Video: Active Adversary Roundtable May 2025 | Duration: 3709s | Summary: Active Adversary Roundtable May 2025
Transcript for "Active Adversary Roundtable May 2025": Hello, and welcome to this latest Sophos webcast where we'll be discussing the most recent active adversary report. My name is John Shire. I'm a field CTO here at Sophos and a member of the active adversary report team. In past webcasts, I've presented the findings of the report on my own, but this time we're doing things a bit differently. Instead of presenting a singular view of the data, I've invited some colleagues from different parts of the organization to help me untangle the findings and apply some in the trenches insights on what they mean. But before I introduce the panel, I wanna quickly summarize the key findings from this year's report. The major theme of the report was that incidents initiated through MDR escalations had better outcomes than those from traditional IR sources. This was followed by a large drop in dwell time, but it gets more complicated when we look at the details. Root causes of attacks continue to be dominated by compromised credentials, with exploited vulnerabilities following closely behind. Living off the land is commonplace and continues to grow as a favorite attacker tactic. And finally, remote ransomware, while not exactly new, is causing trouble for a lot of organizations. I'm joined today by Morgan Nimboski, a threat researcher in Sophos' threat hunting and intelligence team, Hillary Wood, senior MDR threat analyst, and Chris O'Brien, VP of security operations for Sophos. Welcome, everyone. I just gave your titles, but can you each give the viewers a quick thirty second description of the expertise you bring to this discussion, starting with Morgan. Yeah. Thanks, John. So as a member of the threat intelligence team, as part of the managed detection and response department, you know, me as well as my team really aim to analyze and enrich the data that's being collected by our MDR and our incident response teams. 
And as a part of that, we also keep a close eye and monitor the threat landscape for emerging threats that could possibly target our customer base. And the real goal is to enable us from an organizational perspective to be proactive, especially when it comes to tactical intelligence. You know, what tactics are threat actors using the most and how can we best detect and prevent this activity. So working with our MDR operations team and our threat hunters, we try to have a pretty well rounded and scoped out approach from an intelligence perspective. Sounds great. Hillary? Yeah. So I'm a senior threat analyst within the MDR team, and we essentially respond to critical cases within our MDR customer base. And so when customers are under active attack, we identify initial access and help them respond and remediate the root cause as well. I also do a bit of work within the active adversary team as well, just looking at trends specifically within our MDR incidents as well, just so we can identify patterns and help customers prevent attacks before they happen, essentially. That's great. And you are an essential part of our active adversary report team. And finally, Chris. Yeah. Hey, folks. So Chris O'Brien. I have the privilege of supporting our internal security operations team at Sophos. So our team's job is to protect Sophos as a company, but also our products in the field as well. So when our products get deployed out, you know, they're just as much subjected to these adversarial attacks as anything else. So making sure we shore up the production pipelines and all that sort of stuff is a big part of what we do. I absolutely thrive on the products that these teams produce and the actionable intelligence that we get out of this work. You know, I am very much at the receiving end of this and using this every single day. I'm not a product person. I'm certainly not. 
It's like, you know, I use Sophos products as part of our kind of security suite, but I guess I'm the authentic person in the trenches that John described, at the end of the day. You know, I just need to make sure the job gets done and we're protected from these threats. Oh, yeah. So hopefully, everybody can see we've assembled really three amazing experts here that will help us dissect all the data. So thanks for that, and let's get on with it. So the first thing we wanna talk about is this MDR versus IR outcomes. The report led off with the fact that MDR incidents just had better outcomes than traditional IR investigations. For the first time since we've been reporting on incident response investigations, network breaches topped ransomware as the most common attack type for the entire dataset. So, Morgan, I think it's fair to say that you represent the more proactive side of MDR. How does your team's forward looking actions contribute to the rapid identification of threats and these better outcomes? That's a great question. So as a threat intel analyst on the MDR team, our job is to really stay ahead of the curve. So in other words, anticipate adversary behaviors before they fully unfold. And in my opinion, that really comes down to two things. One, ensuring detection coverage for activity that we may not have detections for yet. And oftentimes, we leverage reporting in the threat landscape to be proactive in blocking and detecting threats that may try to target our customer base. And two, hunting for threats that we assume have evaded our defenses. When it comes down to it, no one defender tool can catch everything. It's just physically impossible with the breadth of malicious activity that we see. So that's why things like threat hunting are so important because, you know, the whole premise behind threat hunting is assuming that attackers have evaded your defenses in some way. 
So both of these things together, along with tracking attack trends across the incidents targeting our customer base, contribute to us proactively searching and identifying threats, ideally before they're able to negatively impact an organization. Yeah. I think it's really important because what you guys do feeds back into the product in a very meaningful way, which, you know, if we did miss something once, we're not gonna miss it again, and then by definition the rest of the platform benefits. So, Hillary, in contrast with Morgan, you're in a more reactive role. You jump into the action when something's gone wrong. And how does being part of an MDR team differ than, let's say, our colleagues who deal with incidents coming from outside of Sophos? Mhmm. Yeah. So I think one of the key differences, in terms of working within the MDR team specifically, because we have that added benefit of the Sophos MDR agent continually monitoring and detecting potentially suspicious behavior very early on, we often detect and respond to the incidents much earlier in the attack chain, in comparison with those incidents that are coming from outside Sophos, for example. So, yeah, I think when we're looking at incidents coming from outside Sophos, sometimes these are only identified or detected at the point of impact, when a customer sees encryption or is notified of a data leak or is made aware of data exfiltration in some way. Whereas within the MDR team, we can detect incidents at the point of initial access attempts, enumeration as well, and also lateral movement. So we're really detecting and containing the threat much earlier on, which leads to a lot less impact, I think, in the long run as well. I think as well the MDR team has that added benefit of taking response actions very quickly in real time at the earlier stages of the attack chain. 
