MDR vs IR: Key gaps in cyber readiness and what to do about it

The latest Sophos Active Adversary Report reveals a critical divergence in outcomes between organizations using managed detection and response (MDR) services and those relying solely on incident response (IR).

The 2024 dataset, drawn from 413 cases across 32 industries and 57 countries, shows that ransomware—once the dominant threat—has fallen behind network breaches among MDR customers. While ransomware still led IR cases at 65%, it was only the third most common threat type among MDR engagements (29%).

That shift points to MDR’s advantage in faster detection and response. Median dwell time for MDR cases was just one day, compared to seven days in IR-led investigations. Notably, in ransomware cases, MDR cut dwell time nearly in half: 3 days versus 7. Faster detection also correlates with a higher rate of aborted ransomware attacks and mitigated lateral movement, suggesting MDR may not only contain breaches but prevent full execution of an attacker’s playbook.

Despite these gains, root causes remain depressingly familiar. Compromised credentials accounted for 41% of intrusions, and MFA gaps continue to haunt organizations: 66% of IR cases and 62% of MDR cases involved missing or misconfigured MFA.

Old tools, new pain: Attackers exploit familiar weaknesses

The report also highlights persistent abuse of “living-off-the-land” binaries (LOLBins), with a 70% overlap in tool usage across MDR and IR cases. Microsoft tools like RDP, PowerShell, and Notepad remain favorite vehicles for lateral movement, file dumping, and credential theft. Notably, use of the Impacket toolset surged to over 21% of cases, triple the rate seen in 2023.
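Because the same LOLBins show up in both MDR and IR cases, process-creation telemetry is where defenders usually catch them. The following is an added illustration, not code from the Sophos report or from SC Media: it runs three simple rules over constructed Windows process-creation events (shaped like a Sysmon Event ID 1 record). The rule names, the sample events and the thresholds are this example's own assumptions; the wmiexec command shape is a documented Impacket artifact.

```python
"""Flag living-off-the-land (LOLBin) abuse in Windows process-creation telemetry.

Added illustration, not code from the Sophos report or SC Media. The events
below are constructed, and the three rules are this example's own assumptions
about what PowerShell, Impacket and Notepad abuse looks like in telemetry.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    parent: str   # parent process image name
    image: str    # child process image name
    cmdline: str  # full command line of the child


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    user: str
    cmdline: str


# Constructed sample telemetry: two benign events followed by three abuse patterns.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "CORP\\alice", "explorer.exe", "notepad.exe",
              "notepad.exe C:\\Users\\alice\\notes.txt"),
    ProcEvent("ws01", "CORP\\alice", "explorer.exe", "powershell.exe",
              "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"),
    ProcEvent("srv02", "CORP\\svc_backup", "wmiprvse.exe", "cmd.exe",
              "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1718000000.12 2>&1"),
    ProcEvent("srv02", "CORP\\svc_backup", "cmd.exe", "powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcEvent("dc01", "CORP\\admin", "services.exe", "notepad.exe",
              "notepad.exe C:\\Windows\\Temp\\out.txt"),
]

# Rule 1: PowerShell launched with an encoded command or a hidden window.
ENCODED_PS = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}")
HIDDEN_PS = re.compile(r"(?i)\s-w(indowstyle)?\s+hidden\b")

# Rule 2: the command shape Impacket's wmiexec produces: "cmd.exe /Q /c <cmd>"
# with output redirected to the ADMIN$ share on loopback, spawned by WmiPrvSE.
WMIEXEC_LIKE = re.compile(r"(?i)cmd\.exe\s+/Q\s+/c\s.*1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+")

# Rule 3: an interactive editor such as Notepad spawned by a service/WMI parent
# rather than by a user's shell (assumed lists, tune per environment).
SERVICE_PARENTS = {"services.exe", "wmiprvse.exe", "svchost.exe", "wininit.exe"}
INTERACTIVE_LOLBINS = {"notepad.exe", "mspaint.exe"}


def _encoded_or_hidden_powershell(e: ProcEvent) -> bool:
    return e.image.lower() == "powershell.exe" and bool(
        ENCODED_PS.search(e.cmdline) or HIDDEN_PS.search(e.cmdline))


def _wmiexec_like(e: ProcEvent) -> bool:
    return e.parent.lower() == "wmiprvse.exe" and bool(WMIEXEC_LIKE.search(e.cmdline))


def _lolbin_under_service_parent(e: ProcEvent) -> bool:
    return e.image.lower() in INTERACTIVE_LOLBINS and e.parent.lower() in SERVICE_PARENTS


RULES = [
    ("encoded_or_hidden_powershell", _encoded_or_hidden_powershell),
    ("impacket_wmiexec_like", _wmiexec_like),
    ("lolbin_under_service_parent", _lolbin_under_service_parent),
]


def detect(events) -> list:
    """Return one Finding per (event, rule) match, in event order."""
    findings = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                findings.append(Finding(name, e.host, e.user, e.cmdline))
    return findings


def summarize(findings) -> dict:
    """Count findings per rule and per host for a quick triage view."""
    by_rule, by_host = {}, {}
    for f in findings:
        by_rule[f.rule] = by_rule.get(f.rule, 0) + 1
        by_host[f.host] = by_host.get(f.host, 0) + 1
    return {"by_rule": by_rule, "by_host": by_host}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host:6} {f.user:18} {f.rule:30} {f.cmdline}")
    print(summarize(hits))
```

The two benign events (a user opening a file in Notepad and a scheduled script run from Explorer) produce no findings; the host summary shows srv02 hit by two different rules in sequence, which is the kind of chained signal an MDR analyst would escalate before the operator moves further.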

The findings raise concern over endemic infrastructure and procedural failures. Nearly 40% of breached organizations were running unsupported operating systems, and 40% had unprotected systems altogether. Sophos warns that even well-managed environments are vulnerable when business processes fail to align with technical security controls.

The takeaway: Attackers aren’t necessarily innovating faster—they’re exploiting the same systemic weaknesses. As the report puts it, success often hinges on whether defenders “act quickly and decisively”—or repeat the same mistakes attackers are betting on.

Bill Brenner

InfoSec content strategist, researcher, director, tech writer, blogger and community builder. Senior Vice President of Audience Content Strategy at CyberRisk Alliance.
