Sophos X-Ops – Tech | Business | Economy
https://techeconomy.ng
Last updated: Sat, 13 Dec 2025 10:35:03 +0000 (en-GB)

Sophos XDR Delivers 100% Detection Coverage in the Latest MITRE ATT&CK Evaluation
https://techeconomy.ng/sophos-xdr-delivers-100-detection-coverage-in-the-latest-mitre-attck-evaluation/
Sat, 13 Dec 2025 10:33:35 +0000

Sophos, a global leader of innovative security solutions for defeating cyberattacks, has announced its best-ever results in the MITRE ATT&CK Enterprise 2025 Evaluation.

Sophos XDR detected 100% of adversary behaviours (sub-steps)1 across two complex attack scenarios: Scattered Spider, which Sophos X-Ops tracks as GOLD HARVEST, a financially motivated cybercriminal collective, and Mustang Panda, which Sophos X-Ops tracks as BRONZE PRESIDENT, a People’s Republic of China (PRC) espionage group.

The Scattered Spider scenario included activity across Windows, Linux, and AWS cloud environments, and the Mustang Panda scenario focused on Windows only.

Further, Sophos achieved the highest-possible “Technique”-level rating for 86 out of 90 total sub-steps in the evaluation, by generating high-fidelity detections with details on execution, impact, and adversary behaviour, providing clear who, what, when, where, how, and why insights.

Sophos XDR achieved:

  • 100% detection coverage1 for all 90 adversary sub-steps across two complex attack scenarios across Windows, Linux, and AWS cloud environments
  • Highest possible (“Technique”) ratings for 86 of 90 sub-steps, demonstrating deep visibility and actionable detections
  • Highest possible (“Technique”) ratings for 61 out of 62 of sub-steps in the Scattered Spider scenario involving identity abuse, cloud exploitation, and data exfiltration

“Scattered Spider and Mustang Panda represent distinct threat profiles that challenge defenders in very different ways,” said Simon Reed, chief research and scientific officer, Sophos. “Achieving full detection coverage against both validates the accuracy and depth of Sophos’ analytics and demonstrates how the company’s AI-native XDR platform converts complex telemetry into clear, actionable intelligence, helping security teams detect, understand, and stop advanced attacks with confidence. Sophos’ consistently strong performance in these rigorous evaluations underscores the power and precision of our threat detection and response capabilities, and our commitment to stopping the world’s most sophisticated cyberthreats. Over the five years that Sophos has participated in ATT&CK Evaluations, we have continually invested in strengthening our platform, and that investment has translated into stronger results year after year – both in the evaluations, and in the security outcomes we deliver for our customers.”

These results demonstrate the power of the Sophos XDR platform to defend against sophisticated cyber threats. Every day, Sophos processes 223+ terabytes of telemetry in Sophos Central, generating 34+ million detections and automatically blocking 11+ million threats.

This scale of customer insights ensures that Sophos’ detections are being tested and improved to provide continuous protection while delivering stronger outcomes for organizations worldwide.

Understanding The Threat Actors

Sophos X-Ops has tracked GOLD HARVEST (Scattered Spider) since 2022, observing a loosely affiliated cybercriminal collective driven by both financial motives and a desire to elevate their reputations on underground forums.

Despite several arrests, operators and associates continue to launch high-profile attacks across the U.K. and U.S., at times partnering with major Russian-speaking ransomware groups.

Their sophisticated social engineering capabilities enable them to compromise even well-defended organizations, underscoring the importance of strong behavioural detections within modern security operations.

In parallel, Sophos X-Ops has monitored BRONZE PRESIDENT (Mustang Panda) for many years.

This long-running PRC espionage group conducts intelligence-led operations that align closely with priorities of China’s Ministry of State Security. Recent targeting includes activity against Tibetan communities surrounding the Dalai Lama’s 90th birthday, as well as intrusions on Thai government and military offices during periods of heightened regional tension.

BRONZE PRESIDENT remains one of the most active and persistent state-aligned threat actors operating today.

MITRE ATT&CK Evaluations are among the world’s most rigorous independent security tests.

They emulate the tactics, techniques, and procedures (TTPs) used by real-world adversaries to assess each participating vendor’s ability to detect, analyze, and articulate threats in alignment with the MITRE ATT&CK Framework.