And so when we see that threat actor behavior earlier on, we can very quickly disable compromised users, isolate machines, and block any C2 traffic that we might be seeing as well. So we can take those response actions very quickly, as well as benefiting from having readily available logs as well. We can also identify that initial access very quickly and quickly communicate that with the customer and get them to address the root cause as well. So yeah. Although we do see incidents that do have exfiltration and encryption, I think we do contain those earlier, which I think was reflected in the data in the report this year with a lot less ransomware attacks and potentially more network breaches that were contained earlier. Yeah. So again, just better outcomes. And you mentioned the word logs. We'll actually get to those a little bit later on. And you mentioned using tools, you know, Sophos technology. Chris, at Sophos, we actually use MDR as well. So how has that changed the way that we approach protecting the organization and, by extension, all of the customers that rely on Sophos? I mean, it's transformational. I mean, you know, everything you just heard described there is hugely valuable for us. I always like to say that we are kind of Sophos' best and worst customers. We're our best customers in the sense that we use everything and we give lots and lots of, you know, very good collaboration and feedback on our kit. But sometimes we do push the product a little bit where we see gaps and we want things to be improved. But I mean, you know, I think that some of the great examples that we've given there, you know, that Adrian was mentioning, it is based around this endpoint capability that we have. 
That endpoint has the ability to very much stop things before they become a problem. And that for us, you know, for any blue team, is fantastic. Anything that can save us, you know, having to kind of go even further in depth in that incident response is a massive, massive boost because that defense in depth, you know, that's difficult to maintain. We have to do a lot of work to build those various different kind of trigger points and detection engineering kind of capabilities to make sure we can catch those things. So anything that we can get that can sort of, you know, alleviate some of that pressure from us in those early stages. You know, whilst defense in depth, obviously, is the ultimate aim for this, protection is a really great way to avoid it actually happening in the first place. But what's also really valuable is, as both Morgan and Adri were saying, that we get this extra sort of enrichment around the stop as well. It's not just a stop and, okay, you were safe. Thanks so much. We get the full case report. We get all the detail about what was in there. We get all the extra enrichment from the intelligence reports. You know, that helps us understand what we can do differently in the future because it doesn't take a lot for the attacker to sort of change their sort of, you know, TTP and then get past that defense the next time. So I think it's really important for us to stay on top of that, and that's what MDR can give us: that full rundown, full information to make us better for next time. We've got a lot of stuff to deal with, and anything that can help us, you know, get ahead of the curve on that is always gonna be a benefit. Yeah. Brilliant. I mean, I guess, for the same reason that our customers enjoy the benefits of MDR, why not use it ourselves. Right? Absolutely. Absolutely. Yeah. 
Another area where we saw some dramatic differences between the case types, that's MDR versus IR, was with dwell time. As a reminder, dwell time is calculated as the time between an attacker first breaches a network and when they are discovered. Over the years, we've seen dwell time drop quite significantly in our data. Back in the old days of, like, nearly five years ago, median dwell time was about fifteen days. And in our most recent report, that number was down to two days for both MDR and IR combined. So, Morgan, when we dissect the numbers, we see a now familiar pattern emerge where the MDR cases have much shorter dwell times, two days, than IR cases at seven days. How does threat intelligence and threat hunting give you what seems like a head start on the attackers? Yeah. So in MDR, our edge really comes from combining that high fidelity threat intelligence with detection engineering that's ideally always evolving. You know, we're not just reacting to known threats. We're proactively building detection logic around emerging TTPs, around suspicious behaviors, and things like anomalous tool use. And this constant vigilance means that even subtle or pre ransomware activity like credential testing or lateral movement is ideally flagged early. And in addition to detections early on in the attack chain, we also take that up to date intelligence from active campaigns, malware families, and adversary infrastructure to deploy what we call hypothesis driven hunts before an alert even hits the wire and ideally get a head start on attackers who are trying to evade our defenses. Yeah. That's crucial. Really, again, I'm gonna keep referring to it, but that loop, right, of just trying to stay ahead of things just makes such a huge difference. Now despite being on the more reactive side of things, you know, with your cases, Hillary, we're still seeing better outcomes from MDR escalations than pure IR engagements. 
Interestingly, ransomware remains fairly steady at about three and a half days for both types of engagements. What is it about ransomware attacks that still costs attackers time? Yeah. I think that's quite an interesting one. But I think that with ransomware attacks specifically, they tend to follow a very common attack chain, with a number of stages executed prior to the ransomware deployment and prior to that encryption occurring and being detected. And some of these stages can take time for the threat actor to carry out, particularly when we're looking at data collection, data staging, and then that data exfiltration that often occurs prior to the ransomware deployment and encryption occurring. There's a few other stages of the attack chain as well that can take the threat actor time to carry out and perform effectively, so that they're gaining the information they need. So, when we're looking at the ransomware attack chain in general, prior to the encryption, we often see the attacker gain initial access, create persistence, and then perform enumeration on the network. So enumerating the network is also one of the stages that can take the threat actor time to carry out. And then shortly following that is often when we see that data collection, data staging, and then finally the exfiltration of that data outwith the network. And I think we're seeing that probably more often in MDR incidents. Now, we usually see, if there is encryption, we see that accompanied with the data exfiltration shortly prior as well. And if it is a targeted attack, it does take the threat actor time to effectively enumerate the network, pivot to those critical systems like the file servers, and manually exfiltrate that data that they're looking for, before deploying that encryption. So, yeah, I think having that consistent dwell time is pretty reflective of the attackers. 
Acting quick enough, I guess, to avoid detection, but also taking enough time to effectively perform enumeration, staging, and that exfiltration prior to actually deploying the ransomware itself, which is probably why it's consistent across both customer bases. Yeah. Yeah. So it's, you know, when you've got the humans involved. Right? It's not like you've got the superpowered AI doing all this stuff. There's actually humans on the other side that need to do this stuff. I've often said that defenders, I've always said that it's really defenders that can actually make this dwell time go to zero. And I imagine, Chris, in your team, that's something you probably spend a lot of time thinking about. What are some of the key ways that you try to shift that advantage? I mean, hey. If you know how to reduce it to zero, please let me know because that is, yeah. I mean, like, it would be wonderful if we could, but I think we've got to bear in mind that there's also a human on the other end of this who's deliberately trying to make this not go to zero as well. Right? I often think of dwell time more as a feature of the actor and their ability to stay hidden than necessarily a missing capability in the security tooling, although, obviously, we're always looking for ways to get better in that as well. You know, but a lot of what we're talking about here is about we have multiple shots at sort of spotting this. Again, defense in depth has to be the thing that we go back to. I think Heather, you made a really good point there, which was talking about, like, there's multiple different stages of this life cycle where we see different activity from different actors. And, actually, some of them are better at different stages of that than others. 
