Median Time to Data Exfiltration Now Just Three Days
A new Sophos Active Adversary Report reveals that in 56% of cyber incidents handled by Sophos Managed Detection and Response (MDR) and Incident Response (IR) teams, attackers gained access using valid credentials rather than exploiting vulnerabilities. Compromised credentials remained the top attack vector for the second consecutive year, accounting for 41% of cases, followed by exploited vulnerabilities (21.79%) and brute-force attacks (21.07%).
“Passive security is no longer enough. Organizations must actively monitor networks and act swiftly against observed threats.”
– John Shier, Field CISO, Sophos
The report, based on over 400 cases in 2024, highlights the speed of modern cyberattacks. The median time from initial compromise to data exfiltration was just 72.98 hours (3.04 days), while attackers took only 11 hours to make their first attempt to breach Active Directory, a critical asset for Windows-based networks. The study also found that dwell time—the duration attackers remain undetected—has dropped to two days for MDR cases, indicating improved detection but also faster-moving threats.
Other Key Findings:
- Ransomware remains a major threat: Akira was the most encountered ransomware group, followed by Fog and LockBit, despite a global crackdown on the latter.
- Attackers strike outside business hours: 83% of ransomware deployments occurred at night or on weekends.
- RDP remains a weak link: Remote Desktop Protocol (RDP) was involved in 84% of cases, making it the most frequently exploited Microsoft tool.
To mitigate these risks, Sophos recommends organizations close exposed RDP ports, implement phishing-resistant multifactor authentication (MFA), patch vulnerabilities promptly, and deploy 24/7 MDR or Endpoint Detection and Response (EDR) solutions.
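Two of the findings above (RDP in 84% of cases, 83% of ransomware deployments at night or on weekends) translate directly into a monitoring rule. The following is an added illustration, not code from Sophos or the report: it scans a constructed export of Windows Security log events and flags successful RDP logons (Event ID 4624, LogonType 10) that land outside an assumed business window; the pipe-separated field layout and the business hours are assumptions.

```python
# Added example (not from the Sophos report): flag interactive RDP logons
# (Windows Security Event ID 4624, LogonType 10) that occur outside business
# hours or on weekends. The log lines below are constructed for illustration
# and the pipe-separated field layout is an assumed export format.
from datetime import datetime

BUSINESS_START = 8   # 08:00 local, assumed business window start
BUSINESS_END = 18    # 18:00 local, assumed business window end

# Constructed sample export: timestamp|EventID|LogonType|Account|SourceIP
SAMPLE_LOG = """\
2024-03-04T09:12:44|4624|10|CORP\\jsmith|10.0.5.21
2024-03-05T02:47:10|4624|10|CORP\\svc-backup|203.0.113.45
2024-03-09T14:03:51|4624|10|CORP\\admin|198.51.100.7
2024-03-06T11:30:00|4624|2|CORP\\jsmith|10.0.5.21
2024-03-06T23:15:09|4625|10|CORP\\admin|198.51.100.7
"""

def parse_line(line):
    """Split one exported event into its fields."""
    ts, event_id, logon_type, account, src = line.strip().split("|")
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "account": account,
        "src": src,
    }

def is_off_hours(dt):
    """True on weekends (Sat=5, Sun=6) or outside the assumed business window."""
    return dt.weekday() >= 5 or not (BUSINESS_START <= dt.hour < BUSINESS_END)

def find_off_hours_rdp_logons(log_text):
    """Return successful RDP logons (4624, type 10) that happened off-hours.

    Failed logons (4625) and non-RDP logon types are ignored: the point is to
    surface valid-credential RDP sessions at times a legitimate user is unlikely.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["event_id"] == 4624 and ev["logon_type"] == 10 and is_off_hours(ev["time"]):
            hits.append(ev)
    return hits

if __name__ == "__main__":
    for ev in find_off_hours_rdp_logons(SAMPLE_LOG):
        print(f"off-hours RDP logon: {ev['time'].isoformat()} {ev['account']} from {ev['src']}")
```

In the sample, the Tuesday 02:47 service-account logon and the Saturday admin logon are flagged; the weekday daytime logon, the console logon (type 2) and the failed attempt are not.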