These evaluations continually strengthen Sophos’ capabilities for the benefit of the organizations it protects. This was the seventh round of MITRE’s “Enterprise” ATT&CK Evaluation, a product-focused assessment designed to help organizations better understand how security operations solutions like Sophos EDR and Sophos XDR can help them defend against sophisticated, multi-stage attacks.

When evaluating EDR or XDR solutions, Sophos recommends reviewing MITRE ATT&CK Evaluations alongside other independent proof points.

From QR Code to Compromise: “Quishing” is a Growing Threat – Sophos Warns
https://techeconomy.ng/from-qr-code-to-compromise-quishing-is-a-growing-threat-sophos-warns/
Mon, 18 Nov 2024 14:14:19 +0000

Sophos X-Ops researchers offer tips on how to protect yourself

Sophos, a global leader of innovative security solutions for defeating cyberattacks, has released the results of Sophos X-Ops research on a new type of threat: quishing.

This new attack vector involves fraudulent QR codes, emailed by threat actors, to bypass the phishing security measures that companies have put in place.

The fraudulent QR code, embedded in a PDF document attached to an email, is presented as a message about payroll, employee benefits, or other official paperwork a business might send to an employee. Because the QR code cannot be opened directly from the computer, the employee must scan it with their mobile phone.

The QR code links to a phishing page, which the employee may not recognize as malicious, since phones are usually less protected than computers.

The goal of the attackers is to capture employees’ passwords and their multi-factor authentication (MFA) tokens in order to access the company’s systems while bypassing the security measures in place.

“We spent a considerable amount of time sifting through all the spam samples we had to find examples of quishing,” comments Andrew Brandt, principal researcher at Sophos X-Ops. “Our research has revealed that attacks that exploit this specific threat vector are intensifying, both in terms of volume and sophistication, especially when it comes to the appearance of the PDF document.”

Beyond the social engineering tactics and the quality of the emails, attachments and QR code graphics, these attacks also appear to be growing more organized: some malicious actors now offer as-a-service tools for running phishing campaigns that use fraudulent QR codes.

In addition to features such as CAPTCHA bypasses or the generation of proxy IP addresses to evade automated threat detection, these criminal organizations provide a sophisticated phishing platform that can capture the credentials or MFA tokens of targeted individuals.

To encourage organizations to better protect their systems against this type of attack, Sophos X-Ops shares a list of recommendations:

  • Be vigilant about internal emails on HR topics, salaries or company benefits: Sophos X-Ops’ research has found that social engineering tricks exploit these themes to get employees to scan fraudulent QR codes from their mobile devices.
  • Install Sophos Intercept X for Mobile: Available on Android, iOS and Chrome OS, this solution includes a secure QR code scanner that helps identify known phishing websites and alerts if the URL is considered malicious.
  • Monitor risky sign-ins: Using identity management tools, organizations can detect unusual sign-in activity.
  • Enable Conditional Access: This feature helps enforce access controls based on the user’s location, device status and risk.
  • Enable effective access monitoring with detailed logs: This type of advanced monitoring gives better visibility into all access to the system and helps detect this type of threat in time.
  • Implement advanced email filtering: Sophos’ QR code phishing protection detects fraudulent QR codes included directly in emails, and Sophos plans to extend it to QR codes in attachments as early as the first quarter of 2025.
  • Leverage on-demand email retrieval: Sophos Central Email customers who use Microsoft 365 can use this feature to remove spam or phishing emails from corporate mailboxes.
  • Encourage employees to be vigilant and report incidents: Prompt reporting of anomalies to the incident response team is essential to protect company systems from phishing.
  • Revoke suspicious user sessions: It is imperative to have a plan in place to revoke the access of users who show signs of compromise.

Despite the continuous development of new attack vectors, organizations can protect themselves from compromise by equipping themselves with the right tools, fostering the right culture and work environment, and working with security vendors such as Sophos.

Criminals Leverage “As-a-Service” with Sha Zhu Pan Kits to Expand Cryptocurrency Fraud – Sophos
https://techeconomy.ng/criminals-leverage-as-a-service-with-sha-zhu-pan-kits-to-expand-cryptocurrency-fraud-sophos/
Mon, 05 Feb 2024 08:21:14 +0000

Sophos, a global leader in innovating and delivering cybersecurity as a service, today revealed how sha zhu pan scammers—those conducting elaborate, romance-based cryptocurrency fraud—are leveraging a business model similar to cybercrime “as-a-service” by selling sha zhu pan kits on the dark web, expanding globally into new markets.