What we need to get really good at is being able to instrument all of them together and join the dots between them because we might miss one, you know, step in the life cycle, but we wanna catch the other one. And then if we can just sort of, like, join that together, we can sort of interpret, you know, the difference between them and sort of see what we missed. And then not only does that help us catch the actor, but it also helps us kind of shore up our defenses for the next time. And that's, I think, something which, yes, we can definitely help with there because I think what we bring is a little bit more understanding of our own network and our own, you know, our sort of understanding of a little bit more of our own threat profile. And I think that's really interesting. You know, when we start thinking about those threat hunts that Morgan was talking about and the hypothesis driven threat hunts, we can take a little bit of a lead there as well for ourselves and start looking into something like, so what is it about us that makes us particularly interesting? What are our key assets? What are those things that we need to start really looking at a little bit more closely? And whilst dwell time, I'm always gonna try and push it towards zero, I have to understand that I may not always get zero. But at the very least, I need to catch it before that dwell time turns into something quite dangerous. You know, some actors are quite happy to sit there and just have established footholds in your networks, and the dwell time is very, very large, but they didn't really do anything damaging just now. I'm not saying that's a good thing, but it's not always necessarily the only metric that we wanna be focusing on. But if we're looking at the whole life cycle, then I think we stand a good chance of being able to stop it before it starts becoming a problem. Yeah. 
I think for me, cryptominers is the one that comes to mind with these long dwell times. Right? They just wanna be on there and hiding and doing their thing and collecting their fractions of a penny per month or whatever they... Right. Right. If anything, catching them too early can be dangerous because that's when it could be that they then drop the ransomware that gives them the extra bonus money if they didn't get the cryptominer deployed. Right? So I'm not saying it's a good thing, but it is also something we need to be just, you know, conscious of how we approach it, I think, is the key part. Yeah. So we track two specific metrics that help us understand the start of attacks. One is initial access, which is how the attackers got in, and the other is root cause, which is why that worked. Root causes for the past two years have been led by compromised or stolen credentials, followed by exploiting vulnerabilities. Morgan, we've seen some high profile breaches this past year involving compromised credentials. I'm thinking about the Snowflake incident as well. There's some compromises of Atlassian cloud credentials. And it seems that a lot of that is driven by infostealers. How do all these breaches and, by extension, all the stolen credentials floating around inform your team's activities? Yeah. I think the sheer volume of credentials being harvested and traded through infostealer malware has created a very wide attack surface. Often, we see threat actors actually choose which organization to target based on the compromised credentials that they have access to or that they're able to buy from cyber criminal forums. And, you know, even more than that, even months after an initial infection, we can see the same credentials resurface in new attacks, sometimes completely disconnected from the original compromise. So the threat is multifaceted here. And for that reason, in MDR, we treat credential misuse as a primary threat vector. 
And as a result, we do things like monitor for suspicious authentications tied to infostealer logs. We try to track usage patterns against known abused services like VPNs or RDP, and we try to, like, correlate login activity across customer environments. And this context really allows us to identify when legitimate credentials are being used maliciously, with the goal of doing that often long before ransomware or other types of malware payloads are being deployed. And I think the high profile breaches that you mentioned highlight just how porous the credential landscape has become. And that's why threat intel on infostealer campaigns, on dark web credential dumps, and cloud access patterns directly feeds into our detection and our hunting strategies. We're watching for not just how adversaries exploit that stolen access, but also where it came from as well. Yeah. So, you mentioned sort of threat or infostealer intelligence, a bit of a plug for news.sophos.com where we report on a lot of this stuff that your team and everybody else finds. Hillary, obviously, compromised admin credentials are really concerning. But are there other compromised credentials that can be just as damaging in the hands of an attacker? Yeah. So there definitely are a number of other credentials that are equally as damaging as well. I think one of those specifically being service account credentials. And so very similarly to admin accounts, service accounts also have very high privileges and have widespread access to sensitive data and sensitive systems as well. And on top of this as well, they're often monitored a lot less as they can be automated. And because of this as well, sometimes there's no MFA applied to them. So they are high risk, and also high reward for attackers as well, in terms of compromising those credentials. There's a couple of examples that I think we do often see within MDR incidents. 
One of those being service accounts running backup tools. So Veeam service accounts, Backup Exec, as well as Commvault service accounts as well. The Veeam service account is one we do see fairly frequently, and this account has very broad access to backup infrastructure, virtual environments, as well as network file shares as well. So we often see threat actors compromise this account and dump Veeam credentials, and then they have access to the Veeam database, which can allow for exfil and data manipulation as well. So yeah. That one is very critical, to ensure there's frequent password rotations and frequent audits as well. We see similarly as well with the SQL Server service account too, which again similarly has access to very critical data and has elevated privileges. And, yeah, the other credentials that I want to mention as well, I think Morgan brought it up there, but it's VPN credentials and other credentials for remote access as well, which again is something we see frequently and is very damaging to customers as well. So when MFA isn't enforced on the VPN, attackers can brute force. And if successful and the TA lands in the domain, they can easily move laterally and escalate privileges. And, yeah, we see this more frequently, with even higher risk, with customers who have VPN user misconfigurations, who often have the domain user group nested within the VPN users. So yeah, we do see that. And if there's, unintentionally, a domain admin account nested within that VPN access group, any successful brute force into that group means that the threat actor immediately can move laterally with elevated privileges already. So that is something we have been seeing more frequently as well. So ensuring those VPN credentials are protected, as well as those service accounts as well, I think, is also critical. Yeah. 
