case study report dqs301

Provide details on what you need help with along with a budget and time limit. Questions are posted anonymously and can be made 100% private.

Studypool matches you to the best tutor to help you with your question. Our tutors are highly qualified and vetted.

Your matched tutor provides personalized help according to your question details. Payment is made only after you have completed your 1-on-1 session and are satisfied with your session.

• Homework Q&A
• Become a Tutor

All Subjects

Mathematics

Programming

Health & Medical

Engineering

Computer Science

Foreign Languages

Access over 35 million homework & study documents

Case study report liyana nadhirah binti shaharuddin 2018252926.

Sign up to view the full document!

24/7 Homework Help

Stuck on a homework question? Our verified tutors can answer all questions, from basic  math  to advanced rocket science !

Similar Documents

working on a homework question?

Studypool is powered by Microtutoring TM

Copyright © 2024. Studypool Inc.

Studypool is not sponsored or endorsed by any college or university.

Ongoing Conversations

Access over 35 million homework documents through the notebank

Get on-demand Q&A homework help from verified tutors

Read 1000s of rich book guides covering popular titles

Sign up with Google

Sign up with Facebook

Already have an account? Login

Login with Google

Login with Facebook

Don't have an account? Sign Up

Have a language expert improve your writing

Run a free plagiarism check in 10 minutes, generate accurate citations for free.

• Knowledge Base

Methodology

• What Is a Case Study? | Definition, Examples & Methods

What Is a Case Study? | Definition, Examples & Methods

Published on May 8, 2019 by Shona McCombes . Revised on November 20, 2023.

A case study is a detailed study of a specific subject, such as a person, group, place, event, organization, or phenomenon. Case studies are commonly used in social, educational, clinical, and business research.

A case study research design usually involves qualitative methods , but quantitative methods are sometimes also used. Case studies are good for describing , comparing, evaluating and understanding different aspects of a research problem .

Table of contents

When to do a case study, step 1: select a case, step 2: build a theoretical framework, step 3: collect your data, step 4: describe and analyze the case, other interesting articles.

A case study is an appropriate research design when you want to gain concrete, contextual, in-depth knowledge about a specific real-world subject. It allows you to explore the key characteristics, meanings, and implications of the case.

Case studies are often a good choice in a thesis or dissertation . They keep your project focused and manageable when you don’t have the time or resources to do large-scale research.

You might use just one complex case study where you explore a single subject in depth, or conduct multiple case studies to compare and illuminate different aspects of your research problem.

Here's why students love Scribbr's proofreading services

Discover proofreading & editing

Once you have developed your problem statement and research questions , you should be ready to choose the specific case that you want to focus on. A good case study should have the potential to:

• Provide new or unexpected insights into the subject
• Challenge or complicate existing assumptions and theories
• Propose practical courses of action to resolve a problem
• Open up new directions for future research

TipIf your research is more practical in nature and aims to simultaneously investigate an issue as you solve it, consider conducting action research instead.

Unlike quantitative or experimental research , a strong case study does not require a random or representative sample. In fact, case studies often deliberately focus on unusual, neglected, or outlying cases which may shed new light on the research problem.

Example of an outlying case studyIn the 1960s the town of Roseto, Pennsylvania was discovered to have extremely low rates of heart disease compared to the US average. It became an important case study for understanding previously neglected causes of heart disease.

However, you can also choose a more common or representative case to exemplify a particular category, experience or phenomenon.

Example of a representative case studyIn the 1920s, two sociologists used Muncie, Indiana as a case study of a typical American city that supposedly exemplified the changing culture of the US at the time.

While case studies focus more on concrete details than general theories, they should usually have some connection with theory in the field. This way the case study is not just an isolated description, but is integrated into existing knowledge about the topic. It might aim to:

• Exemplify a theory by showing how it explains the case under investigation
• Expand on a theory by uncovering new concepts and ideas that need to be incorporated
• Challenge a theory by exploring an outlier case that doesn’t fit with established assumptions

To ensure that your analysis of the case has a solid academic grounding, you should conduct a literature review of sources related to the topic and develop a theoretical framework . This means identifying key concepts and theories to guide your analysis and interpretation.

There are many different research methods you can use to collect data on your subject. Case studies tend to focus on qualitative data using methods such as interviews , observations , and analysis of primary and secondary sources (e.g., newspaper articles, photographs, official records). Sometimes a case study will also collect quantitative data.

Example of a mixed methods case studyFor a case study of a wind farm development in a rural area, you could collect quantitative data on employment rates and business revenue, collect qualitative data on local people’s perceptions and experiences, and analyze local and national media coverage of the development.

The aim is to gain as thorough an understanding as possible of the case and its context.

Prevent plagiarism. Run a free check.

In writing up the case study, you need to bring together all the relevant aspects to give as complete a picture as possible of the subject.

How you report your findings depends on the type of research you are doing. Some case studies are structured like a standard scientific paper or thesis , with separate sections or chapters for the methods , results and discussion .

Others are written in a more narrative style, aiming to explore the case from various angles and analyze its meanings and implications (for example, by using textual analysis or discourse analysis ).

In all cases, though, make sure to give contextual details about the case, connect it back to the literature and theory, and discuss how it fits into wider patterns or debates.

If you want to know more about statistics , methodology , or research bias , make sure to check out some of our other articles with explanations and examples.

• Normal distribution
• Degrees of freedom
• Null hypothesis
• Discourse analysis
• Control groups
• Mixed methods research
• Non-probability sampling
• Quantitative research
• Ecological validity

Research bias

• Rosenthal effect
• Implicit bias
• Cognitive bias
• Selection bias
• Negativity bias
• Status quo bias

Cite this Scribbr article

If you want to cite this source, you can copy and paste the citation or click the “Cite this Scribbr article” button to automatically add the citation to our free Citation Generator.

McCombes, S. (2023, November 20). What Is a Case Study? | Definition, Examples & Methods. Scribbr. Retrieved June 8, 2024, from https://www.scribbr.com/methodology/case-study/

Is this article helpful?

Shona McCombes

Other students also liked, primary vs. secondary sources | difference & examples, what is a theoretical framework | guide to organizing, what is action research | definition & examples, what is your plagiarism score.

• Privacy Policy

Home » Case Study – Methods, Examples and Guide

Case Study – Methods, Examples and Guide

Table of Contents

A case study is a research method that involves an in-depth examination and analysis of a particular phenomenon or case, such as an individual, organization, community, event, or situation.

It is a qualitative research approach that aims to provide a detailed and comprehensive understanding of the case being studied. Case studies typically involve multiple sources of data, including interviews, observations, documents, and artifacts, which are analyzed using various techniques, such as content analysis, thematic analysis, and grounded theory. The findings of a case study are often used to develop theories, inform policy or practice, or generate new research questions.

Types of Case Study

Types and Methods of Case Study are as follows:

Single-Case Study

A single-case study is an in-depth analysis of a single case. This type of case study is useful when the researcher wants to understand a specific phenomenon in detail.

For Example , A researcher might conduct a single-case study on a particular individual to understand their experiences with a particular health condition or a specific organization to explore their management practices. The researcher collects data from multiple sources, such as interviews, observations, and documents, and uses various techniques to analyze the data, such as content analysis or thematic analysis. The findings of a single-case study are often used to generate new research questions, develop theories, or inform policy or practice.

Multiple-Case Study

A multiple-case study involves the analysis of several cases that are similar in nature. This type of case study is useful when the researcher wants to identify similarities and differences between the cases.

For Example, a researcher might conduct a multiple-case study on several companies to explore the factors that contribute to their success or failure. The researcher collects data from each case, compares and contrasts the findings, and uses various techniques to analyze the data, such as comparative analysis or pattern-matching. The findings of a multiple-case study can be used to develop theories, inform policy or practice, or generate new research questions.

Exploratory Case Study

An exploratory case study is used to explore a new or understudied phenomenon. This type of case study is useful when the researcher wants to generate hypotheses or theories about the phenomenon.

For Example, a researcher might conduct an exploratory case study on a new technology to understand its potential impact on society. The researcher collects data from multiple sources, such as interviews, observations, and documents, and uses various techniques to analyze the data, such as grounded theory or content analysis. The findings of an exploratory case study can be used to generate new research questions, develop theories, or inform policy or practice.

Descriptive Case Study

A descriptive case study is used to describe a particular phenomenon in detail. This type of case study is useful when the researcher wants to provide a comprehensive account of the phenomenon.

For Example, a researcher might conduct a descriptive case study on a particular community to understand its social and economic characteristics. The researcher collects data from multiple sources, such as interviews, observations, and documents, and uses various techniques to analyze the data, such as content analysis or thematic analysis. The findings of a descriptive case study can be used to inform policy or practice or generate new research questions.

Instrumental Case Study

An instrumental case study is used to understand a particular phenomenon that is instrumental in achieving a particular goal. This type of case study is useful when the researcher wants to understand the role of the phenomenon in achieving the goal.

For Example, a researcher might conduct an instrumental case study on a particular policy to understand its impact on achieving a particular goal, such as reducing poverty. The researcher collects data from multiple sources, such as interviews, observations, and documents, and uses various techniques to analyze the data, such as content analysis or thematic analysis. The findings of an instrumental case study can be used to inform policy or practice or generate new research questions.

Case Study Data Collection Methods

Here are some common data collection methods for case studies:

Interviews involve asking questions to individuals who have knowledge or experience relevant to the case study. Interviews can be structured (where the same questions are asked to all participants) or unstructured (where the interviewer follows up on the responses with further questions). Interviews can be conducted in person, over the phone, or through video conferencing.

Observations

Observations involve watching and recording the behavior and activities of individuals or groups relevant to the case study. Observations can be participant (where the researcher actively participates in the activities) or non-participant (where the researcher observes from a distance). Observations can be recorded using notes, audio or video recordings, or photographs.

Documents can be used as a source of information for case studies. Documents can include reports, memos, emails, letters, and other written materials related to the case study. Documents can be collected from the case study participants or from public sources.

Surveys involve asking a set of questions to a sample of individuals relevant to the case study. Surveys can be administered in person, over the phone, through mail or email, or online. Surveys can be used to gather information on attitudes, opinions, or behaviors related to the case study.

Artifacts are physical objects relevant to the case study. Artifacts can include tools, equipment, products, or other objects that provide insights into the case study phenomenon.

How to conduct Case Study Research

Conducting a case study research involves several steps that need to be followed to ensure the quality and rigor of the study. Here are the steps to conduct case study research:

• Define the research questions: The first step in conducting a case study research is to define the research questions. The research questions should be specific, measurable, and relevant to the case study phenomenon under investigation.
• Select the case: The next step is to select the case or cases to be studied. The case should be relevant to the research questions and should provide rich and diverse data that can be used to answer the research questions.
• Collect data: Data can be collected using various methods, such as interviews, observations, documents, surveys, and artifacts. The data collection method should be selected based on the research questions and the nature of the case study phenomenon.
• Analyze the data: The data collected from the case study should be analyzed using various techniques, such as content analysis, thematic analysis, or grounded theory. The analysis should be guided by the research questions and should aim to provide insights and conclusions relevant to the research questions.
• Draw conclusions: The conclusions drawn from the case study should be based on the data analysis and should be relevant to the research questions. The conclusions should be supported by evidence and should be clearly stated.
• Validate the findings: The findings of the case study should be validated by reviewing the data and the analysis with participants or other experts in the field. This helps to ensure the validity and reliability of the findings.
• Write the report: The final step is to write the report of the case study research. The report should provide a clear description of the case study phenomenon, the research questions, the data collection methods, the data analysis, the findings, and the conclusions. The report should be written in a clear and concise manner and should follow the guidelines for academic writing.

Examples of Case Study

Here are some examples of case study research:

• The Hawthorne Studies : Conducted between 1924 and 1932, the Hawthorne Studies were a series of case studies conducted by Elton Mayo and his colleagues to examine the impact of work environment on employee productivity. The studies were conducted at the Hawthorne Works plant of the Western Electric Company in Chicago and included interviews, observations, and experiments.
• The Stanford Prison Experiment: Conducted in 1971, the Stanford Prison Experiment was a case study conducted by Philip Zimbardo to examine the psychological effects of power and authority. The study involved simulating a prison environment and assigning participants to the role of guards or prisoners. The study was controversial due to the ethical issues it raised.
• The Challenger Disaster: The Challenger Disaster was a case study conducted to examine the causes of the Space Shuttle Challenger explosion in 1986. The study included interviews, observations, and analysis of data to identify the technical, organizational, and cultural factors that contributed to the disaster.
• The Enron Scandal: The Enron Scandal was a case study conducted to examine the causes of the Enron Corporation’s bankruptcy in 2001. The study included interviews, analysis of financial data, and review of documents to identify the accounting practices, corporate culture, and ethical issues that led to the company’s downfall.
• The Fukushima Nuclear Disaster : The Fukushima Nuclear Disaster was a case study conducted to examine the causes of the nuclear accident that occurred at the Fukushima Daiichi Nuclear Power Plant in Japan in 2011. The study included interviews, analysis of data, and review of documents to identify the technical, organizational, and cultural factors that contributed to the disaster.

Application of Case Study

Case studies have a wide range of applications across various fields and industries. Here are some examples:

Business and Management

Case studies are widely used in business and management to examine real-life situations and develop problem-solving skills. Case studies can help students and professionals to develop a deep understanding of business concepts, theories, and best practices.