Sophos details these advanced sha zhu pan operations (also known as pig butchering) in the article “Cryptocurrency Scams Metastasize into New Forms.”

Originating from organized crime gangs in China, the new kits provide the technical components needed to run a specific pig butchering scheme called “DeFi savings.”

Criminals pitch DeFi savings scams as passive investment opportunities similar to money market accounts, often to people who have no understanding of crypto. Victims only need to connect their crypto wallet to a “brokerage account,” with the expectation that they will earn significant interest on their investment.

In reality, victims are connecting their crypto wallets to a fraudulent cryptocurrency trading pool, which the fraudsters then empty.

“When pig butchering first appeared during the time of the COVID pandemic, the technical aspects of the scams were still relatively primitive and required a lot of effort and guidance to successfully scam victims. Now, as the scams have become more successful and the fraudsters have refined their techniques, we’re seeing a similar evolution to what we’ve seen with ransomware and other types of cybercrime in the past: the creation of an as-a-service model.

“Pig butchering rings are creating ready-made DeFi app kits, which other cybercriminals can purchase on the dark web. As a result, new pig butchering rings that are unaffiliated with Chinese organized crime groups are appearing in areas like Thailand, West Africa and even the U.S.

“As with other types of commercialized cybercrime, these kits lower the entry barriers for cybercriminals interested in pig butchering and vastly expand the victim pool.

“Last year, pig butchering was already a multi-billion-dollar fraud phenomenon; sadly, the problem is likely only to grow exponentially this year,” said Sean Gallagher, principal threat researcher, Sophos.

Sophos X-Ops has been tracking the evolution of pig butchering schemes for two years. The earliest iterations—dubbed by Sophos as “CryptoRom” scams—involved connecting with potential victims on dating apps and then convincing them to download fraudulent crypto trading applications from third-party sources. For iOS users, these scams required victims to download an elaborate workaround that allowed scammers to bypass security on victims’ devices and gain access to their wallets.

In 2022, the scammers continued to refine their operations, this time finding ways to bypass app store review processes to sneak their fraudulent apps into the legitimate App Store and Google Play Store.

This was also the year that a new scam pattern emerged: fake cryptocurrency trading pools (liquidity mining).

In 2023, Sophos X-Ops uncovered two vast pig butchering rings—one based out of Hong Kong and one based out of Cambodia.

These rings leveraged legitimate crypto trading apps and created elaborate fake personas to lure victims and steal millions from them. Further investigation revealed that pig butchering operators were adding AI to their arsenal.

At the end of 2023, Sophos X-Ops uncovered a vast liquidity mining operation involving three separate Chinese organized crime rings targeting nearly 100 victims.

During the investigation into this operation, Sophos X-Ops first noticed the availability of pig butchering scam kits.

In the most recent pig butchering operations that Sophos X-Ops has investigated, the fraudsters have removed any previous technological impediments and significantly lowered the amount of social engineering required to steal from victims.

In the DeFi savings schemes, victims now engage in fraudulent crypto trading through legitimate, well-known cryptocurrency apps and (albeit unknowingly) give the scammers direct access to their wallets.

In addition, the scammers can conceal the wallet network that launders stolen crypto, making the scams harder for law enforcement to track.

“The DeFi savings scams are the culmination of two years of pig butcherers refining their operations. Gone are the days when the scammers had to convince victims to download some strange app or transfer the crypto themselves into a soon-to-be-stolen digital wallet.

“The fraudsters have also learned how to better ‘market’ their schemes. They’re taking advantage of how liquidity mining pools operate to steal the funds by telling victims it’s a simple investment account. This is often an easier sell, especially since most people don’t understand the ins and outs of cryptocurrency trading and everything is done under the guise of trusted brands.

“In other words, it’s never been easier for people to fall victim to pig butchering, which means it’s never been more important to be aware that these scams exist—and know what to look out for,” said Gallagher.