So you mentioned MFA, which is a nice segue because MFA was unavailable in sixty three percent of the cases we investigated this year. And this is one where we really didn't see any meaningful difference between MDR and IR. Now it's not a big secret that phishing resistant multifactor authentication can have a massive impact on an organization's security. But, Chris, what else can organizations do? Now that you've heard what Hillary was saying about all those service accounts, what can you do to strengthen the authentication game? I mean, when I read this in the report and I saw this stat, I had these mixed sort of emotions of, on the one hand, being completely, you know, Jack's complete lack of surprise. At the same time, just so sad that we're still dealing with this as an issue, and it is a real issue. Right? Like, as in, and I wanna call out that this is hard. Right? Like, it is so hard to lock down authentication from a kind of blue team perspective because, you know, I've worked in these fields before where I've been looking at the data and doing security research and saying, it's really simple, folks. Just make MFA available. It's super simple. Just turn it on. Right? But then when you're actually at that kind of, you know, at that end of the sort of sphere where you're actually sort of like, right now, I've gotta change the user behaviors of potentially thousands of people in my organization to now you've gotta do this extra thing every day when you log in in the morning. That's actually a really challenging, like, business change process to kind of, you know, instigate. And I'm not suggesting this isn't a reason why we shouldn't do this. I'm just saying it's hard. And, actually, you know, there's a part of this where we're kinda like, hey. Has this technology not been around for a while? Should we not be doing this already? 
There's another part of this which is just like, I'm really sorry, but doing it at this scale, for the kind of scale that, you know, we and a lot of our customers will be dealing with, it's actually a difficult, like, ask. But, ultimately, that's something that we've gotta work on, and we've gotta improve that somehow. And whether that's about getting, you know, better workflow processes for MFA, you know, that could be something we could do. And, I mean, passkeys, obviously, are now becoming like the sort of technology du jour, and I think that's something, you know, for a good reason because a lot of what we've talked about there in terms of the, you know, risks, you know, for example, like Hillary mentioned, service accounts, which are hugely prevalent in organizations, you know, all over the place for automation purposes, will only become more prevalent as AI starts to become a thing and we automate a whole bunch more stuff away. We need to start using public key encryption capabilities a lot more than we are doing, and so passkeys will be a great way to do that. This is something that we can do a little bit more safely and a little bit more securely. We don't require that MFA. And by the way, MFA, as we've suggested, is already quite compromisable. Like, ultimately, you know, in theory, that second factor is something that is, you know, secure. But as we've seen, we've just basically introduced another attack surface, you know, someone getting onto your phone and being able to read your one time password through your SMS system or something. So moving to something like passkeys, well, there's always arguably the private key is now potentially vulnerable, but, like, you know, it's a better technology. It's a better way of moving forward. That's something we've gotta start working on a bit more. But it's hard. You know? Like, this is hard. 
This is about enabling users to do what they wanna do, and the actors are leveraging that. That's smart. Right? And that makes it a more challenging prospect for us. But we've gotta push those technologies. And where those technologies don't work, we've gotta come up with really good detection engineering capabilities to start spotting, you know, the presence of the abnormal and the absence of the normal in that process too. But that's a whole other... I could talk for hours on that topic as well. And I know that this is a hard problem. In a sense, I'm really sad that it's still here, but I get it. Like, it's a tough one. Yeah. Yeah. And so that's where defense in depth comes in, and there's lots of... I mean, nobody said security is gonna be easy. Right? And, you know, getting away from knowledge based multifactor authentication, I think you mentioned passkeys and, you know, I've got, like, five unique keys around me here. So Yeah. And that's important. Right? So I wanna circle back on the key finding and look at the second most prevalent root cause, which is vulnerabilities. And a few recent threat reports that I've read, including our own Sophos 2025 Threat Report, pointed to edge devices as being material in attacks, specifically vulnerable edge devices. And the kicker is that many of these vulnerable devices actually had a patch available for them, some for as long as a year. So, Morgan, how do known vulnerabilities figure into the work that your team does? And, you know, I think it's probably gonna be a little bit more like this infostealer stuff. Right? Yeah. I mean, you hit it on the head there. Unpatched edge infrastructure is still one of the most frustratingly common weak points that we deal with, other than compromised credentials. 
And as a result of that, our threat hunts really try to prioritize those known exploited vulnerabilities, especially for Internet facing devices like VPNs or things like file transfer software. So when there's a vulnerability or a CVE that's actively exploited in the wild, especially one that's been known to be used by ransomware affiliates, we often try to pivot our threat hunts and our detections towards those exploits immediately. And part of our role in MDR is continuously updating detection rules and advising customers on the most at risk software or applications in their stack. So even if a patch has been available for a year, attackers know quite well that many organizations lag behind. And attackers even use things like vulnerability scanners to find organizations with vulnerable edge devices. So we try to use threat intelligence on, you know, up and coming vulnerabilities to help close that gap. Yeah. Quick plug for managed risk. If you haven't done an external attack surface scan, I think you should probably go ahead and do that now. The third most common root cause was actually brute force attacks against external remote services, against these edge devices. I know after having read hundreds of case reports, Hillary, that your team sees this quite frequently. What kind of tips do you have for organizations to ensure they're not falling victim to this particular attack? Yeah. No. Brute force definitely is a big pain point for MDR incidents. I think it's definitely what we identify as root cause in more than half our incidents: brute force attacks against the VPN. And more often than not, those don't have MFA enabled. So, yeah, I think the number one tip here would be to ensure MFA is enabled for all VPN users. I know Chris just mentioned some of the difficulties in implementing that sometimes within an organization. But, yeah, we would definitely recommend to get ahead of that and implement MFA before it's too late. 