Case studies are used in healthcare to examine patient care, treatment options, and outcomes. Case studies can help healthcare professionals to develop critical thinking skills, diagnose complex medical conditions, and develop effective treatment plans.

Case studies are used in education to examine teaching and learning practices. Case studies can help educators to develop effective teaching strategies, evaluate student progress, and identify areas for improvement.

Social Sciences

Case studies are widely used in social sciences to examine human behavior, social phenomena, and cultural practices. Case studies can help researchers to develop theories, test hypotheses, and gain insights into complex social issues.

Law and Ethics

Case studies are used in law and ethics to examine legal and ethical dilemmas. Case studies can help lawyers, policymakers, and ethical professionals to develop critical thinking skills, analyze complex cases, and make informed decisions.

Purpose of Case Study

The purpose of a case study is to provide a detailed analysis of a specific phenomenon, issue, or problem in its real-life context. A case study is a qualitative research method that involves the in-depth exploration and analysis of a particular case, which can be an individual, group, organization, event, or community.

The primary purpose of a case study is to generate a comprehensive and nuanced understanding of the case, including its history, context, and dynamics. Case studies can help researchers to identify and examine the underlying factors, processes, and mechanisms that contribute to the case and its outcomes. This can help to develop a more accurate and detailed understanding of the case, which can inform future research, practice, or policy.

Case studies can also serve other purposes, including:

• Illustrating a theory or concept: Case studies can be used to illustrate and explain theoretical concepts and frameworks, providing concrete examples of how they can be applied in real-life situations.
• Developing hypotheses: Case studies can help to generate hypotheses about the causal relationships between different factors and outcomes, which can be tested through further research.
• Providing insight into complex issues: Case studies can provide insights into complex and multifaceted issues, which may be difficult to understand through other research methods.
• Informing practice or policy: Case studies can be used to inform practice or policy by identifying best practices, lessons learned, or areas for improvement.

Advantages of Case Study Research

There are several advantages of case study research, including:

• In-depth exploration: Case study research allows for a detailed exploration and analysis of a specific phenomenon, issue, or problem in its real-life context. This can provide a comprehensive understanding of the case and its dynamics, which may not be possible through other research methods.
• Rich data: Case study research can generate rich and detailed data, including qualitative data such as interviews, observations, and documents. This can provide a nuanced understanding of the case and its complexity.
• Holistic perspective: Case study research allows for a holistic perspective of the case, taking into account the various factors, processes, and mechanisms that contribute to the case and its outcomes. This can help to develop a more accurate and comprehensive understanding of the case.
• Theory development: Case study research can help to develop and refine theories and concepts by providing empirical evidence and concrete examples of how they can be applied in real-life situations.
• Practical application: Case study research can inform practice or policy by identifying best practices, lessons learned, or areas for improvement.
• Contextualization: Case study research takes into account the specific context in which the case is situated, which can help to understand how the case is influenced by the social, cultural, and historical factors of its environment.

Limitations of Case Study Research

There are several limitations of case study research, including:

• Limited generalizability : Case studies are typically focused on a single case or a small number of cases, which limits the generalizability of the findings. The unique characteristics of the case may not be applicable to other contexts or populations, which may limit the external validity of the research.
• Biased sampling: Case studies may rely on purposive or convenience sampling, which can introduce bias into the sample selection process. This may limit the representativeness of the sample and the generalizability of the findings.
• Subjectivity: Case studies rely on the interpretation of the researcher, which can introduce subjectivity into the analysis. The researcher’s own biases, assumptions, and perspectives may influence the findings, which may limit the objectivity of the research.
• Limited control: Case studies are typically conducted in naturalistic settings, which limits the control that the researcher has over the environment and the variables being studied. This may limit the ability to establish causal relationships between variables.
• Time-consuming: Case studies can be time-consuming to conduct, as they typically involve a detailed exploration and analysis of a specific case. This may limit the feasibility of conducting multiple case studies or conducting case studies in a timely manner.
• Resource-intensive: Case studies may require significant resources, including time, funding, and expertise. This may limit the ability of researchers to conduct case studies in resource-constrained settings.

About the author

Muhammad Hassan

Researcher, Academic Writer, Web developer

You may also like

Triangulation in Research – Types, Methods and...

Focus Groups – Steps, Examples and Guide

Applied Research – Types, Methods and Examples

Quasi-Experimental Research Design – Types...

Descriptive Research Design – Types, Methods and...

Phenomenology – Methods, Examples and Guide

The Ultimate Guide to Qualitative Research - Part 1: The Basics

• Introduction and overview
• What is qualitative research?
• What is qualitative data?
• Examples of qualitative data
• Qualitative vs. quantitative research
• Mixed methods
• Qualitative research preparation
• Theoretical perspective
• Theoretical framework
• Literature reviews

Research question

• Conceptual framework
• Conceptual vs. theoretical framework

Data collection

• Qualitative research methods
• Focus groups
• Observational research

What is a case study?

Applications for case study research, what is a good case study, process of case study design, benefits and limitations of case studies.

• Ethnographical research
• Ethical considerations
• Confidentiality and privacy
• Power dynamics
• Reflexivity

Case studies

Case studies are essential to qualitative research , offering a lens through which researchers can investigate complex phenomena within their real-life contexts. This chapter explores the concept, purpose, applications, examples, and types of case studies and provides guidance on how to conduct case study research effectively.

Whereas quantitative methods look at phenomena at scale, case study research looks at a concept or phenomenon in considerable detail. While analyzing a single case can help understand one perspective regarding the object of research inquiry, analyzing multiple cases can help obtain a more holistic sense of the topic or issue. Let's provide a basic definition of a case study, then explore its characteristics and role in the qualitative research process.

Definition of a case study

A case study in qualitative research is a strategy of inquiry that involves an in-depth investigation of a phenomenon within its real-world context. It provides researchers with the opportunity to acquire an in-depth understanding of intricate details that might not be as apparent or accessible through other methods of research. The specific case or cases being studied can be a single person, group, or organization – demarcating what constitutes a relevant case worth studying depends on the researcher and their research question .

Among qualitative research methods , a case study relies on multiple sources of evidence, such as documents, artifacts, interviews , or observations , to present a complete and nuanced understanding of the phenomenon under investigation. The objective is to illuminate the readers' understanding of the phenomenon beyond its abstract statistical or theoretical explanations.

Characteristics of case studies

Case studies typically possess a number of distinct characteristics that set them apart from other research methods. These characteristics include a focus on holistic description and explanation, flexibility in the design and data collection methods, reliance on multiple sources of evidence, and emphasis on the context in which the phenomenon occurs.

Furthermore, case studies can often involve a longitudinal examination of the case, meaning they study the case over a period of time. These characteristics allow case studies to yield comprehensive, in-depth, and richly contextualized insights about the phenomenon of interest.

The role of case studies in research

Case studies hold a unique position in the broader landscape of research methods aimed at theory development. They are instrumental when the primary research interest is to gain an intensive, detailed understanding of a phenomenon in its real-life context.

In addition, case studies can serve different purposes within research - they can be used for exploratory, descriptive, or explanatory purposes, depending on the research question and objectives. This flexibility and depth make case studies a valuable tool in the toolkit of qualitative researchers.

Remember, a well-conducted case study can offer a rich, insightful contribution to both academic and practical knowledge through theory development or theory verification, thus enhancing our understanding of complex phenomena in their real-world contexts.

What is the purpose of a case study?

Case study research aims for a more comprehensive understanding of phenomena, requiring various research methods to gather information for qualitative analysis . Ultimately, a case study can allow the researcher to gain insight into a particular object of inquiry and develop a theoretical framework relevant to the research inquiry.

Why use case studies in qualitative research?

Using case studies as a research strategy depends mainly on the nature of the research question and the researcher's access to the data.

Conducting case study research provides a level of detail and contextual richness that other research methods might not offer. They are beneficial when there's a need to understand complex social phenomena within their natural contexts.

The explanatory, exploratory, and descriptive roles of case studies

Case studies can take on various roles depending on the research objectives. They can be exploratory when the research aims to discover new phenomena or define new research questions; they are descriptive when the objective is to depict a phenomenon within its context in a detailed manner; and they can be explanatory if the goal is to understand specific relationships within the studied context. Thus, the versatility of case studies allows researchers to approach their topic from different angles, offering multiple ways to uncover and interpret the data .

The impact of case studies on knowledge development

Case studies play a significant role in knowledge development across various disciplines. Analysis of cases provides an avenue for researchers to explore phenomena within their context based on the collected data.

This can result in the production of rich, practical insights that can be instrumental in both theory-building and practice. Case studies allow researchers to delve into the intricacies and complexities of real-life situations, uncovering insights that might otherwise remain hidden.

Types of case studies

In qualitative research , a case study is not a one-size-fits-all approach. Depending on the nature of the research question and the specific objectives of the study, researchers might choose to use different types of case studies. These types differ in their focus, methodology, and the level of detail they provide about the phenomenon under investigation.

Understanding these types is crucial for selecting the most appropriate approach for your research project and effectively achieving your research goals. Let's briefly look at the main types of case studies.

Exploratory case studies

Exploratory case studies are typically conducted to develop a theory or framework around an understudied phenomenon. They can also serve as a precursor to a larger-scale research project. Exploratory case studies are useful when a researcher wants to identify the key issues or questions which can spur more extensive study or be used to develop propositions for further research. These case studies are characterized by flexibility, allowing researchers to explore various aspects of a phenomenon as they emerge, which can also form the foundation for subsequent studies.

Descriptive case studies

Descriptive case studies aim to provide a complete and accurate representation of a phenomenon or event within its context. These case studies are often based on an established theoretical framework, which guides how data is collected and analyzed. The researcher is concerned with describing the phenomenon in detail, as it occurs naturally, without trying to influence or manipulate it.

Explanatory case studies

Explanatory case studies are focused on explanation - they seek to clarify how or why certain phenomena occur. Often used in complex, real-life situations, they can be particularly valuable in clarifying causal relationships among concepts and understanding the interplay between different factors within a specific context.

Intrinsic, instrumental, and collective case studies

These three categories of case studies focus on the nature and purpose of the study. An intrinsic case study is conducted when a researcher has an inherent interest in the case itself. Instrumental case studies are employed when the case is used to provide insight into a particular issue or phenomenon. A collective case study, on the other hand, involves studying multiple cases simultaneously to investigate some general phenomena.

Each type of case study serves a different purpose and has its own strengths and challenges. The selection of the type should be guided by the research question and objectives, as well as the context and constraints of the research.

The flexibility, depth, and contextual richness offered by case studies make this approach an excellent research method for various fields of study. They enable researchers to investigate real-world phenomena within their specific contexts, capturing nuances that other research methods might miss. Across numerous fields, case studies provide valuable insights into complex issues.

Critical information systems research

Case studies provide a detailed understanding of the role and impact of information systems in different contexts. They offer a platform to explore how information systems are designed, implemented, and used and how they interact with various social, economic, and political factors. Case studies in this field often focus on examining the intricate relationship between technology, organizational processes, and user behavior, helping to uncover insights that can inform better system design and implementation.

Health research

Health research is another field where case studies are highly valuable. They offer a way to explore patient experiences, healthcare delivery processes, and the impact of various interventions in a real-world context.

Case studies can provide a deep understanding of a patient's journey, giving insights into the intricacies of disease progression, treatment effects, and the psychosocial aspects of health and illness.

Asthma research studies

Specifically within medical research, studies on asthma often employ case studies to explore the individual and environmental factors that influence asthma development, management, and outcomes. A case study can provide rich, detailed data about individual patients' experiences, from the triggers and symptoms they experience to the effectiveness of various management strategies. This can be crucial for developing patient-centered asthma care approaches.

Other fields

Apart from the fields mentioned, case studies are also extensively used in business and management research, education research, and political sciences, among many others. They provide an opportunity to delve into the intricacies of real-world situations, allowing for a comprehensive understanding of various phenomena.

Case studies, with their depth and contextual focus, offer unique insights across these varied fields. They allow researchers to illuminate the complexities of real-life situations, contributing to both theory and practice.

Whatever field you're in, ATLAS.ti puts your data to work for you

Download a free trial of ATLAS.ti to turn your data into insights.

Understanding the key elements of case study design is crucial for conducting rigorous and impactful case study research. A well-structured design guides the researcher through the process, ensuring that the study is methodologically sound and its findings are reliable and valid. The main elements of case study design include the research question , propositions, units of analysis, and the logic linking the data to the propositions.

The research question is the foundation of any research study. A good research question guides the direction of the study and informs the selection of the case, the methods of collecting data, and the analysis techniques. A well-formulated research question in case study research is typically clear, focused, and complex enough to merit further detailed examination of the relevant case(s).

Propositions

Propositions, though not necessary in every case study, provide a direction by stating what we might expect to find in the data collected. They guide how data is collected and analyzed by helping researchers focus on specific aspects of the case. They are particularly important in explanatory case studies, which seek to understand the relationships among concepts within the studied phenomenon.

Units of analysis

The unit of analysis refers to the case, or the main entity or entities that are being analyzed in the study. In case study research, the unit of analysis can be an individual, a group, an organization, a decision, an event, or even a time period. It's crucial to clearly define the unit of analysis, as it shapes the qualitative data analysis process by allowing the researcher to analyze a particular case and synthesize analysis across multiple case studies to draw conclusions.

Argumentation

This refers to the inferential model that allows researchers to draw conclusions from the data. The researcher needs to ensure that there is a clear link between the data, the propositions (if any), and the conclusions drawn. This argumentation is what enables the researcher to make valid and credible inferences about the phenomenon under study.

