GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

  • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 02-Apr-2025 21:55:44 JST

    The 2025 Sophos Active Adversary Report is out.

    I thread these every year as, personally, I think yearly IR and MDR reports are the best source of data for defenders on _real world_ threats.

    https://news.sophos.com/en-us/2025/04/02/2025-sophos-active-adversary-report/

    Key takeaways for me:

    - Despite what you read from scare vendors, ransomware dwell time (initial access to deployment) is still measured in days.

    It is not hopeless and by active monitoring you *can* stop attackers.

    Attachments

    1. https://cyberplace.social/system/media_attachments/files/114/268/471/173/532/870/original/2e2261a255c41905.png
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 02-Apr-2025 22:00:42 JST

      Compromised credentials continue to drive a majority of incidents. Why? home PCs and infostealers.

      MS Recall got the shite kicked out of it because it would have been a disaster for exactly this reason, we don't need to pour petrol on that already raging and unsolved fire.

      Bruteforcing of VPNs and exploitation of network border vulnerabilities continues to be a major (and growing) problem.

      Bang for buck: Concentrate on MFA everything, patch everything internet facing, monitor bruteforce.

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/114/268/477/001/972/365/original/4f9e7c5d782aeef0.png
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 03-Apr-2025 00:07:44 JST

      Bruteforce and external remote access drive a significant portion of incidents, which also ties to compromised credentials (78% of cases is remote access with valid creds, infostealers go brrrr).

      CitrixBleed was 5% of all security incidents - may explain why I made an MSPaint.exe logo for it

      The long story short is you need really robust authentication - if you get it wrong, you are toast in 2025 - and really, really robust external services patching. Don't ever present RDP to the internet.

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/114/268/985/251/405/106/original/b56a028a2912c150.png
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 03-Apr-2025 00:09:45 JST

      If you have a way of being able to block or at least alert on software, yeet these:

      - SoftPerfect Network Scanner
      - AnyDesk
      - mimikatz (lol 2025)
      - Rclone
      - WinRAR
      - Advanced IP Scanner
      - Advanced Port Scanner

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/114/268/995/801/228/130/original/3e670dbc98e71494.png
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 03-Apr-2025 00:12:23 JST

      In 84% of cases - you know, almost all - attackers use RDP, aka Remote Desktop.

      Yes, you think attackers are hacking the matrix and using Generative AI to generate 31337 code... but in fact, almost all of them are using Remote Desktop to *point and click* hack you.

      There are some really good recommendations in that for monitoring internal RDP usage. It's by far one of the biggest ways to catch people internally being naughty. Why is somebody RDPing to a domain controller at 3am?

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/114/269/004/298/623/743/original/261720b193529c4f.png
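    The three monitoring points raised in this thread (watch for bruteforce, alert on the listed tooling, and ask why anyone RDPs to a domain controller at 3am) can be expressed as small detections over Windows Security events. The block below is an added example written for this page; it is not Sophos's analysis code or anything from Kevin Beaumont. Event IDs 4625 (failed logon), 4624 (successful logon, with LogonType 10 meaning RemoteInteractive/RDP) and 4688 (process creation) are real Windows Security log IDs; the pipe-delimited record format, the host names, the DC inventory, the 5-failures-in-60-seconds threshold, the business-hours window and the executable names used for the watch list are assumptions made for the example, and the events themselves are constructed.

```python
"""Added example: three defender-side detections run over constructed
Windows Security events. Not Sophos code and not Kevin Beaumont's code.
Record layout (assumed for this example):
    timestamp|event_id|host|user|src_ip|logon_type|process
"""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: a 4625 burst from one source, one 4625 that is
# just a typo, two RDP (logon type 10) logons to a DC, and three 4688s.
SAMPLE_EVENTS = """\
2025-04-01T02:55:00|4625|VPN-GW|admin|203.0.113.7|3|
2025-04-01T02:55:02|4625|VPN-GW|administrator|203.0.113.7|3|
2025-04-01T02:55:04|4625|VPN-GW|jsmith|203.0.113.7|3|
2025-04-01T02:55:05|4625|VPN-GW|backup|203.0.113.7|3|
2025-04-01T02:55:07|4625|VPN-GW|svc_sql|203.0.113.7|3|
2025-04-01T02:55:09|4625|VPN-GW|helpdesk|203.0.113.7|3|
2025-04-01T09:12:00|4625|FS01|jsmith|10.0.5.23|3|
2025-04-01T03:02:11|4624|DC01|jsmith|10.0.5.23|10|
2025-04-01T10:15:40|4624|DC01|itadmin|10.0.9.4|10|
2025-04-01T03:05:30|4688|DC01|jsmith|||C:\\Users\\jsmith\\Downloads\\advanced_ip_scanner.exe
2025-04-01T03:07:02|4688|DC01|jsmith|||C:\\ProgramData\\rclone\\rclone.exe
2025-04-01T11:00:00|4688|WS042|alice|||C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE
"""

DOMAIN_CONTROLLERS = {"DC01"}  # assumed inventory; take this from AD in practice

# Tools named in the thread, keyed by an assumed substring of the binary name.
# Verify these against your own software inventory before alerting on them.
WATCHED_TOOLS = {
    "netscan": "SoftPerfect Network Scanner",
    "anydesk": "AnyDesk",
    "mimikatz": "mimikatz",
    "rclone": "Rclone",
    "winrar": "WinRAR",
    "advanced_ip_scanner": "Advanced IP Scanner",
    "advanced_port_scanner": "Advanced Port Scanner",
}


def parse_events(text):
    """Parse the pipe-delimited records into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, host, user, src, ltype, proc = line.split("|", 6)
        events.append({"ts": datetime.fromisoformat(ts), "id": int(eid),
                       "host": host, "user": user, "src": src,
                       "logon_type": ltype, "process": proc})
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Source IPs with >= threshold failed logons inside any sliding window."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e["src"]:
            by_src[e["src"]].append(e["ts"])
    hits = []
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # drop failures that fell out of the window
            if end - start + 1 >= threshold:
                hits.append(src)
                break
    return hits


def detect_offhours_rdp_to_dc(events, business_hours=(7, 19)):
    """RDP logons (type 10) to a domain controller outside business hours."""
    hits = []
    for e in events:
        if (e["id"] == 4624 and e["logon_type"] == "10"
                and e["host"] in DOMAIN_CONTROLLERS
                and not business_hours[0] <= e["ts"].hour < business_hours[1]):
            hits.append((e["user"], e["host"], e["ts"].isoformat()))
    return hits


def detect_watched_tools(events):
    """Process creations whose image name matches the watch list."""
    hits = []
    for e in events:
        if e["id"] != 4688 or not e["process"]:
            continue
        name = ntpath.basename(e["process"]).lower()  # Windows path separators
        for needle, label in WATCHED_TOOLS.items():
            if needle in name:
                hits.append((e["host"], e["user"], label))
    return hits


def run_all(text=SAMPLE_EVENTS):
    events = parse_events(text)
    return {
        "bruteforce_sources": detect_bruteforce(events),
        "offhours_rdp_to_dc": detect_offhours_rdp_to_dc(events),
        "watched_tools": detect_watched_tools(events),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(name, hits)
```

    The one bruteforce source, the 03:02 RDP logon to DC01 and the two scanner/exfil-tool launches on the same DC all surface; the single failed logon from 10.0.5.23, the daytime admin RDP session and the Word launch do not. In a real deployment the same three checks would run against Security log exports or a SIEM rather than an inline string, and the watch list would be matched on hashes or signer as well as file name, since a renamed binary defeats the substring test shown here.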
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 03-Apr-2025 00:15:24 JST

      Notably, for the second year running (and same with all prior reports) (and the same across other IR and MDR providers), the report doesn't mention AI or Generative AI once.

      Absolutely not popular to say that and always get next to zero engagement on LinkedIn, but let me be super clear on this one:

      The threat to your business is foundational IT and security. The big incident that screws you over will be somebody pointing and clicking. Focus on what actually matters, not AI.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 03-Apr-2025 00:17:12 JST

      Finally, if you want the raw incident data to analyse, Sophos has it, anonymized: https://github.com/sophoslabs/Active_Adversary_Report/blob/main/sophos-aar2501-github-share.csv

      Attachments

      1. Active_Adversary_Report/sophos-aar2501-github-share.csv at main · sophoslabs/Active_Adversary_Report
         Datasets from the Sophos Active Adversary Report.
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 03-Apr-2025 01:20:16 JST

      I should also point out there's a lot of infosec people at trillion dollar tech companies sat thinking quantum and AI is going to be the next big problem...

      ...when in reality SMBs make up a vast majority of the global economy - and are getting owned by people running this as they can't work out nmap parameters, while playing Call of Duty on their second monitor (this isn't even a joke, this was a ransomware deployment):

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/114/269/268/098/136/656/original/1f351dc552d9a58a.png
    • argv minus one (argv_minus_one@mastodon.sdf.org)'s status on Thursday, 03-Apr-2025 02:16:48 JST

      @GossiTheDog

      The solution to this problem is not MFA.

      When you have a problem with passwords getting compromised/phished/bruteforced, and you solve it with #MFA, now you have two problems.

      The solution to this problem is smart cards.

      #cybersecurity #infosec #IT

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 03-Apr-2025 02:21:39 JST

      100% on this one, seen all the time on real world incidents.

      Problem: somebody got a password for an account and nobody knows how.

      How: the business user signed into their personal Google account in Chrome at work, which synced all their bookmarks and saved passwords to Google. Then they switched on their home PC, Chrome synced, and an infostealer took all the details.

      Solution: Google Chrome ADMX, and set Group Policy to turn off personal account sign in with Chrome.

      https://infosec.exchange/@Walker/114268652560517693

      Attachments

      1. Walker (@Walker@infosec.exchange)
         @GossiTheDog@cyberplace.social The larger problem for corporations is browser sync for passwords, login cookies and tokens, and other sensitive data. Home PCs do not have advanced EDR and if it gets compromised that could expose corporate resources.
    • RaulV (raulv@cyberplace.social)'s status on Thursday, 03-Apr-2025 02:31:56 JST

      @GossiTheDog Phishing at only 2.6% is a shocker.

    • argv minus one (argv_minus_one@mastodon.sdf.org)'s status on Thursday, 03-Apr-2025 02:44:03 JST

      @GossiTheDog@cyberplace.social

      1. We're talking about big orgs with zillion-dollar budgets. They can afford smart card infrastructure.

      2. Trusting random employees' smartphones to serve as authentication tokens is hilariously stupid.

      3. Employees who do know the first thing about security aren't gonna be thrilled installing Microsoft apps on their phones.

      4. MFA is the exact opposite of “minimal friction”.

      5. If you must use a phone as a hardware token, then at least do it properly: NFC, QR code, etc.

    • argv minus one (argv_minus_one@mastodon.sdf.org)'s status on Thursday, 03-Apr-2025 02:49:31 JST

      @GossiTheDog

      Wait, what? I wasn't under the impression that small orgs even think about any of this stuff.

    • T (curiousrobot@infosec.exchange)'s status on Thursday, 03-Apr-2025 03:12:22 JST

      @GossiTheDog I’ve seen this at orgs where they have a policy that they can’t touch anything or provide any advice for stuff that happens on users’ personal tech. So that’s hard to try to mitigate for security teams.

    • Jernej Simončič (jernej__s@infosec.exchange)'s status on Thursday, 03-Apr-2025 03:14:23 JST

      @GossiTheDog You mean the policy that's been deprecated?

      Attachments

      1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/269/664/457/600/600/original/872a30a985e0c81c.png
    • argv minus one (argv_minus_one@mastodon.sdf.org)'s status on Thursday, 03-Apr-2025 05:21:52 JST
      in reply to Christoffer S. and John Shier

      @johnshier

      Which controls? MFA? The sum of two weak authentication methods does not add up to a strong authentication method. There's a reason security keeps getting breached despite all the flashy security theatrics of the last few years.

      @nopatience @GossiTheDog

    • John Shier (johnshier@infosec.exchange)'s status on Thursday, 03-Apr-2025 05:21:53 JST
      in reply to Christoffer S. and argv minus one

      @nopatience @argv_minus_one @GossiTheDog Agreed. There are very robust defensive controls that exist before you get to smart cards.

      Over half of the orgs in the dataset are under 250 users. They don't have the time, money, or the expertise to deal with smart cards.

    • argv minus one (argv_minus_one@mastodon.sdf.org)'s status on Thursday, 03-Apr-2025 05:21:55 JST
      in reply to Christoffer S.

      @nopatience

      > Smart cards have never, imho, been a realistic solution for almost any organisation; ever.

      Why not?

      @GossiTheDog

    • Christoffer S. (nopatience@swecyb.com)'s status on Thursday, 03-Apr-2025 05:21:55 JST
      in reply to argv minus one

      @argv_minus_one
      Impractical, expensive, not especially user friendly. Sure they are secure, but there are so many other things (again, imho) that make them not ideal to use for carrying user identities.
      @GossiTheDog

    • Christoffer S. (nopatience@swecyb.com)'s status on Thursday, 03-Apr-2025 05:21:57 JST
      in reply to argv minus one

      @argv_minus_one @GossiTheDog

      I genuinely think that #Passkeys may be the first and only real solution in decades to have a chance at replacing the password/MFA issues.

      It will work for individuals as well as organizations and their employees.

      Until then we'll have to accept reality which is compromised private computers leaking credentials, and having enforced MFA will help in some instances.

      Smart cards have never, imho, been a realistic solution for almost any organisation; ever.

    • Nick Drage (sonofsuntzu@mastodon.social)'s status on Thursday, 03-Apr-2025 21:01:43 JST

      @GossiTheDog if you sync with any account in Chrome it will sync all the accounts "within" that browser to any other browser using the same account?

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.