Report: Cybercriminals Abuse RDP in 90% of Attacks

Sophos, a global leader in innovative security solutions, has released the Sophos Active Adversary Report for the first half of 2024.

The report, which analyses more than 150 incident response (IR) cases handled by the Sophos X-Ops IR team in 2023, found that cybercriminals abused remote desktop protocol (RDP), a common method for establishing remote access on Windows systems, in 90 per cent of attacks.

This, according to the report, is the highest incidence of RDP abuse since Sophos began releasing its Active Adversary reports in 2021, covering data from 2020.

In addition, external remote services such as RDP were the most common vector by which attackers initially breached networks; they were the method of initial access in 65 per cent of IR cases in 2023.

External remote services have consistently been the most frequent source of initial access for cybercriminals since the Active Adversary reports were launched in 2020, and defenders should consider this a clear sign to prioritise the management of these services when assessing risk to the enterprise.

Analysing the report, Field CTO at Sophos, John Shier, said: “External remote services are a necessary, but risky, requirement for many businesses. Attackers understand the risks these services pose and actively seek to subvert them due to the bounty that lies beyond. Exposing services without careful consideration and mitigation of their risks inevitably leads to compromise. It doesn’t take long for an attacker to find and breach an exposed RDP server, and without additional controls, neither does finding the Active Directory server that awaits on the other side.”