Don't be looking at that retrospectively once a successful brute force attack has already happened. So yeah. I look to do that ahead ahead of the game. I think the other common brute force attacks we also see are just against, exposed RD Web Access portals as well, which are available publicly. Again, these often, if if we see successful attacks, don't have MFA enforced. So again, ensuring MFA is enforced there as well. And I think the third one we do often see is brute force against remote desktop servers as well. Again, we we often see customers with, RDP ports, publicly exposed to the Internet as well. So just taking action to do simple things, like restricting public access to to RDP ports, and other other, services such as SSH, and FTP where applicable as well. Definitely would, reduce the chances of brute force, fairly significantly as well. So, yeah, there are difficulties around that. But if those, can be actioned, I think it would it would make a huge difference in in the attacks that we're seeing within MDR as well. Yeah. So it kinda seems to be like MFA, especially on the outside external services, is really just a must have these days. Something that both initial access and known causes have in common is, unfortunately, the unknown category, and this is largely driven by missing telemetry. So I said we'd be getting to the logs. In 2024, 47 percent of the cases we investigated were missing logs. The reasons were varied. Sometimes the attackers cleared the logs, sometimes ransomware encrypted them, but we also saw cases where they were either insufficient or not configured at all. So, Chris, what can our organizations do to make sure that they have all the telemetry they need to not only detect early, you know, that getting a zero thing, but also reconstruct an attack after the fact to understand how to prevent another one. Yeah. Yeah. No. And and that's that's a that's another really tough one. Right? 
Like, I think this is this is one of those ones where if you if you knew where all the logs were and you could get them all, then this would be a very, very simple problem. And and, generally speaking, this is a very complex problem. You know, we're not just dealing with one or two tools here. We're dealing with the myriad of, you know, various different, you know, SaaS apps that people use in business nowadays. Some people have their entire HR systems running in cloud environments nowadays as well. It's very, very normal. It it wasn't that way a couple of decades ago. And even getting logs for your own tools that you have full control over is is tough. You know, so so trying to get that from a third party application, you you know, hopefully, they're in a format that you can use. You know, this is this is a really challenging prospect for anyone anyway. When you add into that, you deal with operational environments. You know, for example, as we do, we deal with a lot of our own products and, you know, having to kinda, like, get logging from our own tooling as well. You know, our engineers are fantastic. They do a great job, but they're not writing logs for our use case all the time. Right? So we need to find ways of not only normalizing, you know, the logs for a network edge point, you know, endpoint, as you sort of mentioned, you know, our network edge devices, we need to get logs from there, but also we can correlate with our kind of internal corporate, logs, for example, which is a challenge. These are these are very difficult data driven challenges. Approaching that from a data perspective really, really helps, you know, coming at it from the perspective of saying, like, right, you know, let's make it very, very easy to get logs into our kind of, like, wherever our log analysis capability is. It sounds really silly, but actually that ETL step needs to be as simple and low friction as possible to make that happen. 
Try and make it self-service where you can and make it so that people can give you logs rather than you having to go and get them. Right? But but, you know, little things like that will really, really help with that process. Make sure you've got a good normalization process as well. Consider what schema you want to normalize into. If you can standardize it, do that because there will be other standards as well that, you know, where you'll be able to kind of, like, get some, like, you know, quick wins there if someone else is using a similar sort of format as well. And as you mentioned, you've gotta test it, you've got to drill it, you've got to have that, yes, you want to reconstruct these attacks, but even just very simple tabletops, right, it doesn't have to be a full technical implementation to reconstruct. It can just be a simple case of right. We would if we were hit in this part of the business tomorrow, would we be able to respond? It actually is a very short thought experiment to sort of say, like, well, I'd need these types of logs, and I'd need these fields in these logs. Right? It's not just about having the logs, but having the right logs. And then you suddenly realize, oh, yeah. We don't have that. We should probably do something about that. And try and get someone else to write those scenarios for you, not your own team. And that sounds really silly. It's not necessarily that you're gonna, like, make it easy on yourselves, but it's that extra viewpoints, that diversity of thought that will help you arrive at those decisions as well. And and and on that point, I just wanna, like, touch on something that we were talking about earlier as well around those network edge devices and the fact that these things don't get updated, you know, that regularly. This is a problem that everyone has. Right? You you buy a a network and and a network edge device. You put it in the rack, and you kinda leave it there. You don't tend to think about updating it that often. 
You know? How many of us have a home Wi-Fi router at home? How many of us have been on that and, like, tried to update it manually? You know? You just kind of expect it will get updated either by the people that maintain it and that run it, or they don't, and they'll be fine. Right? It's it's something which is it's it's a relatively new concept that we're starting to move into this area of, like, oh, we need security coverage for those too. We need logs for those too. We need telemetry for that too. That's something which also brings a lot of privacy concerns with it, and rightly so. This is a new technology that we're starting to kinda get get more visibility into. And that's only gonna keep growing as we find more and more reasons to get these logs in that we can start doing better and better analysis on it. So, yeah, it's it's, make it as low friction as possible. Try and do the best job you can. Test yourself and push yourself through it. But, like, be ready for this to continue to get more and more important as we start to a new you know, really illuminate where all these actors are going. They're gonna start getting into places that you never thought they could before, and you're gonna need Vauxhall. Yeah. And then often in those logs, you find things like living off the land binaries or LOLBins. Right? And these are tools that are found natively on Windows operating systems. And in 2024, last year, we saw a 126% increase in the number of unique tools being used by attackers over the previous years. We also saw commonly abused tools like AnyDesk, SoftPerfect Network Scanner, rclone, and many other legitimate tools, that also continue to be favorites among attackers. And, Morgan, we've seen Cobalt Strike decline, at least in our telemetry, from 48% in 2021 to only 8% in 2024. Why do you think that is? Yeah. I think Cobalt Strike's decline is a really classic case of detection pressure shifting attacker behavior. 
So as Cobalt Strike abuse by threat actors just blew up a few years ago, defenders got really good at detecting its signatures, like Cobalt Strike C2 servers, fingerprints, and watermarks. And that makes it much more difficult for attackers to use it undetected. Nowadays, most defenders have detections tuned specifically to Cobalt Strike's beacons and post exploitation payloads. So while it is still used in some targeted cases, it's no longer the go to for many attackers, especially those who are trying to stay under the radar. Instead, you know, we're seeing a shift to other post exploitation and pen testing tools like Brute Ratel or Sliver or even custom frameworks. But most commonly, we're seeing attackers fall back on what blends in the most, legitimate tools and, as you said, living off the land binaries or LOLBins. That's easy to say. Right? Yeah. Now in contrast to Cobalt Strike, Hillary, the use of Impacket has been on the rise, and it took the top spot of abused tools where it was used in thirty five percent of cases this past year in our data. Now what is it about Impacket that made it the go to tool for many attackers last year? Yeah. So we we see a lot of, use of Impacket tools within MDR incidents. And it's often our first detection or first indication of compromise. We'd be looking at sort of top detections with our incidents, and it very often comes out in the the top five, detections triggering within our incidents as well. So, yeah, we we tend to see it being used. We see a number of the tools like secretsdump, wmiexec, smbexec, and atexec as well. And these tools are used for, various things such as credential dumping, lateral movement, and to perform enumeration from remote systems and also to execute code remotely as well. So I think I think because of this, this is one of the reasons that these tools are are becoming favorable for attackers. 