Understanding and carefully considering these elements in the design phase of a case study can significantly enhance the quality of the research. It can help ensure that the study is methodologically sound and its findings contribute meaningful insights about the case.

Ready to jumpstart your research with ATLAS.ti?

Conceptualize your research project with our intuitive data analysis interface. Download a free trial today.

Conducting a case study involves several steps, from defining the research question and selecting the case to collecting and analyzing data . This section outlines these key stages, providing a practical guide on how to conduct case study research.

Defining the research question

The first step in case study research is defining a clear, focused research question. This question should guide the entire research process, from case selection to analysis. It's crucial to ensure that the research question is suitable for a case study approach. Typically, such questions are exploratory or descriptive in nature and focus on understanding a phenomenon within its real-life context.

Selecting and defining the case

The selection of the case should be based on the research question and the objectives of the study. It involves choosing a unique example or a set of examples that provide rich, in-depth data about the phenomenon under investigation. After selecting the case, it's crucial to define it clearly, setting the boundaries of the case, including the time period and the specific context.

Previous research can help guide the case study design. When considering a case study, an example of a case could be taken from previous case study research and used to define cases in a new research inquiry. Considering recently published examples can help understand how to select and define cases effectively.

Developing a detailed case study protocol

A case study protocol outlines the procedures and general rules to be followed during the case study. This includes the data collection methods to be used, the sources of data, and the procedures for analysis. Having a detailed case study protocol ensures consistency and reliability in the study.

The protocol should also consider how to work with the people involved in the research context to grant the research team access to collecting data. As mentioned in previous sections of this guide, establishing rapport is an essential component of qualitative research as it shapes the overall potential for collecting and analyzing data.

Collecting data

Gathering data in case study research often involves multiple sources of evidence, including documents, archival records, interviews, observations, and physical artifacts. This allows for a comprehensive understanding of the case. The process for gathering data should be systematic and carefully documented to ensure the reliability and validity of the study.

Analyzing and interpreting data

The next step is analyzing the data. This involves organizing the data , categorizing it into themes or patterns , and interpreting these patterns to answer the research question. The analysis might also involve comparing the findings with prior research or theoretical propositions.

Writing the case study report

The final step is writing the case study report . This should provide a detailed description of the case, the data, the analysis process, and the findings. The report should be clear, organized, and carefully written to ensure that the reader can understand the case and the conclusions drawn from it.

Each of these steps is crucial in ensuring that the case study research is rigorous, reliable, and provides valuable insights about the case.

The type, depth, and quality of data in your study can significantly influence the validity and utility of the study. In case study research, data is usually collected from multiple sources to provide a comprehensive and nuanced understanding of the case. This section will outline the various methods of collecting data used in case study research and discuss considerations for ensuring the quality of the data.

Interviews are a common method of gathering data in case study research. They can provide rich, in-depth data about the perspectives, experiences, and interpretations of the individuals involved in the case. Interviews can be structured , semi-structured , or unstructured , depending on the research question and the degree of flexibility needed.

Observations

Observations involve the researcher observing the case in its natural setting, providing first-hand information about the case and its context. Observations can provide data that might not be revealed in interviews or documents, such as non-verbal cues or contextual information.

Documents and artifacts

Documents and archival records provide a valuable source of data in case study research. They can include reports, letters, memos, meeting minutes, email correspondence, and various public and private documents related to the case.

These records can provide historical context, corroborate evidence from other sources, and offer insights into the case that might not be apparent from interviews or observations.

Physical artifacts refer to any physical evidence related to the case, such as tools, products, or physical environments. These artifacts can provide tangible insights into the case, complementing the data gathered from other sources.

Ensuring the quality of data collection

Determining the quality of data in case study research requires careful planning and execution. It's crucial to ensure that the data is reliable, accurate, and relevant to the research question. This involves selecting appropriate methods of collecting data, properly training interviewers or observers, and systematically recording and storing the data. It also includes considering ethical issues related to collecting and handling data, such as obtaining informed consent and ensuring the privacy and confidentiality of the participants.

Data analysis

Analyzing case study research involves making sense of the rich, detailed data to answer the research question. This process can be challenging due to the volume and complexity of case study data. However, a systematic and rigorous approach to analysis can ensure that the findings are credible and meaningful. This section outlines the main steps and considerations in analyzing data in case study research.

Organizing the data

The first step in the analysis is organizing the data. This involves sorting the data into manageable sections, often according to the data source or the theme. This step can also involve transcribing interviews, digitizing physical artifacts, or organizing observational data.

Categorizing and coding the data

Once the data is organized, the next step is to categorize or code the data. This involves identifying common themes, patterns, or concepts in the data and assigning codes to relevant data segments. Coding can be done manually or with the help of software tools, and in either case, qualitative analysis software can greatly facilitate the entire coding process. Coding helps to reduce the data to a set of themes or categories that can be more easily analyzed.

Identifying patterns and themes

After coding the data, the researcher looks for patterns or themes in the coded data. This involves comparing and contrasting the codes and looking for relationships or patterns among them. The identified patterns and themes should help answer the research question.

Interpreting the data

Once patterns and themes have been identified, the next step is to interpret these findings. This involves explaining what the patterns or themes mean in the context of the research question and the case. This interpretation should be grounded in the data, but it can also involve drawing on theoretical concepts or prior research.

Verification of the data

The last step in the analysis is verification. This involves checking the accuracy and consistency of the analysis process and confirming that the findings are supported by the data. This can involve re-checking the original data, checking the consistency of codes, or seeking feedback from research participants or peers.

Like any research method , case study research has its strengths and limitations. Researchers must be aware of these, as they can influence the design, conduct, and interpretation of the study.

Understanding the strengths and limitations of case study research can also guide researchers in deciding whether this approach is suitable for their research question . This section outlines some of the key strengths and limitations of case study research.

Benefits include the following:

• Rich, detailed data: One of the main strengths of case study research is that it can generate rich, detailed data about the case. This can provide a deep understanding of the case and its context, which can be valuable in exploring complex phenomena.
• Flexibility: Case study research is flexible in terms of design , data collection , and analysis . A sufficient degree of flexibility allows the researcher to adapt the study according to the case and the emerging findings.
• Real-world context: Case study research involves studying the case in its real-world context, which can provide valuable insights into the interplay between the case and its context.
• Multiple sources of evidence: Case study research often involves collecting data from multiple sources , which can enhance the robustness and validity of the findings.

On the other hand, researchers should consider the following limitations:

• Generalizability: A common criticism of case study research is that its findings might not be generalizable to other cases due to the specificity and uniqueness of each case.
• Time and resource intensive: Case study research can be time and resource intensive due to the depth of the investigation and the amount of collected data.
• Complexity of analysis: The rich, detailed data generated in case study research can make analyzing the data challenging.
• Subjectivity: Given the nature of case study research, there may be a higher degree of subjectivity in interpreting the data , so researchers need to reflect on this and transparently convey to audiences how the research was conducted.

Being aware of these strengths and limitations can help researchers design and conduct case study research effectively and interpret and report the findings appropriately.

Ready to analyze your data with ATLAS.ti?

See how our intuitive software can draw key insights from your data with a free trial today.

• Case Reports

Qualitative Case Study Methodology: Study Design and Implementation for Novice Researchers

• January 2010
• The Qualitative Report 13(4)

• McMaster University

Abstract and Figures

Discover the world's research

• 25+ million members
• 160+ million publication pages
• 2.3+ billion citations

• Lucie Ramjan

• INT J TECHNOL DES ED

• Edward Domina

• Tammy Borgen-Flood

• Mohamad Ahmad

• Bob Algozzine

• B J Breitmayer
• Y.S. Lincoln
• ADV NURS SCI
• Margarete Sandelowski

• John W. Scheib
• Robert E. Stake
• Thomas J. Richards

• Recruit researchers
• Join for free
• Login Email Tip: Most researchers use their institutional email address as their ResearchGate login Password Forgot password? Keep me logged in Log in or Continue with Google Welcome back! Please log in. Email · Hint Tip: Most researchers use their institutional email address as their ResearchGate login Password Forgot password? Keep me logged in Log in or Continue with Google No account? Sign up

Los sitios web oficiales usan .gov

Los sitios web .gov pertenecen a organizaciones gubernamentales oficiales en los Estados Unidos.

Los sitios web seguros .gov usan HTTPS

El candado ( ) o https:// significa que está conectado de forma segura al sitio web .gov. Comparta información confidencial solo en sitios web oficiales y seguros.

CDC Reports A(H5N1) Ferret Study Results

June 7, 2024 —CDC has completed its initial study of the effects of the A(H5N1) bird flu virus from the human case in Texas on ferrets, a model used to assess potential impact on people.

Lo que debe saber

• The A(H5N1) virus from the human case in Texas caused severe illness and death in ferrets. A(H5N1) infection in ferrets has been fatal in the past. This is different from what is seen with seasonal flu, which makes ferrets sick, but is not lethal.
• The A(H5N1) virus from the human case in Texas spread efficiently between ferrets in direct contact but did not spread efficiently between ferrets via respiratory droplets. This is different from what is seen with seasonal flu, which infects 100 % of ferrets via respiratory droplets.
• These findings are not surprising and do not change CDC's risk assessment for most people, which is low. The results do reinforce the need for people who have exposure to infected animals to take precautions and for public health and agriculture communities to continue to work together to prevent the spread of the virus to additional dairy herds and people.

CDC researchers used a ferret model [ 1 ] to better understand the severity of illness and efficiency of transmission of A/Texas/37/2024. For decades, CDC has conducted these types of studies to inform risk assessments of influenza viruses with pandemic potential. CDC used the virus from the human case in Texas which was reported on April 1, 2024, and was associated with sick dairy cow exposure. These are the first publicly reported animal model findings from a virus that infected a human as part of the current multistate outbreak of A(H5N1).

Summary of study findings

The study, completed on Friday, May 31, found that A/Texas/37/2024  virus caused severe disease (100 % lethal) in all six ferrets that were infected. This is consistent with what has been found recently in ferret studies with A(H5N1) viruses, including two published studies conducted in the past year. Ferrets infected with A(H5N1) viruses from mink in Spain ( A/mink/Spain/3691-8_22VIR10586-10/2022 ) and from a person in Chile ( A/Chile/25945/2023 ) had severe illness that was either fatal or required euthanasia.

In terms of spread, the CDC ferret study found that the A/Texas/37/2024 virus spread easily among ferrets (3 of 3 ferrets, or 100 %) in direct contact with infected ferrets (placed in the same enclosure). However, the virus was less capable of spreading by respiratory droplets, which was tested by placing infected ferrets in enclosures next to healthy ferrets (with shared air but without direct contact). In that situation, only 1 of 3 ferrets (33 %) became infected, and there was a one- or two-day delay in transmission with the A/Texas/37/2024 virus compared to transmission with seasonal flu viruses. This suggests that A/Texas/37/2024-like viruses would need to undergo changes to spread efficiently by droplets through the air, such as from coughs and sneezes. CDC is repeating the experiment to confirm the findings and the results of these experiments will be used to inform an ongoing, broader CDC-led influenza risk assessment (IRAT)  on A/Texas/37/2024.

In terms of direct contact spread, the mink virus from Spain caused efficient spread (100 %) among ferrets. The study using the Chile virus found 75 % spread by direct contact among ferrets. While the findings related to respiratory transmission were similar in that there was no efficient respiratory spread, there were differences in terms of whether any respiratory spread was observed or not. The study cited previously using A/mink/Spain/3691-8_22VIR10586-10/2022 found 37,5 % transmission by respiratory droplets. The study using A/Chile/25945/2023 found no transmission by respiratory droplets. The most recent CDC findings are more consistent with the findings with the mink virus from Spain than the virus from Chile. (Additional information about ferret transmission findings with avian influenza is available below.)

Conclusion and risk assessment

Taken together, these findings underscore that the A(H5N1) viruses spreading in poultry, dairy cows, and other animals with sporadic human infections pose a serious potential public health risk and could cause serious illness in people. While the three cases of A(H5N1) in the United States have been mild, it is possible that there will be serious illnesses among people.

Findings from this study are largely consistent with recent A(H5N1) studies in ferrets, as well as past reports of serious human illness resulting from this virus. These findings also suggest; however, that current A(H5N1) viruses would need to undergo genetic changes to spread more easily via respiratory droplets, which is reassuring. Efficient respiratory droplet spread, like what is seen with seasonal influenza viruses, is needed for sustained person-to-person spread to happen. These findings do not change CDC's immediate risk assessment for the general public who do not have animal exposures, which is low.

