



After analyzing Sophos Incident Response (IR) cases from January to July 2023, Sophos X-Ops found that median attacker dwell time (the time from when an attack starts to when it's detected) shrank from 10 to 8 days for all attacks, and to 5 days for ransomware attacks. In 2022, the median dwell time decreased from 15 to 10 days.

In addition, Sophos X-Ops found that it took attackers on average less than a day (approximately 16 hours) to reach Active Directory (AD), one of the most critical assets for a company. AD typically manages identity and access to resources across an organization, meaning attackers can use AD to easily escalate their privileges on a system so that they can simply log in and carry out a wide range of malicious activity.

The dwell time for ransomware attacks also declined. Ransomware attacks were the most prevalent type of attack in the IR cases analyzed, accounting for 69% of investigated cases, and the median dwell time for these attacks was just five days. In 81% of ransomware attacks, the final payload was launched outside of traditional working hours, and of those that were deployed during business hours, only five happened on a weekday.

The number of attacks detected increased as the week progressed, most notably when examining ransomware attacks. Nearly half (43%) of ransomware attacks were detected on either Friday or Saturday.

The Sophos Active Adversary Report for Tech Leaders provides security professionals with actionable threat intelligence and insights to better operationalize their security strategy.

The Sophos Active Adversary Report for Business Leaders is based on Sophos Incident Response (IR) investigations spanning the globe across 25 sectors from January to July 2023. Targeted organizations were located in 33 different countries across six continents. Eighty-eight percent of cases came from organizations with fewer than 1,000 employees.