Tips to Avoid Falling Prey to Pig Butchering

To avoid falling victim to a pig butchering scam, Sophos recommends the following:

  • Be skeptical of strangers who reach out via social networking sites like Facebook or by text, especially if they want to quickly move the conversation to a private messenger like WhatsApp
    • This also applies to new matches on dating applications—especially if the stranger begins talking about trading in crypto
  • Always be wary of any “get rich quick” scheme or cryptocurrency investment opportunity that promises large returns in a short amount of time
  • Be familiar with the lures and tactics of romance scams and investment scams. Non-profits like the Cybercrime Support Network have resources that can help
  • Anyone who believes they have fallen victim to a pig butchering scam should immediately withdraw any funds from any affected wallet and contact law enforcement.


Sophos Anticipates AI-Based Attack Techniques and Prepares Detections
https://techeconomy.ng/sophos-anticipates-ai-based-attack-techniques-and-prepares-detections/
Fri, 01 Dec 2023 07:37:43 +0000

Sophos, a global leader in innovating and delivering cybersecurity as a service, has released two reports about the use of AI in cybercrime.

The first report—“The Dark Side of AI: Large-Scale Scam Campaigns Made Possible by Generative AI”—demonstrates how, in the future, scammers could leverage technology like ChatGPT to conduct fraud on a massive scale with minimal technical skills.

However, a second report, titled “Cybercriminals Can’t Agree on GPTs,” found that, despite AI’s potential, rather than embracing large language models (LLMs) like ChatGPT, some cybercriminals are skeptical and even concerned about using AI for their attacks.

The Dark Side of AI

Using a simple e-commerce template and LLM tools like GPT-4, Sophos X-Ops was able to build a fully functioning website with AI-generated images, audio, and product descriptions, as well as a fake Facebook login and fake checkout page to steal users’ login credentials and credit card details.

The website required minimal technical knowledge to create and operate, and, using the same tool, Sophos X-Ops was able to create hundreds of similar websites in minutes with one button.

“It’s natural—and expected—for criminals to turn to new technology for automation. The original creation of spam emails was a critical step in scamming technology because it changed the scale of the playing field. New AIs are poised to do the same; if an AI technology exists that can create complete, automated threats, people will eventually use it. We have already seen the integration of generative AI elements in classic scams, such as AI-generated text or photographs to lure victims.

“However, part of the reason we conducted this research was to get ahead of the criminals. By creating a system for large-scale fraudulent website generation that is more advanced than the tools criminals are currently using, we have a unique opportunity to analyze and prepare for the threat before it proliferates,” said Ben Gelman, senior data scientist, Sophos.

Cybercriminals Can’t Agree on GPTs

For its research into attacker attitudes towards AI, Sophos X-Ops examined four prominent dark web forums for LLM-related discussions.

While cybercriminals’ AI use appears to be in its early stages, threat actors on the dark web are discussing its potential when it comes to social engineering. Sophos X-Ops has already witnessed the use of AI in romance-based crypto scams.

In addition, Sophos X-Ops found that many posts were related to compromised ChatGPT accounts for sale and “jailbreaks”—ways to circumvent the protections built into LLMs so that cybercriminals can abuse them for malicious purposes. Sophos X-Ops also found ten ChatGPT derivatives that their creators claimed could be used to launch cyberattacks and develop malware.

However, threat actors had mixed reactions to these derivatives and other malicious applications of LLMs, with many criminals expressing concern that the creators of the ChatGPT imitators were trying to scam them.

“While there’s been significant concern about the abuse of AI and LLMs by cybercriminals since the release of ChatGPT, our research has found that, so far, threat actors are more skeptical than enthused. Across two of the four forums on the dark web we examined, we only found 100 posts on AI. Compare that to cryptocurrency, where we found 1,000 posts for the same period.

“We did see some cybercriminals attempting to create malware or attack tools using LLMs, but the results were rudimentary and often met with skepticism from other users. In one case, a threat actor, eager to showcase the potential of ChatGPT, inadvertently revealed significant information about his real identity. We even found numerous ‘thought pieces’ about the potential negative effects of AI on society and the ethical implications of its use. In other words, at least for now, it seems that cybercriminals are having the same debates about LLMs as the rest of us,” said Christopher Budd, director, X-Ops research, Sophos.