Respiratory droplet spread compared

There have been several prior respiratory droplet spread in ferrets with avian influenza viruses. Selected studies:

• A study done using the avian influenza A(H7N9) virus (which has the highest pandemic risk assessment score  sobre herramienta de evaluación de riesgo de influenza (IRAT) de los CDC ) found that “A/Hong Kong/125/2017” spread easily among ferrets in the same enclosure but only 1 of 3 ferrets in the adjacent enclosure became via respiratory droplets in that study.
• A 2006 CDC study summarized results of a ferret study on A/Hong Kong/486/97 , an A(H5N1) virus isolated from a human case in 1997. That study found respiratory droplet spread occurred in 2 of the 3 ferrets (66 %). At that time, A(H5N1) viruses had caused probable person-to-person spread. That older 1997 A(H5N1) virus did not emerge to spread efficiently among people. Person-to-person spread has not been observed with A(H5N1) viruses since 2007.
• The previously mentioned 2024 study evaluated an A(H5N1) virus that caused an outbreak among mink at a mink farm in Spain (“ A/mink/Spain/3691-8_22VIR10586-10/2022 ") and found that respiratory droplet spread occurred in 3 out of 8 ferrets (37,5 %). Of note, this study used a side-to-side airflow methodology; by contrast, CDC uses a top-to-bottom airflow approach. Despite the differences in methods, the results from this study were similar to those found in the CDC study.
• El most recently published CDC A(H5N1) ferret study was conducted on a virus from a human A(H5N1) case in Chile. Investigators found efficient direct contact spread, but no respiratory droplet spread.
• On the lowest end of the pandemic risk assessment scale, another ferret study looked at the effects of a low pathogenic avian influenza A(H7N9) virus (A/chicken/Tennessee/17-007431-3/2017) isolated from a multistate poultry outbreak in the United States with no human infections. There was inefficient spread in the direct contact model, with only 1 of 3 co-housed ferrets becoming infected. Because spread in the direct contact model was inefficient, spread by respiratory droplets was not studied.

Background on Ferret Studies

Ferrets are considered the best small mammal for studying influenza virus infection and transmission and are commonly used as a tool to inform public health risk assessments of emerging influenza viruses. In these studies, ferrets are experimentally infected and followed to assess severity of illness. To test the ability of the virus to spread, infected ferrets are exposed to healthy ferrets in different settings. Understanding the disease characteristics of novel influenza viruses and their capacity to spread is a critical component of any public health response.

[1] These studies are approved by the Institutional Animal Care and Use Committee of the Centers for Disease Control and Prevention.

Descargo de responsabilidad: Es posible que en este sitio encuentre algunos enlaces que le lleven a contenido disponible sólo en inglés. Además, el contenido que se ha traducido del inglés se actualiza a menudo , lo cual puede causar la aparición temporal de algunas partes en ese idioma hasta que se termine de traducir (generalmente en 24 horas). Llame al 1-800-CDC-INFO si tiene preguntas sobre la influenza estacional, cuyas respuestas no ha encontrado en este sitio. Agradecemos su paciencia.

Para recibir por correo electrónico las actualizaciones de esta página, ingrese su dirección:

• Porcina/variante
• Influenza en animales

Notificación de salida del sitio / Política de descargo de responsabilidad

• Los Centros para el Control y la Prevención de Enfermedades (CDC) no pueden dar fe sobre la precisión de un sitio web que no pertenece al Gobierno Federal. 
• Los enlaces a sitios web que no pertenecen al Gobierno Federal no están avalados por los CDC, ni tampoco por ninguno de los empleados de los patrocinadores ni la información y los productos presentados en el sitio.
• Usted estará sujeto a la política de privacidad del sitio web de destino cuando siga el enlace.
• Los CDC no son responsables del cumplimiento de la Sección 508 (accesibilidad) en otros sitios web federales o privados.

• Share full article

Advertisement

Supported by

Cancer Researchers Begin Large Long-Term Study of Black Women

The American Cancer Society hopes to enroll 100,000 women and follow them for three decades to discover what’s causing higher case and death rates.

By Roni Caryn Rabin

The American Cancer Society has begun an ambitious, far-reaching study focusing on a population that has long been overlooked, despite high rates of cancer and cancer-related deaths: Black women.

The initiative, called VOICES of Black Women, is believed to be the first long-term population study of its size to zero in specifically on the factors driving cancer prevalence and deaths among Black women.

Researchers plan to enroll 100,000 Black women without cancer, ages 25 to 55, in Washington, D.C., and 20 states where most Black American women reside. The subjects will be surveyed twice a year about their behaviors, environmental exposures and life experiences, and followed for 30 years; any cancers they may develop will be tracked.

Similar studies by the American Cancer Society in the past yielded critical lessons about what causes cancer — for example, identifying cigarette smoking as a cause of lung cancer and linking red- and processed-meat consumption to increased risk of colon cancer.

While some earlier studies have included large numbers of Black women, the research wasn’t able to “hone in on the specific drivers of cancer in that population,” said Dr. Alpa Patel, senior vice president of population science at the society and co-principal investigator of the VOICES study, along with Dr. Lauren McCullough.

“In general population studies, you tend to ask questions that are going to be applicable to the majority of the population,” she said. “So going deeply into the lived experiences of discrimination, bias, systematic issues, environmental influences and cultural aspects of health-related behaviors, and how the narratives around them are shaped in different populations — those types of unique aspects of understanding what contributes to cancer in a population weren’t being asked about.”

We are having trouble retrieving the article content.

Please enable JavaScript in your browser settings.

Thank you for your patience while we verify access. If you are in Reader mode please exit and  log into  your Times account, or  subscribe  for all of The Times.

Thank you for your patience while we verify access.

Already a subscriber?  Log in .

Want all of The Times?  Subscribe .

Official websites use .gov

A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS

A lock ( ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Technical Report: Highly Pathogenic Avian Influenza A(H5N1) Viruses

Updated June 5, 2024

This report provides an update to the April 26, 2024, report to include three additional sporadic human cases (1 in Australia and 2 in the United States) and recent activity in wild birds, poultry, and other animals, including the multi-state outbreak in U.S. dairy cattle, and updated information on monitoring for human infections with highly pathogenic avian influenza A(H5N1) virus infections in the United States. CDC continues to believe that the overall risk to human health associated with the ongoing outbreaks of highly pathogenic avian influenza A(H5N1) viruses has not changed and remains low to the U.S. general public at this time.

Executive summary

A small number of sporadic human cases of highly pathogenic avian influenza (HPAI) A(H5N1) have been identified worldwide since 2022, amidst a panzootic of these viruses in wild birds and poultry. Nearly all   human cases reported globally since 2022 were associated with poultry exposures, and no cases of human-to-human transmission of HPAI A(H5N1) virus have been identified. Three human cases of HPAI A(H5N1) virus infection in dairy farm workers were reported during April and May 2024 in the United States and were attributed to exposures to dairy cattle. One previous human case was detected in the United States in 2022 during poultry culling work. In a few cases, the source of exposure to HPAI A(H5N1) virus was unknown. To date, HPAI A(H5N1) viruses currently circulating most commonly in birds and poultry, with spillover to mammals and humans, do not have the ability to efficiently bind to receptors that predominate in the human upper respiratory tract. This is a major reason why the current risk to the public from HPAI A(H5N1) viruses remains low. However, because of the potential for influenza viruses to rapidly evolve and the wide global prevalence of HPAI A(H5N1) viruses in wild birds and poultry outbreaks and following the identification and spread among dairy cattle in the United States, additional sporadic human infections are anticipated. Continued comprehensive surveillance of these viruses in wild birds, poultry, mammals, and people worldwide, and frequent reassessments are critical to determine the public health risk, along with ongoing preparedness efforts.

• CDC is actively working on the domestic outbreak of clade 2.3.4.4b HPAI A(H5N1) viruses in wild birds, with outbreaks in poultry and backyard flocks, and infections of other animals, including dairy cattle. Response activities include conducting surveillance among people with relevant exposures and preparing for the possibility that contemporary HPAI A(H5N1) viruses gain the ability for increased transmissibility to and among people.
• CDC, along with state and local public health partners, continues to monitor people in the United States who have been exposed to infected birds, poultry, dairy cattle, or other animals for 10 days after their last exposure. To date, more than 9,000 people in 52 jurisdictions have been monitored since 2022.
• H5 candidate vaccine viruses (CVVs) produced by CDC are expected to provide good protection against current clade 2.3.4.4b HPAI A(H5N1) viruses detected in birds and mammals, including dairy cattle. These H5 CVVs are available and have been shared with vaccine manufacturers.
• Because influenza viruses are constantly changing, CDC performs ongoing analyses of HPAI A(H5N1) viruses to identify genetic changes that might allow for: spread more easily to and between people, more serious illness in people, reduced susceptibility to antivirals, changes in the sensitivity of diagnostic assays, or reduced neutralization of the virus by vaccine induced antibodies. To date, few genetic changes of public health concern have been identified in HPAI A(H5N1) viruses circulating in wild birds and poultry worldwide and detected in dairy cattle in the United States.
• Currently, HPAI A(H5N1) viruses circulating in birds and U.S. dairy cattle are believed to pose a low risk to the general public in the United States; however, people who have job-related or recreational exposures to infected birds or mammals are at higher risk of infection and should take appropriate precautions outlined in CDC guidance .
• Comprehensive surveillance and readiness efforts are ongoing, and CDC continually takes preparedness measures to be ready in case the risk to people from HPAI A(H5N1) virus or from other novel influenza A viruses changes.

HPAI A(H5N1) viruses in wild birds and poultry

Hpai a(h5n1) virus infections among mammals, human cases of a(h5n1), table 1. global reported a(h5n1) human cases, january 2022 through june 4, 2024, figure 1. epidemic curve of human cases of a(h5n1) by illness onset date, 1997-2024 by country (n=912), monitoring of persons exposed to hpai a(h5n1) viruses in the united states, u.s. influenza surveillance for human infections with novel influenza a viruses, including hpai a(h5n1) virus, cdc and u.s. government preparedness activities, limitations of the report, conclusions, previous h5n1 technical reports.

Since 2005, HPAI A(H5N1) viruses have undergone extensive genetic diversification including the formation of hundreds of genotypes following reassortment with other avian influenza A viruses. Clade 2.3.4.4b HPAI A(H5N1) viruses emerged in 2020 and were introduced into North America in late 2021 [1,2] and spread to Central and South America, resulting in wild bird infections (in terrestrial, seabird, shorebird, and migratory species) and poultry outbreaks in many countries [3-8]. In Fall 2023, the first detections of HPAI A(H5N1) viruses in birds in the Antarctica region were reported [9]. Globally, this 2.3.4.4b clade of HPAI A(H5N1) viruses has become widespread causing record numbers of bird outbreaks in wild, backyard, village, and farm birds.

In the United States,  USDA APHIS monitors for avian influenza A viruses in wild, commercial, and backyard birds. From January 2022 through June 4, 2024, APHIS reported HPAI A(H5)/A(H5N1) virus detections in more than 9,300 wild birds in 50 states or territories and more than 1,140 commercial and backyard flocks affecting more than 96.5 million birds in 48 states.

Sporadic HPAI A(H5N1) virus infections of mammals have been reported since 2003-2004 during HPAI A(H5N1) virus outbreaks in poultry or wild birds [ 10-12 ]. HPAI A(H5) viruses are known to occasionally infect mammals that eat (presumably infected) birds or poultry and mammals that are exposed to environments with a high concentration of virus.

Globally, sporadic HPAI A(H5N1) virus infections and outbreaks in a wide range of mammal species were reported by countries in different regions of the world to the  World Organisation for Animal Health  since January 2022. HPAI A(H5N1) virus infections of mammals have included a polar bear in the United States , farmed mink in  Spain  and  farmed foxes and other mammals in Finland,  harbor and gray seals in the United States,  sea lions in Peru , Argentina , and  Chile , elephant seals in Argentina , baby goats in the United States , alpacas in the United States , and domesticated pets such  as cats in Poland ,  France , South Korea, and the  United States , and dogs in  Italy . During March through June 4, 2024, the United States reported HPAI A(H5N1) virus infections of dairy cows at more than 80 farms in nine states . Spread from dairy farm-to-dairy farm was reported , and routes of transmission are under investigation. In the United States, from May 2022 through June 4, 2024, USDA APHIS reported HPAI A(H5N1) virus detections in wild mammals comprising a wide range of different species in 31 states.

Experimental studies have used the ferret model to assess transmissibility and disease severity of HPAI A(H5N1) clade 2.3.4.4b viruses. One study used a recombinant virus that was based upon a virus isolated from a mink during a mink farm outbreak in Spain in 2022. When ferrets were experimentally infected with the recombinant HPAI A(H5N1) clade 2.3.4.4b virus, transmission to co-housed susceptible ferrets through direct contact was observed, but transmission through respiratory droplets to separated ferrets was less efficient [ 13 ]. In another study, ferrets experimentally infected with a HPAI A(H5N1) clade 2.3.4.4b virus isolated from a human case in Chile in 2023 transmitted to susceptible ferrets by direct contact but not through respiratory droplets or fomites [ 14 ]. Importantly, in this study, all experimentally infected ferrets experienced fatal disease [ 14 ].

While HPAI A(H5N1) viruses are currently circulating widely in wild birds and poultry in many geographic regions, relatively few human cases of HPAI A(H5N1) have been reported in recent years [ Figure 1 ]. From January 2022 through June 4, 2024, 29 sporadic human cases of A(H5N1) were reported from nine countries, including 15 cases of severe or critical illness, and seven deaths, six cases of mild illness, and eight asymptomatic cases [ Table 1 ].

One human case of HPAI A(H5N1) was reported in the United States in April 2022 while exposed to poultry . The individual reported fatigue without other symptoms during poultry culling activities at a farm with confirmed HPAI A(H5N1) virus infection of poultry, and a low level of A(H5N1) viral RNA was detected in a single upper respiratory tract specimen. It is possible that detection of A(H5N1) viral RNA resulted from deposition of non-infectious viral material in the upper respiratory tract of the individual and did not represent true infection, similar to the environmental contamination that was attributed to two asymptomatic cases in poultry workers reported in Spain [15]. Transient environmental deposition may also explain the detection of A(H5N1) viral RNA in cases of A(H5N1) reported in asymptomatic poultry workers in the U.K. that were investigated as part of a surveillance study [ 16-18 ].

