The 2025 Sophos Active Adversary Report is out.

I thread these every year as, personally, I think yearly IR and MDR reports are the best source of data for defenders on _real world_ threats.

https://news.sophos.com/en-us/2025/04/02/2025-sophos-active-adversary-report/

Key takeaways for me:

- Despite what you read from scare vendors, ransomware dwell time (initial access to deployment) is still measured in days.

It is not hopeless, and with active monitoring you *can* stop attackers.

Compromised credentials continue to drive a majority of incidents. Why? Home PCs and infostealers.

MS Recall got the shite kicked out of it because it would have been a disaster for exactly this reason, we don't need to pour petrol on that already raging and unsolved fire.

Bruteforcing of VPNs and exploitation of network border vulnerabilities continues to be a major (and growing) problem.

Bang for buck: Concentrate on MFA everything, patch everything internet facing, monitor bruteforce.

Bruteforce and external remote access drive a significant portion of incidents, which also ties to compromised credentials (78% of cases is remote access with valid creds, infostealers go brrrr).

CitrixBleed was 5% of all security incidents - may explain why I made an MSPaint.exe logo for it

The long story short is you need really robust authentication - if you get it wrong, you are toast in 2025 - and really, really robust external services patching. Don't ever present RDP to the internet.

If you have a way of being able to block or at least alert on software, yeet these:

- SoftPerfect Network Scanner
- AnyDesk
- mimikatz (lol 2025)
- Rclone
- WinRAR
- Advanced IP Scanner
- Advanced Port Scanner

In 84% of cases - you know, almost all - attackers use RDP, aka Remote Desktop.

Yes, you think attackers are hacking the matrix and using Generative AI to generate 31337 code... but in fact, almost all of them are using Remote Desktop to *point and click* hack you.

There are some really good recommendations in there for monitoring internal RDP usage. It's by far one of the biggest ways to catch people internally being naughty. Why is somebody RDPing to a domain controller at 3am?
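As an added example (my own, not code from the thread or the Sophos report), here is a minimal detector for exactly that "RDP to a domain controller at 3am" case, run over constructed Windows 4624 logon events as a SIEM might export them; the DC hostnames, business hours and sample events are all assumptions to replace with your own.

```python
"""Flag interactive RDP logons (event 4624, LogonType 10) to domain
controllers outside business hours. All data below is constructed."""
from datetime import datetime

# Assumption: your DC inventory and working hours; tune to your org.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local time, Monday to Friday

# Constructed sample events (minimal 4624 fields; 2025-04-02 is a Wednesday).
SAMPLE_EVENTS = [
    {"time": "2025-04-02T03:12:44", "event_id": 4624, "logon_type": 10,
     "host": "DC01", "user": "svc_backup", "src_ip": "10.0.5.23"},
    {"time": "2025-04-02T09:30:01", "event_id": 4624, "logon_type": 10,
     "host": "DC01", "user": "admin.jane", "src_ip": "10.0.1.10"},
    {"time": "2025-04-02T03:15:00", "event_id": 4624, "logon_type": 3,
     "host": "DC02", "user": "svc_backup", "src_ip": "10.0.5.23"},
    {"time": "2025-04-02T22:41:09", "event_id": 4624, "logon_type": 10,
     "host": "FILESRV01", "user": "admin.jane", "src_ip": "10.0.1.10"},
    {"time": "2025-04-02T23:05:17", "event_id": 4624, "logon_type": 10,
     "host": "DC02", "user": "helpdesk.bob", "src_ip": "10.0.9.77"},
    {"time": "2025-04-05T11:00:00", "event_id": 4624, "logon_type": 10,
     "host": "DC01", "user": "admin.jane", "src_ip": "10.0.1.10"},
]


def is_off_hours(ts: str) -> bool:
    """True on weekends or outside BUSINESS_HOURS (local time)."""
    t = datetime.fromisoformat(ts)
    return t.weekday() >= 5 or t.hour not in BUSINESS_HOURS


def is_rdp_logon(ev: dict) -> bool:
    """LogonType 10 = RemoteInteractive, i.e. an RDP session."""
    return ev["event_id"] == 4624 and ev["logon_type"] == 10


def find_suspicious_rdp(events, dcs=DOMAIN_CONTROLLERS):
    """Return one alert per off-hours RDP logon to a domain controller."""
    alerts = []
    for ev in events:
        if is_rdp_logon(ev) and ev["host"] in dcs and is_off_hours(ev["time"]):
            alerts.append({"time": ev["time"], "user": ev["user"],
                           "host": ev["host"], "src_ip": ev["src_ip"],
                           "reason": "off-hours RDP to domain controller"})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_rdp(SAMPLE_EVENTS):
        print(alert)
```

Network logons (type 3) and RDP to non-DC hosts are deliberately ignored here so the alert volume stays small; widen the host set or the hours once you know your baseline.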

Notably, for the second year running (and same with all prior reports) (and the same across other IR and MDR providers), the report doesn't mention AI or Generative AI once.

Absolutely not popular to say that, and I always get next to zero engagement on LinkedIn, but let me be super clear on this one:

The threat to your business is foundational IT and security. The big incident that screws you over will be somebody pointing and clicking. Focus on what actually matters, not AI.

@GossiTheDog 100%. I'm at a client who, in 2025, is running as domain admins.