93% of Organizations Find the Execution of Essential Security Operation Tasks Challenging, Sophos Survey Finds
https://techeconomy.ng/93-of-organizations-find-the-execution-of-essential-security-operation-tasks-challenging-sophos-survey-finds/
Mon, 10 Apr 2023 11:08:45 +0000

Among These Challenges, 75% Struggle with Identifying the Root Causes Behind an Incident, Leaving Them Vulnerable to Further Malicious Activity

Sophos, a global leader in innovating and delivering cybersecurity as a service, today published a new survey report, “The State of Cybersecurity 2023: The Business Impact of Adversaries on Defenders,” which found that, globally, 93% of organizations find the execution of some essential security operation tasks, such as threat hunting, challenging.

These challenges also include understanding how an attack happened, with 75% of respondents stating that they have difficulty identifying the root cause of an incident.

This can make proper remediation difficult, leaving organizations vulnerable to repeated and/or multiple attacks by the same or different adversaries, especially since 71% of those surveyed also reported challenges with timely remediation.

In addition, 71% said they have challenges understanding which signals/alerts to investigate, and the same percentage reported challenges prioritizing investigations.


“Only one fifth of respondents considered vulnerabilities and remote services a top cybersecurity risk for 2023, yet the ground truth is that these are routinely exploited by Active Adversaries. This cascade of operational issues means that these organizations aren’t seeing the full picture and are potentially acting on incorrect information. There’s nothing worse than being confidently wrong. Having external audits and monitoring helps eliminate blind spots. We can look at you the way an attacker does,” said John Shier, field CTO, commercial, Sophos.

Additional findings include:

  • 52% of organizations surveyed said that cyberthreats are now too advanced for their organization to deal with on their own
  • 64% wish the IT team could spend more time on strategic issues and less time on firefighting, and 55% said that the time spent on cyberthreats has impacted the IT team’s work on other projects
  • While 94% said they are working with external specialists to scale their operations, the majority still remain involved with managing threats rather than taking a fully outsourced approach

“Today’s threats require a timely and coordinated response. Unfortunately, too many organizations are stuck in reactive mode. Not only is this having an impact on core business priorities, but it also has a sizeable human toll, with over half of respondents stating that cyberattacks are keeping them up at night. Eliminating the guesswork and applying defensive controls based on actionable intelligence will let IT teams focus on enabling the business instead of trying to douse the eternal flame of active attacks,” said Shier.

To learn more about The State of Cybersecurity 2023: The Business Impact of Adversaries on Defenders, download the full report from Sophos.com.

Data from The State of Cybersecurity 2023: The Business Impact of Adversaries on Defenders comes from an independent study of 3,000 leaders responsible for IT/cybersecurity across 14 countries, conducted in January and February 2023.

Sophos 2023 Threat Report Details How Cyberthreat Landscape Reached a New Level of Commercialization
https://techeconomy.ng/sophos-2023-threat-report-details-how-cyberthreat-landscape-reached-a-new-level-of-commercialization/
Mon, 21 Nov 2022 12:29:23 +0000

Sophos, a global leader in innovating and delivering cybersecurity as a service, has published its 2023 Threat Report.

The report details how the cyberthreat landscape has reached a new level of commercialization and convenience for would-be attackers, with nearly all barriers to entry for committing cybercrime removed through the expansion of cybercrime-as-a-service.

The report also addresses how ransomware remains one of the greatest cybercrime threats to organizations, with operators innovating their extortion tactics, as well as how demand for stolen credentials continues to grow.

Criminal underground marketplaces like Genesis have long made it possible to buy malware and malware deployment services (“malware-as-a-service”), as well as to sell stolen credentials and other data in bulk. Over the last decade, with the increasing popularity of ransomware, an entire “ransomware-as-a-service” economy sprang up. Now, in 2022, this “as-a-service” model has expanded, and nearly every aspect of the cybercrime toolkit—from initial infection to ways to avoid detection—is available for purchase.

Photo: Sean Gallagher, principal threat researcher, Sophos

“This isn’t just the usual fare, such as malware, scamming and phishing kits for sale,” said Sean Gallagher, principal threat researcher, Sophos. “Higher-rung cybercriminals are now selling tools and capabilities that once were solely in the hands of some of the most sophisticated attackers as services to other actors. For example, this past year, we saw advertisements for OPSEC-as-a-service where the sellers offered to help attackers hide Cobalt Strike infections, and we saw scanning-as-a-service, which gives buyers access to legitimate commercial tools like Metasploit, so that they can find and then exploit vulnerabilities. The commoditization of nearly every component of cybercrime is impacting the threat landscape and opening up opportunities for any type of attacker with any type of skill level.”