One human case of A(H5N1) was reported in the United States in April 2024 in an adult dairy farm worker . The individual worked at a farm with sick cows presumed to be infected with HPAI A(H5N1) virus in an area in which cows at other dairy farms were confirmed with HPAI A(H5N1) virus infection in Texas [ 19 ]. The worker only experienced conjunctivitis without any other signs or symptoms of illness. HPAI A(H5N1) virus was detected in conjunctival and nasopharyngeal swab specimens, and sequence data confirmed clade 2.3.4.4b, genotype B3.13 , and close genetic relatedness to viruses detected in other dairy cattle farms in Texas. Oseltamivir was provided for treatment of the individual and for post-exposure prophylaxis of household contacts. Conjunctivitis resolved without other symptoms and household contacts remained well [ 19 ]. No additional human cases related to this case were detected.

One human case of A(H5N1) was reported in the United States in May 2024 in an adult dairy farm worker . The individual worked at a farm with sick cows confirmed to be infected with HPAI A(H5N1) virus in Michigan. The worker only experienced conjunctivitis. HPAI A(H5N1) virus was detected in a conjunctival swab specimen, and sequence data confirmed clade 2.3.4.4b, genotype B3.13, closely related to genotype B3.13 viruses detected in dairy cows were sequenced and shared by USDA. Oseltamivir was offered to the worker and household contacts. No additional human cases related to this case were detected.

One human case of A(H5N1) was reported in the United States in May 2024 in an adult farm worker . The individual worked at a farm with sick cows confirmed to be infected with HPAI A(H5N1) virus in Michigan. The worker experienced upper respiratory symptoms. HPAI A(H5N1) virus was detected in a nasopharyngeal swab specimen, and partial HA and full-length NA sequence data confirmed clade 2.3.4.4b, closely related to viruses detected in dairy cows. Oseltamivir was provided for treatment of the individual and for post-exposure prophylaxis of household contacts. No additional human cases related to this case were detected.

Most human cases of HPAI A(H5N1) reported since January 2022 had recent exposure to sick or dead poultry, and no cases of human-to-human HPAI A(H5N1) virus transmission were identified. Fifteen cases (8 children, 7 adults) had severe or critical illness, and seven (3 children, 4 adults) died. Fourteen cases were associated with clade 2.3.4.4b HPAI A(H5N1) virus in 7 countries, and eleven cases were associated or assumed to be associated with clade 2.3.2.1c HPAI A(H5N1) viruses in Cambodia and Vietnam. Of the 7 cases of clade 2.3.4.4b HPAI A(H5N1) virus infections that were symptomatic (conjunctivitis or respiratory illness), 4 had severe or critical illness (57%) and one of the 4 died (25%). One case of severe illness in a child in Australia in March 2024 with recent travel history to India was associated with clade 2.3.2.1a HPAI A(H5N1) virus. None of the HPAI A(H5N1) virus genetic sequences contained any known markers of reduced susceptibility to currently recommended FDA-approved influenza antiviral medications.

Genetic data have revealed that when some mammals, including humans, are infected with HPAI A(H5N1) virus, the virus may undergo intra-host evolution resulting in genetic changes that allow more efficient replication in the lower respiratory tract or extrapulmonary tissues [20-22]. Some HPAI A(H5N1) viruses that have infected humans in 2023 and 2024 have also shown the same or similar genetic changes as those identified in wild and captive mammals. For example, sequencing of viruses from specimens collected from human cases identified in Cambodia during October and November 2023, in Vietnam in 2024 and in the dairy farm worker in Texas in April 2024 revealed the presence of the polymerase basic protein 2 (PB2) 627K marker, which is often associated with mammalian adaptation during infection [ 23 ]. The HPAI A(H5N1) virus sequenced from the human case in Chile identified in March 2023 had different genetic changes (PB2 591K and 701N) that are also associated with mammalian adaptation [ 24 ]. Sequencing of the HPAI A(H5N1) virus from the first dairy farm worker case in Michigan did not identify the PB2 627K marker but revealed the presence of PB2 M631L, that is known to be associated with viral adaptation to mammalian hosts, and which has been detected in 99% of dairy cow sequences but only sporadically in birds [25]. PB2 M631L has been identified as resulting in enhancement of virus replication and disease severity in mice during studies with avian influenza A(H10N7) viruses [ 26 ]. The remainder of the genome of A/Michigan/90/2024 was closely related to sequences detected in infected dairy cows and strongly suggests cow-to-human transmission.

Although these genetic changes may impact mammalian disease outcome, they have not been associated with enhanced transmissibility of the virus to humans. HPAI A(H5N1) viruses preferentially bind to α2,3-linked sialic acid receptors that are prevalent in the respiratory and intestinal tracts of waterfowl and poultry, and in the human lower respiratory tract but do not currently have the ability to easily infect cells and bind efficiently to α2,6-linked sialic acid receptors that are predominant in the human upper respiratory tract [ 2 ].  The ability to bind efficiently to α2,6-linked sialic acid receptors would be needed to increase the risk of transmission to people [ 27,28 ]. Using recombinantly expressed hemagglutinin, analysis of receptor binding of the HPAI A(H5N1) virus identified in the dairy farm worker from Texas (A/Texas/37/2024) revealed binding only to avian-type α2,3-linked sialic acid receptors.

Since 1997, a total of 912 sporadic human A(H5N1) cases have been reported from 24 countries, caused by different HPAI A(H5N1) virus clades [29,30], with a cumulative case fatality proportion of greater than 50%. Human A(H5N1) cases peaked in 2006 (115 cases, 9 countries) and 2015 (145 cases, 4 countries) primarily due to a large epidemic in Egypt with 136 cases [ Figure 1 ].

Nearly all reported human A(H5N1) cases had poultry exposures, such as to sick or dead poultry or visiting live poultry markets. Rare, limited, and non-sustained instances of human-to-human HPAI A(H5N1) virus transmission likely occurred in a small number of family members following prolonged, close unprotected exposure with a symptomatic case-patient during 2004-2007 in multiple countries [ 31-34 ].

Although few human cases have occurred recently, given widespread infection among poultry and wild birds, people who have job-related or recreational exposures to infected birds or sick or dead mammals are at higher risk of infection.

CDC, in collaboration with state, territorial, and local public health partners, has monitored people exposed to infected birds and poultry, cattle, or other animals beginning with their first exposure and for 10 days after their last exposure, from February 2022 through June 4, 2024:

• Total monitored: more than 9,000 people in 52 jurisdictions.
• Total illnesses reported among monitored persons: nearly 200 people.
• Number positive for influenza A(H5N1) virus: 3 people (1 additional case was detected in a dairy farm worker not being monitored).

Of the nearly 200 monitored people showing symptoms who were tested for novel influenza A and seasonal influenza viruses along with other respiratory viruses, HPAI A(H5N1) virus was detected in specimens from 3 persons. HPAI A(H5N1) virus genetic material was detected at a low level in a respiratory specimen from one person in Colorado who experienced fatigue without any other illness signs or symptoms while participating in poultry culling activities. HPAI A(H5N1) virus was detected in a conjunctival swab specimen from one person in Michigan who experienced conjunctivitis without any other illness signs or symptoms while working with sick dairy cattle confirmed with HPAI A(H5N1) virus infection. HPAI A(H5N1) virus genetic material was detected in a nasopharyngeal swab specimen from one person in Michigan who experienced acute respiratory illness while working with sick dairy cattle confirmed with HPAI A(H5N1) virus infection. HPAI A(H5N1) virus was detected in conjunctival swab and nasopharyngeal swab specimens in one person in Texas who was not being monitored who experienced conjunctivitis without any other illness signs or symptoms while working with sick dairy cattle presumed to be infected with HPAI A(H5N1) virus. [See above section on “ Human cases of A(H5N1) .”]

Human infection with a novel influenza A virus, including HPAI A(H5N1) virus, is a nationally notifiable condition (case definition: Novel Influenza A Virus Infections 2014 Case Definition | CDC)

Influenza testing is widely available in clinical laboratories and health care facilities. Assays in these settings would detect A(H5N1) virus infections as influenza A virus positive, and a subset of assays would be able to also determine that they are not influenza A virus subtypes H1 or H3 that commonly circulate among humans. Specimens from persons possibly exposed to HPAI A(H5N1) virus or that test positive for influenza A virus but negative for A(H1) and A(H3) subtypes should be forwarded to the appropriate state or local public health laboratory for further testing. CDC should be notified immediately in the event that any clinical specimens from suspected cases test positive for a novel influenza A virus or if the testing results of clinical specimens from suspected cases are inconclusive . Currently, CDC recommends testing for HPAI A(H5N1) virus infection in symptomatic persons with relevant exposure history . Human infection with a novel influenza A virus is a nationally notifiable condition, and currently confirmatory testing is being done only at CDC. Very few specimens have been submitted to CDC for H5 testing since January 2022.

• Seasonal influenza virus detection assays that can also detect novel influenza A viruses are used in 128 public health laboratories in all 50 U.S states.
• Specific diagnostic assays to detect A(H5) viruses are available at 99 public health laboratories in all 50 states.

Per long-standing protocols, upon detection of a virus that tests positive for influenza A virus but is negative for human H1 or H3 genes, the public health laboratory will rapidly contact CDC and ship the specimen to CDC.  Specimens that are influenza A virus positive but negative for human H1 or H3 genes may also be tested for H5 by state public health laboratories and are rapidly sent to CDC for a diagnostic result.  An investigation of the case will be initiated, and a case report form will be submitted to CDC through the novel influenza A reporting module.

Global surveillance and rapid response to human infections

CDC’s Influenza Division supports surveillance in live bird markets, backyard farms, and wild birds and/or their environments in Bangladesh, Cambodia, China, Guatemala, Kenya, Lao PDR, Peru, Thailand, and Vietnam. Surveillance data highlight the high prevalence and wide range of avian influenza A viruses in birds and help to describe the changing epidemiology of avian influenza A viruses. In 2022, the Influenza Division tracked more than 50 human infections with avian influenza A viruses reported to the WHO from seven countries in four WHO regions. Most recently, CDC Influenza Division field staff assisted in the rapid response investigations of four human A(H5N1) cases in Cambodia during October and November 2023.

CDC systems that monitor national, state, and local level influenza data are being used during the current HPAI A(H5N1) virus situation .

• Influenza virus and illness activity are monitored year-round through a collaborative effort between CDC and many partners, including state, local, and territorial health departments; public health and clinical laboratories; clinics; and emergency departments.
• Human cases of novel influenza A virus infection, which are human infections with non-human influenza A viruses that are different from currently spreading seasonal human influenza A viruses, are nationally notifiable. Every identified case is investigated and reported to CDC.
• CDC is actively looking at multiple influenza indicators during the current situation to monitor for HPAI A(H5N1) viruses, including looking for spread of the virus to, or among people, in jurisdictions where the virus has been identified in people or animals.

Virological assessments

Because influenza viruses have a high error rate during replication and rapidly evolve, CDC continually conducts genetic analyses of viruses to identify changes that may impact virus phenotypes such as antigenicity, antiviral susceptibility, transmissibility, and/or pathogenesis. Genetic analysis also is performed to assess changes that may impact diagnostic test performance.

Diagnostics

Various CDC influenza virus diagnostic real time RT-PCR tests detect typical human (seasonal) viruses or novel influenza A viruses (e.g., H5, H7) that may infect people through zoonotic transmission.  These diagnostic tests are used in all 50 U.S states and globally. Additionally, there are CDC diagnostic tests that specifically detect A(H5) viruses, which are available in public health laboratories in all 50 U.S. states and international laboratories.

Most commercial assays used for human influenza virus testing are likely to detect HPAI A(H5N1) viruses as influenza A viruses because they target conserved proteins.

Candidate vaccine virus development

The development of influenza candidate vaccine viruses (CVVs), coordinated by WHO, remains an essential component of the overall global strategy for influenza pandemic preparedness. A library of H5 candidate vaccine viruses (CVV) has been produced with additional recommendations for development during bi-annual vaccine consultation meetings (See Table and  https://www.who.int/teams/global-influenza-programme/vaccines/who-recommendations/zoonotic-influenza-viruses-and-candidate-vaccine-viruses ). The  CDC Influenza Risk Assessment Tool  is also used to help  prioritize HPAI A(H5) viruses for development of CVVs .

This report is subject to the following limitations. First, the number of reported human infections with HPAI A(H5N1) viruses is small. Conclusions regarding virus characterization analyses, transmissibility from animals to people, transmissibility among people, and clinical spectrum of illness in people should be interpreted in light of this small number. Second, detailed exposure information was not available for all exposed persons or for those being monitored for illness after exposure to HPAI A(H5N1) virus-infected wild birds, poultry, backyard flocks, and other animals, including dairy cattle in the United States. As of the date of this report, understanding of HPAI A(H5N1) virus infections of cattle is very limited. Thus, we are not able to assess the impact of exposure variables such as duration of exposure, nature of exposure (e.g., direct vs. indirect contact), and use of personal protective equipment on infection risk among persons with confirmed HPAI A(H5N1) virus infection or those being monitored after exposures to any animals confirmed or suspected with HPAI A(H5N1) virus infection.

