In order to offer a current view of the threat landscape, Sophos publishes Active Adversary Reports several times a year.

The most recent data, published just weeks ago, covers the first half of calendar year 2023 and is aimed at tech leaders. Tech leaders, as the people responsible for operationalizing security strategy, need the most up-to-date information available in order to determine how best to deploy their team's time and resources for defense.

Here are the key takeaways from this latest iteration of the report to help bolster your organization's security posture.

The changing face of initial access techniques

Initial access is the adversary's first foothold in an environment. According to Sophos researchers, "External remote services" topped the list of initial access techniques, followed closely by "Exploit public-facing applications." Tech leaders need to be aware of these common entry points and prioritize the security of external-facing services and applications.

Valid accounts and compromised credentials

In a majority (70%) of cases, adversaries combined the abuse of valid accounts with external remote services. This highlights the significance of monitoring and securing user accounts, especially those with privileged access. The report further reveals that compromised credentials accounted for 50% of root causes, underscoring the critical need for robust authentication and access controls.

The MFA conundrum

Multi-Factor Authentication (MFA) is a well-known cybersecurity best practice. However, the report reveals that MFA was not configured in 39% of the cases investigated in 2023. Researchers note this is concerning because the cybersecurity industry recognizes MFA as a potent defense against unauthorized access. Tech leaders must prioritize the implementation of MFA to protect their systems effectively.

Reduced dwell time

Dwell time for attackers is down across all types of attacks, shrinking from 15 to 10 days. The dwell time in ransomware attacks is down from 11 to 9 days.

This trend could be both good and bad news. Shorter dwell times can signal that criminals are moving from intrusion to impact sooner. But they may also mean defenders are doing a better job of detecting nefarious activity.

Patterns in attack timing

The report uncovers intriguing patterns in the timing of cyberattacks. A significant 61% of attacks occurred in the middle of the workweek. Ransomware attacks followed a similar trend, with 62% taking place mid-week. However, an interesting spike in ransomware attacks was observed on Fridays, with nearly half (43%) of such attacks occurring on Fridays or Saturdays. Moreover, most (81%) ransomware payloads were deployed outside of traditional business hours.

RDP's pervasive role

Remote Desktop Protocol (RDP) continues to be a favored tool for cybercriminals, featuring in an astounding 95% of attacks. The report notes that RDP was predominantly used for internal access and lateral movement (77% of incidents), reflecting a notable increase from 2022. While external RDP use decreased, it remains a concern, with 18% of cases involving external access.

Dominance of ransomware attacks

Ransomware is still a massive problem. The report indicates that ransomware attacks accounted for 69% of all attack types. LockBit maintained its top spot in the first half of 2023, handling 15% of cases, followed closely by BlackCat (13%), Royal (11%), and a three-way tie between Play, Black Basta, and CryTOX (7%). Tech leaders should remain vigilant against the persistent threat of ransomware and take proactive measures to protect their organizations.

Know what to prioritize

As the cyber threat landscape becomes increasingly complex, tech leaders must arm themselves with knowledge and insights to protect their organizations effectively. By staying informed and implementing the necessary security measures, tech leaders can fortify their defenses and mitigate the risks posed by today's sophisticated adversaries. Learn how Sophos can help guide your efforts at Sophos.com.
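The RDP and attack-timing findings above translate directly into detection logic. The following is an added example, not code from Sophos or the report: it scans constructed Windows Security logon records (event 4624, logon type 10 = RDP) and flags three of the patterns the report describes, RDP from non-RFC1918 addresses, RDP outside business hours, and one account reaching many hosts. The business-hours window, the fan-out threshold and the record format are assumptions.

```python
"""Flag RDP logons matching the report's risk patterns: external source
addresses, off-hours timing, and one account fanning out to many hosts."""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample of 4624 logon events. Fields: timestamp, target host,
# account, source IP, logon type (10 = RemoteInteractive, i.e. RDP).
SAMPLE_EVENTS = """\
2023-05-10T09:12:00,FS01,alice,10.0.1.25,10
2023-05-10T23:41:00,FS01,svc_backup,10.0.1.25,10
2023-05-10T23:44:00,DC01,svc_backup,10.0.1.25,10
2023-05-10T23:47:00,SQL01,svc_backup,10.0.1.25,10
2023-05-10T23:49:00,APP02,svc_backup,10.0.1.25,10
2023-05-12T03:05:00,GW01,bob,198.51.100.7,10
2023-05-12T10:00:00,FS01,carol,10.0.2.9,2
"""

BUSINESS_HOURS = range(8, 18)   # assumption: 08:00-17:59, Monday to Friday
FANOUT_THRESHOLD = 3            # assumption: distinct hosts per account to review
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, host, user, src, ltype = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                       "src": ipaddress.ip_address(src), "type": int(ltype)})
    return events

def is_internal(addr):
    return any(addr in net for net in RFC1918)

def is_off_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS

def rdp_findings(text):
    """Return finding lists keyed by pattern name, built from RDP logons only."""
    findings = {"external_rdp": [], "off_hours_rdp": [], "lateral_fanout": []}
    hosts_by_user = defaultdict(set)
    for ev in parse_events(text):
        if ev["type"] != 10:          # ignore console, network and other logon types
            continue
        if not is_internal(ev["src"]):
            findings["external_rdp"].append((ev["user"], str(ev["src"]), ev["host"]))
        if is_off_hours(ev["ts"]):
            findings["off_hours_rdp"].append((ev["user"], ev["host"], ev["ts"].isoformat()))
        hosts_by_user[ev["user"]].add(ev["host"])
    for user, hosts in sorted(hosts_by_user.items()):
        if len(hosts) >= FANOUT_THRESHOLD:
            findings["lateral_fanout"].append((user, sorted(hosts)))
    return findings

if __name__ == "__main__":
    for name, hits in rdp_findings(SAMPLE_EVENTS).items():
        print(name, hits)
```

On the sample data the off-hours fan-out by svc_backup is the pattern that matters most: a single account touching four servers late on a Wednesday night is the internal lateral movement the report attributes to 77% of RDP use.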