With the expansion of the “as-a-service” economy, underground cybercriminal marketplaces are also becoming increasingly commodified and are operating like mainstream businesses. Cybercrime sellers are not just advertising their services but are also listing job offers to recruit attackers with distinct skills. Some marketplaces now have dedicated help-wanted pages and recruiting staff, while job seekers are posting summaries of their skills and qualifications.

“Early ransomware operators were rather limited in how much they could do because their operations were centralized; group members were carrying out every aspect of an attack. But as ransomware became hugely profitable, they looked for ways to scale their productions. So, they began outsourcing parts of their operations, creating an entire infrastructure to support ransomware. Now, other cybercriminals have taken a cue from the success of this infrastructure and are following suit,” said Gallagher.

Indeed, as the cybercrime infrastructure has expanded, ransomware has remained highly popular—and highly profitable. Over the past year, ransomware operators have worked on expanding their potential attack surface by targeting platforms other than Windows, while also adopting new languages like Rust and Go to avoid detection. Some groups, most notably Lockbit 3.0, have been diversifying their operations and creating more “innovative” ways to extort victims.


“When we talk about the growing sophistication of the criminal underground, this extends to the world of ransomware. For example, Lockbit 3.0 is now offering bug bounty programs for its malware and ‘crowd-sourcing’ ideas to improve its operations from the criminal community. Other groups have moved to a ‘subscription model’ for access to their leak data and others are auctioning it off. Ransomware has become, first and foremost, a business,” said Gallagher.

The evolving economics of the underground has not only incentivized the growth of ransomware and the “as-a-service” industry, but also increased the demand for credential theft. With the expansion of web services, various types of credentials, especially cookies, can be used in numerous ways to gain a deeper foothold in networks, even bypassing MFA. Credential theft also remains one of the easiest ways for novice criminals to gain access to underground marketplaces and begin their “career.”

Sophos also analyzed the following trends:

  • The war in Ukraine had global repercussions for the cyberthreat landscape. Immediately following the invasion, there was an explosion of financially motivated scams, while nationalism led to a shake-up of criminal alliances between Ukrainians and Russians, particularly among ransomware affiliates.
  • Criminals continue to exploit legitimate executables and utilize “living off the land binaries” (LOLBins) to launch various types of attacks, including ransomware. In some cases, attackers deploy legitimate but vulnerable system drivers in “bring your own driver” attacks to attempt to shut down endpoint detection and response products and evade detection.
  • Mobile devices are now at the center of new types of cybercrime. Not only are attackers still using fake applications to deliver malware injectors, spyware and banking-associated malware, but newer forms of cyberfraud have been growing in popularity, such as “pig butchering” schemes. And this crime is no longer just affecting Android users, but iOS users as well.
  • The devaluation of Monero, one of the most popular cryptocurrencies for cryptominers, led to a decrease in one of the oldest and most popular types of cryptocrime—cryptomining. But mining malware continues to spread through automated “bots” on both Windows and Linux systems.

To learn more about the changing threat landscape in 2022 and what it means for security teams in 2023, read the full Sophos 2023 Threat Report.

The Sophos 2023 Threat Report consists of research and insights from Sophos X-Ops, a new cross-operational unit that links three established teams of cybersecurity experts at Sophos (SophosLabs, Sophos SecOps, and Sophos AI).

Sophos X-Ops includes more than 500 cybersecurity experts worldwide, uniquely equipped to offer a complete, multi-disciplinary picture of an increasingly complex threat landscape.

To learn more about daily cyberattacks and TTPs, follow Sophos X-Ops on Twitter and subscribe to receive current threat research and security operations articles and reports from the frontlines of cybersecurity.

    Sophos X-Ops Debuts to Better Tackle Complex Cyberattacks (https://techeconomy.ng/sophos-x-ops-debuts-to-better-tackle-complex-cyberattacks/), Thu, 21 Jul 2022

    Sophos, a global leader in next-generation cybersecurity, today announced Sophos X-Ops, a new cross-operational unit linking SophosLabs, Sophos SecOps and Sophos AI, three established teams of cybersecurity experts at Sophos, to help organizations better defend against constantly changing and increasingly complex cyberattacks.