• To date, CDC analyses of clade 2.3.4.4b HPAI A(H5N1) viruses detected in wild birds, poultry, and sporadically in mammals, including in dairy cattle, since late 2021 indicate that these viruses all have a high degree of genetic identity with each other and no significant mammalian adaptive substitutions, insertions, or deletions have been identified, particularly in the HA gene, which is important for zoonotic and subsequent human-to-human transmission.
• Considering the high prevalence of HPAI A(H5N1) viruses in wild birds and poultry worldwide, spillover into mammals (including carnivores that may feed on infected animals) and additional sporadic zoonotic infections are anticipated among people with exposures to infected sick or dead poultry, wild birds, or other infected animals.
• Clade 2.3.4.4b HPAI A(H5N1) viruses currently circulating in wild birds and poultry worldwide lack the ability to preferentially bind to the types of sialic acid receptors that are predominant in the upper respiratory tract of humans and therefore do not currently have the ability to easily infect or transmit among people.
• Despite extensive worldwide spread of HPAI A(H5N1) viruses in wild birds and poultry in recent years, only a small number of sporadic human infections with clade 2.3.4.4b or clade 2.3.2.1c viruses have been reported since 2022; nearly all cases had recent exposure to poultry and no cases of human-to-human transmission of HPAI A(H5N1) virus have been identified.
• In 2024, 3 sporadic epidemiologically unrelated human infections with clade 2.3.4.4b HPAI A(H5N1) viruses have been detected in U.S. dairy farm workers exposed to cows presumed or confirmed to be infected with HPAI A(H5N1) virus. All 3 workers experienced clinically mild illnesses and recovered fully. For cases with genome sequencing available, no known markers of reduced susceptibility to currently recommended FDA-approved influenza antiviral medications were detected, and no changes to receptor binding tropism were identified that would increase the risk of transmission to and among people. Given the ongoing outbreak of clade 2.3.4.4b HPAI A(H5N1) viruses among dairy cattle in 9 states to date, additional sporadic human infections in exposed dairy farm workers are anticipated.

While CDC’s assessment is that the current overall threat of clade 2.3.4.4b HPAI A(H5N1) viruses to public health is low, the widespread geographic prevalence of infected birds and poultry, with spillover into a wide range of mammal species, and ongoing spread of clade 2.3.4.4b viruses, including among dairy cattle in the United States, raises the potential for more  mammals to be infected that could result in viral evolution or reassortment events which might change the current risk assessment. Similar to human infections with HPAI A(H5N1) viruses since 1997, sporadic clade 2.3.4.4b HPAI A(H5N1) virus infections have resulted in a wide clinical spectrum, ranging from conjunctivitis and acute respiratory illness to severe and critical illness with fatal outcome. Additional sporadic human infections with HPAI A(H5N1) viruses with a wide clinical spectrum (mild to severe and critical illness) resulting from exposure to infected animals are anticipated worldwide. Vigilance and ongoing surveillance of HPAI A(H5N1) viruses circulating in wild birds, poultry, and in mammals and infected persons worldwide is critical to monitor the public health risk and to detect genetic changes (particularly in the HA gene) that would change CDC’s risk assessment.

• Bevins SN, Shriner SA, Cumbee JC Jr, Dilione KE, Douglass KE, Ellis JW et al. Intercontinental Movement of Highly Pathogenic Avian Influenza A(H5N1) Clade 2.3.4.4 Virus to the United States, 2021. Emerg Infect Dis. 2022 May;28(5):1006-1011.
• Kandeil A, Patton C, Jones JC, Jeevan T, Harrington WN, Trifkovic S et al. Rapid evolution of A(H5N1) influenza viruses after intercontinental spread to North America. Nat Commun. 2023 May 29;14(1):3082.
• World Health Organization. Antigenic and genetic characteristics of zoonotic influenza A viruses and development of candidate vaccine viruses for pandemic preparedness. February 2023.  https://cdn.who.int/media/docs/default-source/influenza/who-influenza-recommendations/vcm-northern-hemisphere-recommendation-2023-2024/20230224_zoonotic_recommendations.pdf?sfvrsn=38c739fa_4  [1.17 MB, 12 pages]
• European Food Safety Authority, European Centre for Disease Prevention and Control, European Union Reference Laboratory for Avian Influenza. Avian influenza overview March – April 2023. EFSA J 2023 Jun 7;21(6):e08039.
• Ariyama N, Pardo-Roa C, Muñoz G, Aguayo C, Ávila C, Mathieu C, Almonacid LI, Medina RA, Brito B, Johow M, Neira V. Highly Pathogenic Avian Influenza A(H5N1) Clade 2.3.4.4b Virus in Wild Birds, Chile. Emerg Infect Dis. 2023 Sep;29(9):1842-1845. Doi: 10.3201/eid2909.230067. Epub 2023 Jul 24. PMID: 37487166; PMCID: PMC10461661
• Leguia M, Garcia-Glaessner A, Muñoz-Saavedra B, Juarez D, Barrera P, Calvo-Mac C, Jara J, Silva W, Ploog K, Amaro L, Colchao-Claux P, Johnson CK, Uhart MM, Nelson MI, Lescano J. Highly pathogenic avian influenza A (H5N1) in marine mammals and seabirds in Peru. Nat Commun. 2023 Sep 7;14(1):5489. Doi: 10.1038/s41467-023-41182-0. PMID: 37679333; PMCID: PMC10484921.
• Pan American Health Organization. Epidemiological Update Outbreaks of avian influenza caused by influenza A(H5N1) in the Region of the Americas. 9 August 2023.  https://www.paho.org/en/documents/epidemiological-update-outbreaks-avian-influenza-caused-influenza-ah5n1-region-americas-0
• Global Avian Influenza Viruses with Zoonotic Potential situation update, 28 March 2024. https://www.fao.org/animal-health/situation-updates/global-aiv-with-zoonotic-potential/en
• World Organisation for Animal Health. Wildlife under threat as avian influenza reaches Antarctica. 13 March 2024. https://www.woah.org/en/wildlife-under-threat-as-avian-influenza-reaches-antarctica/
• Keawcharoen J, Oraveerakul K, Kuiken T, Fouchier RAM, Amonsin A, Payungporn S et al. Avian influenza H5N1 in tigers and leopards. Emerg Infect Dis. 2004 Dec;10(12):2189-91.
• Songserm T, Amonsin A, Jam-on R, Sae-Heng N, Pariyothorn N, Payungporn S et al. Fatal avian influenza A H5N1 in a dog. Emerg Infect Dis. 2006 Nov;12(11):1744-7.
• Songserm T, Amonsin A, Jam-on R, Sae-Heng N, Meemak N, Pariyothorn N et al. Avian influenza H5N1 in naturally infected domestic cat. Emerg Infect Dis. 2006 Apr;12(4):681-3.
• Restori KH, Septer KM, Field CJ, Patel DR, VanInsberghe D, Raghunathan V, Lowen AC, Sutton TC. Risk assessment of a highly pathogenic H5N1 influenza virus from mink. Nat Commun. 2024 May 15;15(1):4112. doi: 10.1038/s41467-024-48475-y. https://pubmed.ncbi.nlm.nih.gov/38750016/
• Pulit-Penaloza JA, Brock N, Belser JA, Sun X, Pappas C, Kieran TJ, Thakur PB, Zeng H, Cui D, Frederick J, Fasce R, Tumpey TM, Maines TR. Highly pathogenic avian influenza A(H5N1) virus of clade 2.3.4.4b isolated from a human case in Chile causes fatal disease and transmits between co-housed ferrets. Emerg Microbes Infect. 2024 Mar 17:2332667. doi: 10.1080/22221751.2024.2332667. Online ahead of print. https://pubmed.ncbi.nlm.nih.gov/38494746/
• Aznar E, Casas I, González Praetorius A, Ruano Ramos MJ, Pozo F, Sierra Moros MJ et al.Influenza A(H5N1) detection in two asymptomatic poultry farm workers in Spain, September to October 2022: suspected environmental contamination. Euro Surveill. 2023 Feb;28(8):2300107. Doi: 10.2807/1560-7917.ES.2023.28.8.2300107. https://pubmed.ncbi.nlm.nih.gov/36820643/
• World Health Organization. Avian Influenza A(H5N1) – United Kingdom of Great Britain and Northern Ireland. 30 May 2023. Accessed at:  https://www.who.int/emergencies/disease-outbreak-news/item/2023-DON468
• Capelastegui F, Smith J, Kumbang J, Humphreys C, Padfield S, Turner J et al. Pilot of asymptomatic swabbing of humans following exposures to confirmed avian influenza A(H5) in avian species in England, 2021/2022. Influenza Other Respir Viruses. 2023 Aug 23;17(8):e13187. Doi: 10.1111/irv.13187  https://pubmed.ncbi.nlm.nih.gov/37638093/
• UK Health Security Agency. Investigation into the risk to human health of avian influenza (influenza A H5N1) in England: technical briefing 5. Updated 14 July 2023. Accessed at:  Investigation into the risk to human health of avian influenza (influenza A H5N1) in England: technical briefing 5 – GOV.UK (www.gov.uk)
• Uyeki TM, Milton S, Abdul Hamid C, Reinoso Webb C, Presley SM, Shetty V, Rollo SN, Martinez DL, Rai S, Gonzales ER, Kniss KL, Jang Y, Frederick JC, De La Cruz JA, Liddell J, Di H, Kirby MK, Barnes JR, Davis CT. Highly Pathogenic Avian Influenza A(H5N1) Virus Infection in a Dairy Farm Worker. N Engl J Med. 2024 May 3. doi: 10.1056/NEJMc2405371. Online ahead of print.
• Gabriel G, Czudai-Matwich V, Klenk HD. Adaptive mutations in the H5N1 polymerase complex. Virus Res. 2013 Dec 5;178(1):53-62. Doi: 10.1016/j.virusres.2013.05.010.
• Bogs J, Kalthoff D, Veits J, Pavlova S, Schwemmle M, Mänz B et al. Reversion of PB2-627E to -627K during replication of an H5N1 Clade 2.2 virus in mammalian hosts depends on the origin of the nucleoprotein. J Virol. 2011 Oct;85(20):10691-8. Doi: 10.1128/JVI.00786-11.
• Agüero M, Monne I, Sánchez A, Zecchin B, Fusaro A, Ruano MJ et al. Highly pathogenic avian influenza A(H5N1) virus infection in farmed minks, Spain, October 2022. Euro Surveill. 2023 Jan;28(3):2300001. Doi: 10.2807/1560-7917.ES.2023.28.3.2300001.
• CDC. Technical Update: Summary Analysis of Genetic Sequences of Highly Pathogenic Avian Influenza A(H5N1) Viruses in Texas. April 2, 2024. Accessed at: https://www.cdc.gov/flu/avianflu/spotlights/2023-2024/h5n1-analysis-texas.htm
• CDC. Human Infection with highly pathogenic avian influenza A(H5N1) virus in Chile. Accessed at: https://www.cdc.gov/flu/avianflu/spotlights/2022-2023/chile-first-case-h5n1-addendum.htm
• Nguyen TQ, Hutter C, Markin A, Thomas M, Lantz K, Killian ML, Janzen GM, Vijendran S, Wagle S, Inderski B, Magstadt DR, Li G, Diel DG, Frye EA, Dimitrov KM, Swinford AK, Thompson AC, Snevik KR, Suarez DL, Spackman E, Lakin SM, Ahola SC, Johnson KR, Baker AL, Robbe-Austerman S, Torchetti MK, Anderson TK. Emergence and interstate spread of highly pathogenic avian influenza A(H5N1) in dairy cattle bioRxiv 2024.05.01.591751; doi: https://doi.org/10.1101/2024.05.01.591751
• Zhang X, Xu G, Wang C, Jiang M, Gao W, Wang M, Sun H, Sun Y, Chang KC, Liu J, Pu J. Enhanced pathogenicity and neurotropism of mouse-adapted H10N7 influenza virus are mediated by novel PB2 and NA mutations. J Gen Virol. 2017 Jun;98(6):1185-1195. doi: 10.1099/jgv.0.000770. Epub 2017 Jun 8. PMID: 28597818.
• Van Riel D, den Bakker MA, Leijten LM, Chutinimitkul S, Munster VJ, de Wit E et al. Seasonal and pandemic human influenza viruses attach better to human upper respiratory tract epithelium than avian influenza viruses. Am J Pathol. 2010 Apr;176(4):1614-8. Doi: 10.2353/ajpath.2010.090949.
• Shinya K, Ebina M, Yamada S, Ono M, Kasai N, Kawaoka Y. Avian flu: influenza virus receptors in the human airway. Nature. 2006 Mar 23;440(7083):435-6. Doi: 10.1038/440435a.
• Lai S, Qin Y, Cowling BJ, Ren X, Wardrop NA, Gilbert M et al. Global epidemiology of avian influenza A H5N1 virus infection in humans, 1997-2015: a systematic review of individual case data. Lancet Infect Dis. 2016 Jul;16(7):e108-e118. Doi: 10.1016/S1473-3099(16)00153-5. https://pubmed.ncbi.nlm.nih.gov/27211899/
• World Health Organization. Cumulative number of confirmed human cases for avian influenza A(H5N1) reported to WHO, 2003-2024, 3 May 2024. Accessed at: https://www.who.int/publications/m/item/cumulative-number-of-confirmed-human-cases-for-avian-influenza-a(h5n1)-reported-to-who–2003-2024-3-may-2024
• Ungchusak K, Auewarakul P, Dowell SF, Kitphati R, Auwanit W, Puthavathana P et al. Probable person-to-person transmission of avian influenza A (H5N1). N Engl J Med. 2005 Jan 27;352(4):333-40. Doi: 10.1056/NEJMoa044021. https://pubmed.ncbi.nlm.nih.gov/15668219/
• Wang H, Feng Z, Shu Y, Yu H, Zhou L, Zu R et al. Probable limited person-to-person transmission of highly pathogenic avian influenza A (H5N1) virus in China. Lancet. 2008 Apr 26;371(9622):1427-34. Doi: 10.1016/S0140-6736(08)60493-6. https://pubmed.ncbi.nlm.nih.gov/18400288/
• WHO Disease Outbreak News. 2006 – Indonesia. 31 May 2006. Accessed at: https://www.who.int/emergencies/disease-outbreak-news/item/2006_05_31-en
• World Health Organization. Human cases of avian influenza A (H5N1) in North-West Frontier Province, Pakistan, October-November 2007. Wkly Epidemiol Rec. 2008 Oct 3;83(40):359-64.
• How CDC is monitoring influenza data among people to better understand the current avian influenza A (H5N1) situation | Avian Influenza (Flu)
• Highly Pathogenic Avian Influenza A(H5N1) Virus in Animals: Interim Recommendations for Prevention, Monitoring, and Public Health Investigations | Avian Influenza (Flu) (cdc.gov)
• Case Definitions for Investigations of Human Infection with Avian Influenza A Viruses in the United States
• Recommendations for Worker Protection and Use of Personal Protective Equipment (PPE) to Reduce Exposure to Novel Influenza A Viruses Associated with Severe Disease in Humans | Avian Influenza (Flu) (cdc.gov)
• Interim Guidance on Influenza Antiviral Chemoprophylaxis of Persons Exposed to Birds with Avian Influenza A Viruses Associated with Severe Human Disease or with the Potential to Cause Severe Human Disease
• Interim Guidance on Follow-up of Close Contacts of Persons Infected with Novel Influenza A Viruses and Use of Antiviral Medications for Chemoprophylaxis
• Brief Summary for Clinicians: Evaluating and Managing Patients Exposed to Birds Infected with Avian Influenza A Viruses of Public Health Concern
• Interim Guidance on Testing and Specimen Collection for Patients with Suspected Infection with Novel Influenza A Viruses with the Potential to Cause Severe Disease in Humans
• Interim Guidance for Infection Control Within Healthcare Settings When Caring for Confirmed Cases, Probable Cases, and Cases Under Investigation for Infection with Novel Influenza A Viruses Associated with Severe Disease | Avian Influenza (Flu) (cdc.gov)
• Interim Guidance on the Use of Antiviral Medications for Treatment of Human Infections with Novel Influenza A Viruses Associated with Severe Human Disease
• Technical Report: Highly Pathogenic Avian Influenza A(H5N1) Viruses (cdc.gov) – December 29, 2023
• Technical Report: Highly Pathogenic Avian Influenza A(H5N1) Viruses (cdc.gov)  – October 27, 2023
• Technical Report: Highly Pathogenic Avian Influenza A(H5N1) Viruses (cdc.gov)  – October 5, 2023
• Technical Report: Highly Pathogenic Avian Influenza A(H5N1) Viruses (cdc.gov)  – July 7, 2023
• Addendum:  Human Infection with highly pathogenic avian influenza A(H5N1) virus in Chile (cdc.gov)  – April 17, 2023
• Technical Report: Highly Pathogenic Avian Influenza A(H5N1) Viruses (cdc.gov) – March 17, 2023
• Bird Flu Current Situation Summary | Avian Influenza (Flu) (cdc.gov)
• Novel Influenza A Virus Infections (cdc.gov) An interactive dashboard of all novel influenza A virus infections in humans reported in the United States since 2010
• Reported Human Infections with Avian Influenza A Viruses
• Past Examples of Probable Limited, Non-Sustained, Person-to-Person Spread of Avian Influenza A Viruses
• Highlights in the History of Avian Influenza (Bird Flu) Timeline – 2020-2024
• Information for People Exposed to Birds Infected with Avian Influenza Viruses
• Prevention and Antiviral Treatment of Bird Flu Viruses in People
• Recommendations for Worker Protection and Use of Personal Protective Equipment (PPE) to Reduce Exposure to Novel Influenza A Viruses Associated with Severe Disease in Humans
• CDC Health Advisory, April 29, 2022 – Highly Pathogenic Avian Influenza A(H5N1) Virus: Recommendations for Human Health Investigations and Response
• Public Health Monitoring Plan for USDA/APHIS Responders to Detections of Avian Influenza Virus in Poultry  [353 KB, 18 pages]

