A new report reveals that 67 percent of all security incidents investigated by the Sophos Incident Response (IR) and Managed Detection and Response (MDR) teams last year were rooted in identity-related attacks.
The findings highlight how attackers continue to exploit compromised credentials, weak or missing multifactor authentication (MFA), and poorly protected identity systems — often without needing to deploy new tools or techniques.
The findings show a shift from exploited vulnerabilities toward compromised credentials, with brute-force activity (15.6 percent) drawing almost level with exploitation (16 percent) as an initial access method.
Median dwell time declined to three days., driven by attackers’ movements, but also by defenders reacting more swiftly. This is particularly notable in MDR environments. Attackers are also getting faster at reaching Active Directory (AD). Once an attacker is inside an organization it takes them just 3.4 hours to get to the AD server.
Ransomware remains a firmly off-hours activity with 88 percent of payloads deployed during non-business hours. Similarly, 65 percent of data exfiltration actions take place in off-hours.
“The most concerning finding in the report has actually been years in the making: The dominance of identity-related root causes for successful initial access. Compromised credentials, brute-force attacks, phishing, and other tactics leverage weaknesses that can’t be addressed by simple patch hygiene. Organizations must take a proactive approach to identity security,” says John Shier, field CISO and lead author of the report.
Researchers observed the highest number of active threat groups recorded in the report’s history, expanding the overall threat landscape and increasing the challenge of attribution. Akira (GOLD SAHARA) and Qilin (GOLD FEATHER) are the most active ransomware brands observed, with Akira dominating across 22 percent of incidents.
Interestingly the research finds no evidence of a major AI-driven transformation in attacker behavior. While generative AI has increased the speed and polish of phishing and social engineering, it has not yet produced fundamentally new attack techniques.
“AI is adding scale and noise but not yet replacing attackers. While in the future GenAI could be the next accelerator, right now the fundamentals still matter: strong identity protection, reliable telemetry, and the ability to respond quickly when something goes wrong,” adds Shier.
The full report is available from the Sophos site.
Image credit: Milkos/depositphotos.com