    Sophos X-Ops leverages the predictive, real-time, real-world, and deeply researched threat intelligence from each group, which, in turn, collaborate to deliver stronger, more innovative protection, detection and response capabilities.

    Sophos today is also issuing “OODA: Sophos X-Ops Takes on Burgeoning SQL Server Attacks,” research about increased attacks against unpatched Microsoft SQL servers and how attackers used a fake downloading site and grey-market remote access tools to distribute multiple ransomware families.

    Sophos X-Ops identified and thwarted the attacks because the Sophos X-Ops teams combined their respective knowledge of the incidents, jointly analyzed them, and took action to quickly contain and neutralize the adversaries.

    “Modern cybersecurity is becoming a highly interactive team sport, and as the industry has matured, necessary analysis, engineering and investigative specializations have emerged. Scalable end-to-end operations now need to include software developers, automation engineers, malware analysts, reverse engineers, cloud infrastructure engineers, incident responders, data engineers and scientists, and numerous other experts, and they need an organizational structure that avoids silos,” said Joe Levy, chief technology and product officer, Sophos.

    Joe Levy, chief technology and product officer, Sophos

    Levy, continuing, said: “We’ve unified three globally recognized and mature teams within Sophos to provide this breadth of critical, subject matter and process expertise. Joined together as Sophos X-Ops, they can leverage the strengths of each other, including analysis of worldwide telemetry from more than 500,000 customers, industry-leading threat hunting, response and remediation capabilities, and rigorous artificial intelligence to measurably improve threat detection and response. Attackers are often too organized and too advanced to combat without the unique combined expertise and operational efficiency of a joint task force like Sophos X-Ops.”

    Speaking in March 2022 to the Detroit Economic Club about the FBI partnering with the private sector to counter the cyber threat, FBI Director Christopher Wray said, “What partnership lets us do is hit our adversaries at every point, from the victims’ networks back all the way to the hackers’ own computers, because when it comes to the FBI’s cyber strategy, we know trying to stand in the goal and block shots isn’t going to get the job done.

    “We’re disrupting three things: the threat actors, their infrastructure and their money. And we have the most durable impact when we work with all of our partners to disrupt all three together.” Sophos X-Ops is taking a similar approach: gathering and operating on threat intelligence from its own multidisciplinary groups to help stop attackers earlier, preventing or minimizing the harms of ransomware, espionage or other cybercrimes that can befall organizations of all types and sizes, and working with law enforcement to neutralize attacker infrastructure. While Sophos’ internal teams already share information as a matter of course, the formal creation of Sophos X-Ops drives forward a faster, more streamlined process necessary to counter equally fast-moving adversaries.

    “Effective cybersecurity requires robust collaboration at all levels, both internally and externally; it is the only way to discover, analyze and counter malicious cyber actors at speed at scale. Combining these separate teams into Sophos X-Ops shows that Sophos understands this principle and is acting on it,” said Michael Daniel, president and CEO, Cyber Threat Alliance.

    Sophos X-Ops also provides a stronger cross-operational foundation for innovation, an essential component of cybersecurity due to the aggressive advancements in organized cybercrime. By intertwining the expertise of each group, Sophos is pioneering the concept of an artificial intelligence (AI) assisted Security Operations Center (SOC), which anticipates the intentions of security analysts and provides relevant defensive actions. 

    In the SOC of the future, Sophos believes this approach will dramatically accelerate security workflows and the ability to more quickly detect and respond to novel and priority indicators of compromise.

    Sophos launches X-Ops

    “The adversary community has figured out how to work together to commoditize certain parts of attacks while simultaneously creating new ways to evade detection and taking advantage of weaknesses in any software to mass exploit it. The Sophos X-Ops umbrella is a noted example of stealing a page from the cyber miscreants’ tactics by allowing cross-collaboration amongst different internal threat intelligence groups,” said Craig Robinson, IDC research vice president, Security Services. “Combining the ability to cut across a wide breadth of threat intelligence expertise with AI assisted features in the SOC allows organizations to better predict and prepare for imminent and future attacks.”