References to non-CDC sites are provided as a service and do not constitute or imply endorsement of these organizations or their programs by CDC or the U.S. Department of Health and Human Services. CDC is not responsible for the content of pages found at these sites. URL addresses listed were current as of the date of publication.

Descargo de responsabilidad: Es posible que en este sitio encuentre algunos enlaces que le lleven a contenido disponible sólo en inglés. Además, el contenido que se ha traducido del inglés se actualiza a menudo , lo cual puede causar la aparición temporal de algunas partes en ese idioma hasta que se termine de traducir (generalmente en 24 horas). Llame al 1-800-CDC-INFO si tiene preguntas sobre la influenza estacional, cuyas respuestas no ha encontrado en este sitio. Agradecemos su paciencia.

To receive email updates about this page, enter your email address:

• Swine/Variant
• Influenza in Animals

Exit Notification / Disclaimer Policy

• The Centers for Disease Control and Prevention (CDC) cannot attest to the accuracy of a non-federal website.
• Linking to a non-federal website does not constitute an endorsement by CDC or any of its employees of the sponsors or the information and products presented on the website.
• You will be subject to the destination website's privacy policy when you follow the link.
• CDC is not responsible for Section 508 compliance (accessibility) on other federal or private website.

The state of AI in early 2024: Gen AI adoption spikes and starts to generate value

If 2023 was the year the world discovered generative AI (gen AI) , 2024 is the year organizations truly began using—and deriving business value from—this new technology. In the latest McKinsey Global Survey  on AI, 65 percent of respondents report that their organizations are regularly using gen AI, nearly double the percentage from our previous survey just ten months ago. Respondents’ expectations for gen AI’s impact remain as high as they were last year , with three-quarters predicting that gen AI will lead to significant or disruptive change in their industries in the years ahead.

About the authors

This article is a collaborative effort by Alex Singla , Alexander Sukharevsky , Lareina Yee , and Michael Chui , with Bryce Hall , representing views from QuantumBlack, AI by McKinsey, and McKinsey Digital.

Organizations are already seeing material benefits from gen AI use, reporting both cost decreases and revenue jumps in the business units deploying the technology. The survey also provides insights into the kinds of risks presented by gen AI—most notably, inaccuracy—as well as the emerging practices of top performers to mitigate those challenges and capture value.

AI adoption surges

Interest in generative AI has also brightened the spotlight on a broader set of AI capabilities. For the past six years, AI adoption by respondents’ organizations has hovered at about 50 percent. This year, the survey finds that adoption has jumped to 72 percent (Exhibit 1). And the interest is truly global in scope. Our 2023 survey found that AI adoption did not reach 66 percent in any region; however, this year more than two-thirds of respondents in nearly every region say their organizations are using AI. 1 Organizations based in Central and South America are the exception, with 58 percent of respondents working for organizations based in Central and South America reporting AI adoption. Looking by industry, the biggest increase in adoption can be found in professional services. 2 Includes respondents working for organizations focused on human resources, legal services, management consulting, market research, R&D, tax preparation, and training.

Also, responses suggest that companies are now using AI in more parts of the business. Half of respondents say their organizations have adopted AI in two or more business functions, up from less than a third of respondents in 2023 (Exhibit 2).

Gen AI adoption is most common in the functions where it can create the most value

Most respondents now report that their organizations—and they as individuals—are using gen AI. Sixty-five percent of respondents say their organizations are regularly using gen AI in at least one business function, up from one-third last year. The average organization using gen AI is doing so in two functions, most often in marketing and sales and in product and service development—two functions in which previous research  determined that gen AI adoption could generate the most value 3 “ The economic potential of generative AI: The next productivity frontier ,” McKinsey, June 14, 2023. —as well as in IT (Exhibit 3). The biggest increase from 2023 is found in marketing and sales, where reported adoption has more than doubled. Yet across functions, only two use cases, both within marketing and sales, are reported by 15 percent or more of respondents.

Gen AI also is weaving its way into respondents’ personal lives. Compared with 2023, respondents are much more likely to be using gen AI at work and even more likely to be using gen AI both at work and in their personal lives (Exhibit 4). The survey finds upticks in gen AI use across all regions, with the largest increases in Asia–Pacific and Greater China. Respondents at the highest seniority levels, meanwhile, show larger jumps in the use of gen Al tools for work and outside of work compared with their midlevel-management peers. Looking at specific industries, respondents working in energy and materials and in professional services report the largest increase in gen AI use.

Investments in gen AI and analytical AI are beginning to create value

The latest survey also shows how different industries are budgeting for gen AI. Responses suggest that, in many industries, organizations are about equally as likely to be investing more than 5 percent of their digital budgets in gen AI as they are in nongenerative, analytical-AI solutions (Exhibit 5). Yet in most industries, larger shares of respondents report that their organizations spend more than 20 percent on analytical AI than on gen AI. Looking ahead, most respondents—67 percent—expect their organizations to invest more in AI over the next three years.

Where are those investments paying off? For the first time, our latest survey explored the value created by gen AI use by business function. The function in which the largest share of respondents report seeing cost decreases is human resources. Respondents most commonly report meaningful revenue increases (of more than 5 percent) in supply chain and inventory management (Exhibit 6). For analytical AI, respondents most often report seeing cost benefits in service operations—in line with what we found last year —as well as meaningful revenue increases from AI use in marketing and sales.

Inaccuracy: The most recognized and experienced risk of gen AI use

As businesses begin to see the benefits of gen AI, they’re also recognizing the diverse risks associated with the technology. These can range from data management risks such as data privacy, bias, or intellectual property (IP) infringement to model management risks, which tend to focus on inaccurate output or lack of explainability. A third big risk category is security and incorrect use.

Respondents to the latest survey are more likely than they were last year to say their organizations consider inaccuracy and IP infringement to be relevant to their use of gen AI, and about half continue to view cybersecurity as a risk (Exhibit 7).

Conversely, respondents are less likely than they were last year to say their organizations consider workforce and labor displacement to be relevant risks and are not increasing efforts to mitigate them.

In fact, inaccuracy— which can affect use cases across the gen AI value chain , ranging from customer journeys and summarization to coding and creative content—is the only risk that respondents are significantly more likely than last year to say their organizations are actively working to mitigate.

Some organizations have already experienced negative consequences from the use of gen AI, with 44 percent of respondents saying their organizations have experienced at least one consequence (Exhibit 8). Respondents most often report inaccuracy as a risk that has affected their organizations, followed by cybersecurity and explainability.

Our previous research has found that there are several elements of governance that can help in scaling gen AI use responsibly, yet few respondents report having these risk-related practices in place. 4 “ Implementing generative AI with speed and safety ,” McKinsey Quarterly , March 13, 2024. For example, just 18 percent say their organizations have an enterprise-wide council or board with the authority to make decisions involving responsible AI governance, and only one-third say gen AI risk awareness and risk mitigation controls are required skill sets for technical talent.

Bringing gen AI capabilities to bear

The latest survey also sought to understand how, and how quickly, organizations are deploying these new gen AI tools. We have found three archetypes for implementing gen AI solutions : takers use off-the-shelf, publicly available solutions; shapers customize those tools with proprietary data and systems; and makers develop their own foundation models from scratch. 5 “ Technology’s generational moment with generative AI: A CIO and CTO guide ,” McKinsey, July 11, 2023. Across most industries, the survey results suggest that organizations are finding off-the-shelf offerings applicable to their business needs—though many are pursuing opportunities to customize models or even develop their own (Exhibit 9). About half of reported gen AI uses within respondents’ business functions are utilizing off-the-shelf, publicly available models or tools, with little or no customization. Respondents in energy and materials, technology, and media and telecommunications are more likely to report significant customization or tuning of publicly available models or developing their own proprietary models to address specific business needs.

Respondents most often report that their organizations required one to four months from the start of a project to put gen AI into production, though the time it takes varies by business function (Exhibit 10). It also depends upon the approach for acquiring those capabilities. Not surprisingly, reported uses of highly customized or proprietary models are 1.5 times more likely than off-the-shelf, publicly available models to take five months or more to implement.

Gen AI high performers are excelling despite facing challenges

Gen AI is a new technology, and organizations are still early in the journey of pursuing its opportunities and scaling it across functions. So it’s little surprise that only a small subset of respondents (46 out of 876) report that a meaningful share of their organizations’ EBIT can be attributed to their deployment of gen AI. Still, these gen AI leaders are worth examining closely. These, after all, are the early movers, who already attribute more than 10 percent of their organizations’ EBIT to their use of gen AI. Forty-two percent of these high performers say more than 20 percent of their EBIT is attributable to their use of nongenerative, analytical AI, and they span industries and regions—though most are at organizations with less than $1 billion in annual revenue. The AI-related practices at these organizations can offer guidance to those looking to create value from gen AI adoption at their own organizations.