The Impacket toolset is very versatile and has, multiple uses as I've just mentioned there. It can be leveraged, for for a number of outcomes as well. So, yeah, like I said, lateral movement, credential dumping, I think secretsdump is probably, the most common, Impacket tool that we see leveraged. The other thing about Impacket tools as well is, they're often considered fileless, in the sense that they don't necessarily drop binaries, on the target or the victim machine specifically, which can be quite appealing for attackers, for defense evasion purposes, and just to reduce the the chances of detection there as well. The other thing as well we see we do see Impacket tools used legitimately for administrative purposes, quite often. So this is is another, I guess, appeal for attackers in leveraging these tools as they can sort of hide amongst, legitimate admin activity and aren't necessarily always flagged if, if an organization does use that legitimately as well. They can sort of hide and evade defenses that way by leveraging the Impacket tools. That's actually so you learn something every day. I didn't know that people were actually using Impacket for, you know, for administrative purposes as well. And so, Morgan, circling back, you know, why are some attackers preferring LOLBins over, let's say, some of these other tools like Cobalt Strike, like, you know, Brute Ratel, Sliver, whatever? Yeah. I think LOLBins offer evasion by design. They're oftentimes built right into the operating system. They're legitimately signed, like, by Microsoft. They don't trigger the same alarms as third party tools like Cobalt Strike. So from a threat actor's perspective, using tools like PowerShell, like PsExec, or even rundll32 allows them to have the same capability while masking it under the guise of legitimate behavior. So they also reduce an attacker's footprint. There's nothing to drop. There's nothing to compile. 
There's less risk of getting caught during execution. So for defenders, that kind of raises the bar. Now we need to detect abuse of legitimate tools based on the behavior and how they're used, not just the binary. So that makes things more difficult from a defender's perspective and thus more attractive from an attacker perspective. Yeah. That that signing thing, right, that kinda gives us the imprimatur of legitimacy. And then, Hillary, are there I'm thinking, you know, to your side of things when you're analyzing, when you're looking at escalations. Are there any specific LOLBins that you're seeing being used in ways that defenders should really be watching out for? Are there specific ones out there that you're like, oh, when you see that, like, look out? Yeah. So I think I guess, with the sort of common use of RDP and PowerShell, we see a lot of, LOLBin use in MDR incidents for discovery and for enumeration purposes. So we very commonly see the use of whoami, ipconfig, and net commands as well being run. I think the main one that we do see and is less, associated with false positives is probably the use of nltest. So we very commonly see threat actors execute nltest to enumerate trusted domains. That's something that gets flagged within MDR and often leads to us discovering an incident and and then reviewing initial access as well. So I think nltest is a big one that we do see very frequently and just at the earlier stages of the attack. The other one as well with that, I think it was mentioned in the Active Adversary report this year, was the use of Notepad. So I think that was in in the top 10 for the for the first time. And we often see threat actors using Notepad to to browse files on the network as well as including looking at, files that are containing plain text passwords, which happens a lot more frequently than than you'd like to think. 
We do often see, yeah, passwords stored in plain text, including admin passwords and service account passwords as well. And that is is quite a quick way for threat actors to then elevate privileges, just from accessing, text files. So, yeah, there's definitely interesting, I think, detection capabilities around that, and the use of Notepad as well as, storing those credentials in plain text as well is something that probably should be looked into as well. Yeah. So when I think about whoami, it's either you got an attacker in your network or you've got a user with an existential crisis on their hands. So protecting against many of these tools seems pretty straightforward. The obviously malicious ones will be blocked by your endpoint protection, while the legitimate tools, you know, you can manage those using things like application control. And the problem for a lot of IT admins out there is what do you do about the LOLBins? Right? So Notepad is a really good example. Right? If you click on it on the icon, that's probably legit, but if you're running it from the command line, who knows. Right? And the perennial leaders in this category, you mentioned some of them is, RDP, PowerShell, cmd.exe, and the whole host of other commonly used and useful admin tools. So, Chris, another easy one. How can you strike a balance between allowing the use of these tools by the good guys and preventing their use by the attackers, especially when we're talking about LOLBins? I'm I mean, if you know the answer, let me know. But, like, I I there there there's obviously there there's a lot of thought around this topic. Right? And this is you you we've already just talked about them. Like, actually, genuinely, who does run whoami? Right? Like, who who genuinely wakes up in the morning logged on to their system and runs whoami? 
Maybe, you know, the high end engineers that are running multiple boxes at once that need to identify what box they happen to be running on at the moment. That's a very, very thin use case in most organizations I would wager. You know, I think that the majority of corporate users are not using these sorts of commands. And it and it really comes back to you know, we talked about behaviors, right, tracking behaviors. In a in a sense, I was just reflecting on this that, like, you know, we talk about behaviors a lot and we can, you know, espouse the virtues of UEBA or, composite detection logic, which we should all, like, look into for our various different use cases. But, realistically, the thing we're looking for is impact. It's it's what's the impact that activity is having. You know? Because it's the yes. It's the behavior, and should that behavior be, you know, the the kind of thing that that user's doing, but, actually, did it have an impact? Did this person log in and suddenly enumerate the entirety of our I I AI sorry. I'm estate and, like, try and figure out who the admins were. And then when they found someone that had, like, the word admin, like, you know, did, like, an extra step of enumeration on that particular user to find out what that looks like. It it's it's that impact it's that, like, what does normal look like? And it it you know, if you were ever trying to, like, sneak into a nightclub or something, I'm not saying I ever did as a kid, but, like, you know, part of the problem is, like, you get in there and you just try and act normal suddenly all over an instant. You're like, how do I blend in with the crowd? And you you never get it right. Right? Like, that's the thing. Some, like, some people will just, like, try and, like, I don't know, like, do the weird whistling thing and, like, wander off. And again, I never did this, but who knows? 
