop.

Yes, you think attackers are hacking the matrix and using Generative AI to generate 31337 code... but in fact, almost all of them are using Remote Desktop to *point and click* hack you.

There are some really good recommendations in there for monitoring internal RDP usage. It's by far one of the biggest ways to catch people internally being naughty. Why is somebody RDPing to a domain controller at 3am?
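As an added example (not code from the report or from the thread author), the two recommendations above turned into detection logic and run over a few constructed Windows Security log records: alert when one of the listed tools starts (event 4688, process creation) and when an RDP logon (event 4624, LogonType 10) lands on a domain controller or outside business hours. The executable names, the DC list, the business-hours window and the sample events are all assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Tools the report flags as worth blocking or alerting on, keyed by the image
# name as it would appear in a 4688 NewProcessName field. The binary names are
# assumptions for this example; match on whatever your EDR actually records.
WATCHED_TOOLS = {
    "netscan.exe": "SoftPerfect Network Scanner",
    "anydesk.exe": "AnyDesk",
    "mimikatz.exe": "mimikatz",
    "rclone.exe": "Rclone",
    "winrar.exe": "WinRAR",
    "advanced_ip_scanner.exe": "Advanced IP Scanner",
    "advanced_port_scanner.exe": "Advanced Port Scanner",
}

# Hypothetical environment facts: which hosts are domain controllers and what
# counts as business hours. Both would come from your CMDB/policy in practice.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))
RDP_LOGON_TYPE = 10  # 4624 LogonType 10 = RemoteInteractive (RDP)


@dataclass
class Event:
    ts: datetime
    event_id: int       # 4688 = process creation, 4624 = successful logon
    host: str           # computer that wrote the event
    user: str
    image: str = ""     # 4688 NewProcessName
    logon_type: int = 0 # 4624 LogonType
    src_ip: str = ""    # 4624 IpAddress


def check_tool(ev: Event):
    """Alert when a 4688 event shows one of the watched tools starting."""
    if ev.event_id != 4688:
        return None
    exe = ev.image.rsplit("\\", 1)[-1].lower()
    tool = WATCHED_TOOLS.get(exe)
    if tool is None:
        return None
    return f"{ev.ts:%Y-%m-%d %H:%M} {ev.host}: {ev.user} started {tool} ({ev.image})"


def check_rdp(ev: Event):
    """Alert on RDP logons (4624/LogonType 10) to a DC or outside business hours."""
    if ev.event_id != 4624 or ev.logon_type != RDP_LOGON_TYPE:
        return None
    reasons = []
    if ev.host.upper() in DOMAIN_CONTROLLERS:
        reasons.append("RDP to a domain controller")
    start, end = BUSINESS_HOURS
    if not (start <= ev.ts.time() < end):
        reasons.append("outside business hours")
    if not reasons:
        return None
    return (f"{ev.ts:%Y-%m-%d %H:%M} {ev.host}: RDP logon by {ev.user} "
            f"from {ev.src_ip} ({'; '.join(reasons)})")


def run_detections(events):
    """Apply every check to every event; return the alert strings in order."""
    alerts = []
    for ev in events:
        for check in (check_tool, check_rdp):
            alert = check(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    Event(datetime(2025, 4, 3, 14, 12), 4688, "WS042", "alice",
          image=r"C:\Users\alice\Downloads\Advanced_IP_Scanner.exe"),
    Event(datetime(2025, 4, 3, 3, 7), 4624, "DC01", "svc_backup",
          logon_type=10, src_ip="10.0.5.17"),
    Event(datetime(2025, 4, 3, 10, 30), 4624, "WS042", "bob",
          logon_type=10, src_ip="10.0.1.20"),
    Event(datetime(2025, 4, 3, 11, 2), 4688, "WS011", "carol",
          image=r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    Event(datetime(2025, 4, 3, 9, 0), 4624, "DC02", "admin", logon_type=2),
    Event(datetime(2025, 4, 3, 22, 45), 4688, "WS011", "carol",
          image=r"C:\Tools\rclone.exe"),
]

if __name__ == "__main__":
    for line in run_detections(SAMPLE_EVENTS):
        print(line)
```

Three of the six constructed records fire: the scanner download, the 03:07 RDP session on DC01 (two reasons at once) and the late-night rclone start. The workstation-to-workstation RDP during the day and the console logon (LogonType 2) on DC02 stay quiet, which is the point: the signal is RDP to places and at times it has no business being, not RDP as such.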

Notably, for the second year running (and same with all prior reports) (and the same across other IR and MDR providers), the report doesn't mention AI or Generative AI once.

Absolutely not popular to say that and always get next to zero engagement on LinkedIn, but let me be super clear on this one:

The threat to your business is foundational IT and security. The big incident that screws you over will be somebody pointing and clicking. Focus on what actually matters, not AI.

Finally, if you want the raw incident data to analyse, Sophos has it, anonymized: https://github.com/sophoslabs/Active_Adversary_Report/blob/main/sophos-aar2501-github-share.csv

I should also point out there's a lot of infosec people at trillion dollar tech companies sat thinking quantum and AI is going to be the next big problem...

...when in reality SMBs make up a vast majority of the global economy - and are getting owned by people running this as they can't work out nmap parameters, while playing Call of Duty on their second monitor (this isn't even a joke, this was a ransomware deployment):

100% on this one, seen all the time on real world incidents.

Problem: somebody got a password for an account and nobody knows how.

How: the business user signed into their personal Google account in Chrome at work, which synced all their bookmarks and saved passwords to Google. Then they switched on their home PC, Chrome synced, and an infostealer took all the details.

Solution: Google Chrome ADMX, and set Group Policy to turn off personal account sign-in with Chrome.

https://infosec.exchange/@Walker/114268652560517693

Walker (@[email protected])

@[email protected] The larger problem for corporations is browser sync for passwords, login cookies and tokens, and other sensitive data. Home PCs do not have advanced EDR and if it gets compromised that could expose corporate resources.

Infosec Exchange
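As an added example (not the poster's code, nor Sophos's), a small audit of the Chrome policy set that closes the path described above: the ADMX templates write machine policy under HKLM\SOFTWARE\Policies\Google\Chrome, and the three policy names used here (BrowserSignin, RestrictSigninToPattern, SyncDisabled) are real Chrome enterprise policies. The script evaluates a policy dict against the fix in the post and the sync concern in Walker's reply, with a helper that reads the live registry on Windows; the policy sets and the corporate domain pattern are constructed for the example.

```python
import sys

# Registry location the Chrome ADMX templates write machine-level policy to.
CHROME_POLICY_KEY = r"SOFTWARE\Policies\Google\Chrome"
# Real Chrome enterprise policy names used below:
#   BrowserSignin           0 = sign-in disabled, 1 = enabled, 2 = forced
#   RestrictSigninToPattern regex; only matching accounts may sign in
#   SyncDisabled            1/true = Chrome Sync off for every account
POLICY_NAMES = ("BrowserSignin", "RestrictSigninToPattern", "SyncDisabled")


def audit_chrome_policy(policy, corp_pattern=None):
    """Return a list of findings; an empty list means the policy closes the
    personal-account sign-in / sync path described in the post.

    policy:       dict of policy name -> value, e.g. as read from the registry.
    corp_pattern: optional expected RestrictSigninToPattern value (hypothetical).
    """
    findings = []
    signin = policy.get("BrowserSignin")
    if signin == 0:
        # Sign-in disabled outright: no account, personal or otherwise, can be
        # attached to the profile, so there is nothing left to sync.
        return findings

    pattern = policy.get("RestrictSigninToPattern")
    if not pattern:
        findings.append(
            "BrowserSignin permits any Google account and RestrictSigninToPattern "
            "is unset: users can sign in with a personal account at work")
    elif corp_pattern is not None and pattern != corp_pattern:
        findings.append(
            f"RestrictSigninToPattern is {pattern!r}, expected {corp_pattern!r}")

    if policy.get("SyncDisabled") not in (1, True):
        findings.append(
            "SyncDisabled is not set: saved passwords and cookies sync to whatever "
            "account is signed in, and come back down on an unmanaged home PC")
    return findings


def read_windows_policy():
    """Read the live machine policy on Windows (returns {} on other platforms)."""
    if sys.platform != "win32":
        return {}
    import winreg
    policy = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CHROME_POLICY_KEY) as key:
            for name in POLICY_NAMES:
                try:
                    policy[name], _ = winreg.QueryValueEx(key, name)
                except FileNotFoundError:
                    pass  # this value is not configured
    except FileNotFoundError:
        pass  # no Chrome policy key at all: everything is at defaults
    return policy


# Constructed policy sets for the example (domain pattern is hypothetical).
CORP_PATTERN = r".*@corp\.example"
UNCONFIGURED = {}                                  # nothing pushed via GPO
SIGNIN_OFF = {"BrowserSignin": 0}                  # the fix from the post
CORP_ONLY = {"BrowserSignin": 1,                   # corporate accounts only,
             "RestrictSigninToPattern": CORP_PATTERN}  # but sync still on
CORP_ONLY_NO_SYNC = {**CORP_ONLY, "SyncDisabled": 1}

if __name__ == "__main__":
    cases = [("unconfigured", UNCONFIGURED), ("sign-in off", SIGNIN_OFF),
             ("corp only", CORP_ONLY), ("corp only, no sync", CORP_ONLY_NO_SYNC)]
    if sys.platform == "win32":
        cases.append(("this machine", read_windows_policy()))
    for label, pol in cases:
        findings = audit_chrome_policy(pol, corp_pattern=CORP_PATTERN)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

The unconfigured set gets two findings, BrowserSignin = 0 gets none, and restricting sign-in to the corporate domain without also setting SyncDisabled still leaves one: a corporate account that syncs saved passwords is still a sync target, which is the part of the problem Walker's reply points at.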
@GossiTheDog @Walker so easy yet so seldom utilized…
@GossiTheDog we continue to have this problem at my work and it drives me mad that nothing is done about it because the brass "trust Google"
@GossiTheDog Clients always want it to be the highly sophisticated, state sponsored, 0-Day buying über-Threat Actor...in reality the companies I see getting owned don't even know what services they're exposing to the public Internet or care about secure authentication methods.
@GossiTheDog You mean the policy that's been deprecated?

@GossiTheDog

Is do not ever use google chrome, end of rule, no longer an option?

Are businesses and companies being required to use Google bullspit? Or only kind of, because they refuse to give up a false sense of convenience or some other company who requires google chrome to allow access?

I really like, do not use google chrome, as a rule.

@GossiTheDog if you sync with any account in Chrome it will sync all the accounts "within" that browser to any other browser using the same account?
@GossiTheDog hey, Angry IP Scanner was great, and that's probably the last release of version 2 which was a normal exe vs the version 3 complete rewrite as a Java app.
@GossiTheDog Was at a conference and one of the questions was "How can we better secure SMB?" and the answer from the panelists "Our company doesn't sell to SMB, or work with them, it's too complicated..." Seems like there is a gap for security folks at that level but not sure how to get there
@GossiTheDog and yet it's hard to have people focus on the basics because they're boring to most :-(
@GossiTheDog I'm a broken record internally, saying "the fundamentals still apply".
@GossiTheDog Ciaran Martin used to say "Deal with the low-hanging fruit".

@GossiTheDog good security isn't sexy. And sexy security isn't good.

I can't tell you how many times I've said to various execs and board members "I really look forward to the day when [some sexy security topic] is at the top of my list." That day has yet to come, by the way.

@GossiTheDog 100%. I'm at a client who, in 2025, is running as domain admins.