There there's there's something here about saying, like, the actor doesn't actually know what normal looks like in your network. They have a certain way of doing things, and they're gonna try and blend in. But there's there's actually ways you can look at that from a spectrum. Like, what what would I do if I was an actor in my estate? What would I then key into? And then look to set those traps in the right places. I think there's things you can do in this space. We need to move away from this idea that, like, you know, IOC is the only way to go. Like, it's in the name. It's binary. Right? It's a hash. We're gonna be able to detect it because it's the hash. It's like, well, that's old thinking. We need to start thinking about how we're actually gonna detect this in the environment we've got. People are gonna get into our nightclub. We need to keep an eye out for the people that are trying to act like they belong. Yeah. And I also think of the, reminder of the Steve Buscemi meme. Right? Like, hello fellow kids. Yeah. Yeah. Right? They'll stand out on the aisle if you look for them. Yeah. So, yeah, knowing normal. Right? That that's to me is is so crucial, and it has been for a long time. To me, this segment ties into remote ransomware because there's kind of a normal aspect to the the file transfers that are occurring in a network on a daily basis. And remote ransomware isn't really new. Right? So it's, but it's grown in our telemetry. It's grown 41% since 2022. And for those who aren't familiar with remote ransomware, it's it's the term we use when attackers use unmanaged machines to do their daily work. The bad guys still are basically adapting to our tools. And so I guess in a way, it's a testament to our success that they've resorted to abusing, you know, devices where Sophos isn't or can't be installed. Right? And so, Morgan, I know you and your team track a lot of different threat groups out there. 
And besides remote ransomware, what other kinds of tactics are attackers using today to circumvent our our defenses? Yeah. I think there's many ways that attackers are trying to circumvent defenses other than, you know, using, remote ransomware and taking advantage of unmanaged assets to kind of hide themselves. I think their goals are really to blend in, to avoid logging, and to delay detection until it's too late. And I think one of the major ways they're trying to to blend in to the environment, is by abusing things like remote management tools, AnyDesk, ScreenConnect, Splashtop, etcetera, you know, and often masquerading as legitimate IT activity. We also see attackers cleaning up their breadcrumb trail, clearing their logs, deleting their implants, or even executing their payloads in memory using obfuscation. And in addition to cleaning up the evidence, also one of the larger trends that we're seeing in MDR is the rise of active defense evasion. So tools and techniques specifically designed to neutralize security products before the main payload ever really lands. So attackers are using AV killers like tools that disable EDR agents or disable Windows Defender or even tamper protection features as an early step, you know, post access. And kind of as an extension of that, we're seeing an increase in, BYOVD tactics or bring your own vulnerable driver tactics where adversaries deploy known vulnerable drivers and exploit them to disable kernel level protections and blind EDR tooling. So I think moral of the story is it's clear that many of today's attackers are thinking about EDR and thinking about how to disable it from the outset. You know, not as a hurdle at the end of the kill chain, but something to eliminate early on and to evade early on. 
I think this, yeah, the EDR killers out there are there's an important I think I think it's an important tip out of that, which is if you're using an EDR solution and all of a sudden you see on endpoints using the telemetry that you have that Windows Defender has all of a sudden become active. That should probably be a signal that something killed your EDR and you need to go investigate. Remote ransomware doesn't it does most of its damage by design by leveraging unmanaged devices and also network shares. Right? What kinds of telemetry, Hillary, should organizations watch out for that can give them a heads up that they might have a remote ransomware incident brewing? Yes. I think I think like I said before when we were discussing, dwell time with ransomware, there are a number of, common attack stages prior to that encryption. A few of the ones I was going to bring up actually just, as Morgan was saying, one of the key things that we're seeing is those AV killers as well. So looking at, defense evasion tactics, such as clearing logs. Attackers tend to clear logs, and we're seeing a number of binaries, common binaries that are are, used to to kill, AV as well. There's a few other things that we also often see. So looking at enumeration and discovery, so often early on the the execution of Advanced IP Scanner or NetScan, are very common tools that we see early on. Again, these sometimes do have legitimate purposes. Some organizations certain users do use Advanced IP Scanner, for for the network. But having, I think, the the critical application control policies around that as well is pretty critical. And, yeah, just, going on from that is another, key pre ransomware indicator is also, just credential dumping. So looking out for common techniques, LSASS dumping, and also dumping the SAM hives as well. And so looking out for these things as well within the telemetry. And, yeah, just the final one as well. 
I think, ensuring you're you're, reviewing for, data exfiltration attempts as well. Again, the actors can often leverage, legitimate tools, such as WinRAR, 7-Zip, and FileZilla. So looking at activity surrounding that that's outside the norm in the organization, I think is is pretty critical to, ensuring you're you're detecting the the ransomware early on. And yeah. I would say a lot of we do see a lot of that activity on on unprotected machines as well. So sometimes if if that activity, the the device is unmanaged, we really need to, yeah. We cannot detect the earlier stages as well. So, yeah, as you say, ensuring all devices are protected is is pretty key as well. Yeah. So, then what you mentioned about exfiltration really speaks again to knowing your baseline, knowing normal. Right? So if you have an idea of what is a normal network traffic day, then all of a sudden if that doubles, then maybe you've got issues. Right? I mean, I I struggle. I I've yet to find an organization out there that uses MEGA as online storage. So maybe that's one you might wanna block. Alright. So, Chris, I think this is one that kinda, I think, would keep me up at night. How can organizations and this is specifically to address the unmanaged side. Right? How can organizations reduce or eliminate the exposure from unmanaged and specifically also unmanageable assets in the network that help contribute to the problem of remote ransomware? You know you know, I I I feel like I've said this enough times already, but I'm gonna say it again. It's it's hard. Right? Like, it's it's it's it's a tough thing to do. And, no, it's it's it's really important to call this out. And at the same time, as right as this can be, it it is a it is a problem. I used to be very critical of organizations that didn't have a fully enumerated network map of of all of their assets. And and then when you start actually digging into it, you're like, this is really hard. 
Increasingly so, it seems like an obvious thing to say, but increasingly so in an environment that continues to be very, cloud heavy. Right? If you start moving into more cloud environments, you inevitably end up yes. It's it's easy to to tear these things down and manage them a little bit better, but it's also very easy to spin these things up. And if you don't have good engineering processes and good IT management processes of just, you know, how people, create new infrastructure. It can pop up all the time, and you want that. You want your organization to be innovative, and you want people to press on and crack on and do things, and you don't necessarily want them to be entirely burdened with having to keep their, you know, test Linux environment, you know, patched with all of the latest bells and whistles when, you know, they're just kinda like devving up a little, you know, PoC for for some internal capability. At the same time, you're absolutely right. These are potentially little ticking time bombs that need to be kinda like thought about and managed. And so I think that, you know, I I think first and foremost, you know, making sure you've got a good relationship with your wider organization is really key. Having this conversation with them is really, really vital. Right? There is threat intelligence out there that says this is a threat. Let's identify, you know, meaningful and, you know, helpful ways to enable our engineers to do what they need to do and enable our IT teams to do what they need to do and and to try and stay as as, you know, supportive and and compliant as they possibly can, but, you know, step one. And that sounds like a really, really basic thing to do, but it is, you know, it's tough and it's something that needs people to work together and and having that collaborative end is is a huge part of it. Security is as much a people business as a technology business at the end of the day. 
Getting this threat shared with them in a way that means something to them is really, really important. So so so so do that. That that's a that's a big one. That's that's something we need to continue to do. And then on top of that, yeah, absolutely. You know, the technology is there and it's available. One of the great advantages of us being able to use the Sophos tooling is that we have for example, we can use Central as one of our kinda, like, tenant management solutions. This gives us insight into kinda, like, where things are deployed, and we can start to compare that with our wider asset register and understand where there might be gaps and things that we can work on and things that we can improve. But you need to do that constant checking and, you know, do that balance and still see where the diffs are and see how things are kind of, like, stacking up. I think that's really, really key at the end of the day. But most of all, yeah, just make it as easy as possible to do the right thing. I think that's the the most important thing with this. And the way you can do that is just by, you know, really illuminating the threat to people, working with the people that can make that change happen in your business, and just driving it in there and getting it in there. And, yes, that does mean, unfortunately, just having good patch regimes. I know it sounds like really, really, trite advice, but, genuinely, think about what that means to your organization. How do you actually make that meaningful more than just a line on a report? How do you actually drive that change into the business? Go and have those conversations. That's that's the main thing. Brilliant. Yeah. So the the title of this report this year was it takes two because I want to evoke, an idea of, like, you've got you know, you're an expert in your business. We're experts in the threat. Let's bring those together. 
But you're also talking about within the organization sometimes, you've got business unit experts and other people that can help guide the way that you, protect the organization. Right? So Good, Sam. I'd like to thank the panel today for joining me to dissect the key findings of the 2025 Active Adversary report. But before we go, I've got one more question for all of you. Bearing in mind some of the findings from this year's report, I'd like to ask each of you to give a really quick, you know, small tip action item that you think can make a big impact on their security posture, ideally something that they can implement quickly and easily. And we'll go in reverse order, so we'll start with you, Chris. It's it's it's gonna be a really simplistic one, but I mentioned passkeys earlier. I I still can't get that MFA metric out of my head. What was it? 63%, where MFA was unavailable. You know, passkeys exist. There is there is better technology available to manage authentication now that doesn't require you to break users' workflows. It it doesn't satisfy your criteria of being easy to implement. I will say that. But, hey, go go look it up. It's a technology that exists. Most, you know, applications will support it, if not all, nowadays. Definitely go, like, you know, push your vendors to see if they're using passkeys. That's something really valuable as well. I know it's something we're interested in. You know, we we we do that quite well at Sophos, and I think if there's gaps, we'll always push to do more as well. So, you know, yeah, I would I would strongly encourage you to look at that. Yeah. That's a good one. I agree. And Hillary? Yes. I think my number one tip initially was going to be, ensure MFA is enabled. But maybe, as Chris said, maybe passkeys is actually the way forward. So yeah. If, I would say ensure MFA is enabled if possible, and also ensure all assets are protected as well. 
Because, yeah, as we say with the remote ransomware, we often see that coming from an unmanaged device. Yep. And finally, Morgan. Yeah. I think, you know, I was actually gonna say it. MFA as well. That's the There's a bit of a fear here somewhere. It's You know, I think that's the thing that, you know, a lot of people just don't do. So, but I will pivot a little bit. I'll say, like, one of the simplest yet most impactful things that organizations can do, I think, is to audit for and remove unauthorized remote access tools. You know? The report showed frequent abuse of tools like AnyDesk, ScreenConnect, TeamViewer, other types of legitimate RMM agents. Also, the threat intel team, we're tracking, nearly 70 different tools that are abused, for remote access. And, you know, they're often installed by attackers pretty early on in the intrusion to establish persistent access. So, you know, the good news is that this is something that organizations can act on pretty immediately. The tools are pretty easy to miss especially in environments with decentralized IT or unmanaged endpoints, but setting up application control for new installs of remote access software and validating that every instance has a legitimate business case is a very fast, very effective step. I think that closes off a major avenue for hands on keyboard attacks. Yeah. It's a great point. I think, you know, most most organizations don't have that many. They use one or two. Some I've seen some that use, like, five or six, but this is a quick win. Right? Just block everything else you don't use and it kinda like you're burning down the haystack. You can find that needle a lot quicker if you're only looking for two different things as opposed to seven or more. Right? So I encourage everyone to go head on over to sophos.com/activeadversary to read this year's report. It's packed with even more stats and insights that, can hopefully guide your defender journey. 
And then for more information about how MDR can help you defeat cyber attacks, go to sophos.com/mdr. So that's all from us today. And until next time, stay secure.