To start, gen AI high performers are using gen AI in more business functions—an average of three functions, while others average two. They, like other organizations, are most likely to use gen AI in marketing and sales and product or service development, but they’re much more likely than others to use gen AI solutions in risk, legal, and compliance; in strategy and corporate finance; and in supply chain and inventory management. They’re more than three times as likely as others to be using gen AI in activities ranging from processing of accounting documents and risk assessment to R&D testing and pricing and promotions. While, overall, about half of reported gen AI applications within business functions are utilizing publicly available models or tools, gen AI high performers are less likely to use those off-the-shelf options than to either implement significantly customized versions of those tools or to develop their own proprietary foundation models.

What else are these high performers doing differently? For one thing, they are paying more attention to gen-AI-related risks. Perhaps because they are further along on their journeys, they are more likely than others to say their organizations have experienced every negative consequence from gen AI we asked about, from cybersecurity and personal privacy to explainability and IP infringement. Given that, they are more likely than others to report that their organizations consider those risks, as well as regulatory compliance, environmental impacts, and political stability, to be relevant to their gen AI use, and they say they take steps to mitigate more risks than others do.

Gen AI high performers are also much more likely to say their organizations follow a set of risk-related best practices (Exhibit 11). For example, they are nearly twice as likely as others to involve the legal function and embed risk reviews early on in the development of gen AI solutions—that is, to “ shift left .” They’re also much more likely than others to employ a wide range of other best practices, from strategy-related practices to those related to scaling.

In addition to experiencing the risks of gen AI adoption, high performers have encountered other challenges that can serve as warnings to others (Exhibit 12). Seventy percent say they have experienced difficulties with data, including defining processes for data governance, developing the ability to quickly integrate data into AI models, and an insufficient amount of training data, highlighting the essential role that data play in capturing value. High performers are also more likely than others to report experiencing challenges with their operating models, such as implementing agile ways of working and effective sprint performance management.

About the research

The online survey was in the field from February 22 to March 5, 2024, and garnered responses from 1,363 participants representing the full range of regions, industries, company sizes, functional specialties, and tenures. Of those respondents, 981 said their organizations had adopted AI in at least one business function, and 878 said their organizations were regularly using gen AI in at least one function. To adjust for differences in response rates, the data are weighted by the contribution of each respondent’s nation to global GDP.

Alex Singla and Alexander Sukharevsky  are global coleaders of QuantumBlack, AI by McKinsey, and senior partners in McKinsey’s Chicago and London offices, respectively; Lareina Yee  is a senior partner in the Bay Area office, where Michael Chui , a McKinsey Global Institute partner, is a partner; and Bryce Hall  is an associate partner in the Washington, DC, office.

They wish to thank Kaitlin Noe, Larry Kanter, Mallika Jhamb, and Shinjini Srivastava for their contributions to this work.

This article was edited by Heather Hanselman, a senior editor in McKinsey’s Atlanta office.

Explore a career with us

Related articles.

Moving past gen AI’s honeymoon phase: Seven hard truths for CIOs to get from pilot to scale

A generative AI reset: Rewiring to turn potential into value in 2024

Implementing generative AI with speed and safety

• Products & Services
• Security Operations
• Threat Research
• AI Research
• Naked Security
• Sophos Life

It’s Oh So Quiet (?): The Sophos Active Adversary Report for 1H 2024

The first Sophos Active Adversary Report of 2024 presents what the Sophos X-Ops Incident Response (IR) team has learned about the current adversary landscape from tackling security crises around the world. Our report is based on data from over 150 cases drawn from the 2023 workload of the IR team. We provide more detail on the demographics represented in this analysis at the end of the report.

As has been standard for Sophos’ Active Adversary reports, this edition incorporates data from previous years of IR casework, stretching back to the launch of our IR service in 2020. While this report will primarily focus on the analysis of cases investigated by the IR team during 2023, we will also take a longer view of the data, where applicable, to understand any meaningful changes and trends — and, sometimes, the lack thereof.

A second report, to be issued in late summer, will incorporate data from the first half of 2024 – in other words, the cases we are working on right now, and cases that have yet to occur. The eternal battle between attackers and defenders has cycles, inflection points, and currents all its own. Keeping a close eye on those rhythms even when things seem to be oh-so-quiet is key for defenders looking to understand and react.

Key takeaways

• Ransomware levels have reached homeostasis
• Timelines have stabilized
• Tooling is stagnant
• Zero days are not the real problem
• And still, defenses aren’t keeping up

Where the data comes from

For this report, the data for which as always is drawn from the cases tackled by our external-facing Incident Response team, 88% of the dataset was derived from organizations with fewer than 1000 employees. As in previous years, over half (55%) of organizations requiring our assistance have 250 employees or fewer. Twelve percent of the organizations with which IR worked in 2023 were companies with over 1000 employees, down from 19% in 2022. (For a glimpse of data drawn from the combined forces of our IR and MDR teams, but focused on the cohort of customers with 500 employees or fewer, please see our sister publication, the 2024 Sophos Threat Report .)

And what do these organizations do? For a fourth consecutive year, the manufacturing sector (25%) was the most likely to request Sophos IR services, followed by information technology (10%), retail (9%), and services (9%). In total, 26 different sectors are represented in this dataset. Further information on the data and methodology used to select cases for this report can be found in the Appendix.

Editor’s note: Since initial publication, a sentence in the section “Stats #2: To AD or not to AD: Active Directory takes the stage” has been fixed to reflect that mainstream support for Windows Server 2019 ended in January 2024.

Summary of findings

As has become the norm for most incident response-focused reports throughout the industry, ransomware maintained its dominance as the top attack type in 2023, with 70% of investigations resulting from a ransomware attack. While there was some fluctuation on a quarterly basis, ranging from 62% to 80%, we believe that this yearly average is well within the margins of what is likely ransomware’s background rate.

Attack Types

Figure 1: As in previous years, our Incident Response team conducted more investigations of ransomware cases than of any other type of attack in 2023. However, our data indicates a large number of assessments outside the dataset that conform to Sophos’ definition of business email compromise. Since just one of these assessments resulted in a full investigation, they are lightly represented in the report dataset, but the authors of this report may choose to publish findings concerning those assessments at a later date

Network breach, the perennial bridesmaid, retained its spot with a 19% occurrence rate in 2023. While we can’t be certain in all cases, there is mounting evidence that many network breaches are indeed unsuccessful ransomware attacks. For example, we positively identified five network breaches (17%) that were the work of known ransomware brands . An interesting statistic emerged when comparing network breaches to ransomware attacks by quarter: During the quarters where ransomware was at its lowest prevalence – 67% in Q2 and 62% in Q3 – network breaches were considerably above the yearly average, 21% in Q2 and 28% in Q3.

Figure 2: During 2021 and 2022, cycles in the number of ransomware cases and network breaches seemed to have mild congruence – when ransomware was up, breaches were generally up. In mid-2023, however, ransomware dropped just as breaches spiked – not as striking as the full-on reversal of “fortunes” in November 2021, but perhaps more significant

What can be deduced about this from the data itself? Hard to say with even medium confidence, but it’s possible that the set of victims during these two quarters were better prepared to detect ransomware operators and evict them before the real damage was done, or the attackers were distracted during the nicest time of the year in Sochi .

The attack types that have seen the most change in our dataset are data extortion and data exfiltration. We define data extortion as data was stolen and a payment was demanded to suppress and/or delete it . Data exfiltration omits the payment portion; the data was stolen and either exposed to the public or not. Our year-end tally saw data extortion attacks double over the previous year, with data exfiltration attacks halving. Most of the data extortion attacks we investigated were perpetrated in the first half of the year by BianLian, which switched to extortion-only attacks in January 2023.

The remaining attack types for 2023 are business email compromise, web shell, loader, and DDoS. Each accounted for less than 1% of investigated cases.

Figure 3: Known impacts of the 2023 cases; since one case may ultimately result in multiple impacts, the total is greater than our case count of 154

The outcome of attacks is the tactic (category) that the MITRE ATT&CK framework calls Impact ( TA0040 ). It should come as no surprise that the Data Encrypted for Impact ( T1486 ) technique is leading the pack: When ransomware is the number-one attack type, this will be the number-one impact. As an adjunct to encryption, many attackers perform other tasks or deploy additional payloads that can be labelled. For example, an often-observed epiphenomenon is the pairing of Inhibit System Recovery ( T1490 ) with Data Encrypted for Impact.

The next most prevalent impact was what we call “no impact.” This is tightly coupled with network breaches. There is no doubt in our minds, and we hope most will agree, that an attacker having privileged access to your network constitutes some sort of impact. And, while MITRE’s techniques cover a lot of ground, there is no discrete technique that adequately describes this phenomenon.

Notably, MITRE released an update to its framework in October 2023. One of the changes was to add the Financial Theft ( T1657 ) technique to the Impact tactic. A stated reason for these changes was for “encompassing more activities that are adjacent to, yet lead to direct network interactions or impacts.” This is a welcome addition as it allows us to properly label the outcomes of data extortion and exfiltration attacks, where previously there was none.

Which segues nicely to the next most prevalent impact: Financial Theft. The increase in this type of data extortion led to a commensurate doubling in this technique, which overtook Resource Hijacking in the 2023 ranking, while Resource Hijacking has dropped to one-third of its 2022 rate. This technique is sometimes the result of attackers using compromised systems for spam campaigns, as is the case in many SquirrelWaffle infections, but most often the technique denotes a coin miner being present on the network. (It is unclear why coin miners are in decline, other than the fact that they aren’t terribly lucrative.)

With the exception of one Network Denial of Service attack against an entity in the Education sector, the remaining techniques in our dataset were secondary impacts paired with ransomware attacks.

Attribution

Figure 4: Family distribution of ransomware cases evaluated in 2023. For the entry marked with an asterisk, the attacker installed Windows BitLocker services to both encrypt files and remove volume shadow copies. For the entries marked with two asterisks, there’s a possibility these are the same thing, as discussed below

Few threat landscape analyses are complete without an attribution discussion. While we won’t pontificate at length over who was behind many of these attacks, we can present the facts as we saw them. Naturally, the most reliable attributions come from ransomware attacks. This is because the attackers tell you which brand of ransomware was deployed on your network through file extensions (often), ransom notes (always), and data leak portals (sometimes). Like so many telemarketers, most ransomware brands exist as ransomware-as-a-service offerings, which allows criminals to represent more than one outlet.

LockBit maintains the top spot for most prolific ransomware brand of the year for the second year running, finally displacing Conti in our all-time ranking. More than one-fifth of ransomware attacks we investigated in 2023 deployed LockBit.

Figure 5: LockBit dominated the 2023 standings more strongly than any single ransomware family has since the heyday of Conti, in 2021; then as now, the second-place family represented a mere half of the leader’s total

One notable entrant in the ransomware landscape was Akira. First launched in March 2023, this up-and-coming brand placed second in our ranking, displacing other notable brands like ALPHV/BlackCat, Royal ( likely rebranded in 2023 as BlackSuit), and Black Basta. (Were we to combine Royal and BlackSuit on our chart, it would be in fourth place in the ranking.) But this level of breakaway success doesn’t necessarily mean infallibility. One of the cases we investigated as a network breach was found to be a failed Akira attack, as were cases involving ALPHV, Black Basta, Everest, and Vice Society. Had these attacks succeeded, they would have increased the ransomware share to 73%, with a proportional drop in the network breach percentage.

The top five ransomware brands were responsible for over half (55%) of all ransomware attacks, which is not surprising considering the pedigrees of some of these brands. Akira and Royal have both been linked to the Ryuk branch of ransomware families, which as many will know begat the Conti ransomware group and its many descendants. If we expand to the top 10, we find two more of Conti’s alleged progeny, Black Basta (#6) and BlackByte (#8). Of the data extortion groups, we also find that Karakurt has potential links to this prodigious branch. Even LockBit is related in a sense, because that group has been observed using some of Conti’s code after the leaks in 2022.

Figure 6: Fruits of a poisoned tree: Most modern ransomware families are related to a few “founding” entities, starting with 2016’s CryptoTech; the uncertainty re the likely renaming of Royal to BlackSuit is reflected at lower right. Source: https://github.com/cert-orangecyberdefense/ransomware_map/blob/main/OCD_WorldWatch_Ransomware-ecosystem-map.pdf , of which this diagram is just a small portion

Figure 7: A closer look from 2022 at the (somewhat inbred) Conti family. Source: https://twitter.com/VK_Intel/status/1557003350541242369/photo/1

It’s tempting to think that there’s something special about these groups, but there isn’t. Modern ransomware turned 10 years old in mid-September 2023. The reality is that many of the individuals behind these groups have been active for a while and have had plenty of time and opportunity to hone their skills. For various reasons, ransomware groups come and go, but we’ve also observed a few, namely Cuba, LockBit, Phobos, and Snatch, that have been part of our investigations since the first Active Adversary report.

Figure 8: BianLian dominated the data-extortion cases we saw; though Cl0p made plenty of headlines, its actual impact on our IR customers was vanishingly small

Of the data extortion group, BianLian led the way, followed by Cl0p, Hunters International, and Karakurt. The Hunters International attack was a failed ransomware attack, but having stolen data, they resorted to data extortion by demanding payment to suppress publication of the stolen data.

Don’t call it a comeback — I been here for years

Knowing who attacked you might offer some emotional rescue, but it really doesn’t matter — except in one scenario. If you intend to pay, it’s absolutely necessary to confer with legal counsel beforehand, in case the ransomware group in question has been designated as a sanctioned entity by your government.

In any case, many ransomware attacks, regardless of the branding on the ransom note, are perpetrated by the same individuals or groups of individuals, and they largely use the same tooling and infrastructure. What matters most in the incident-response context is how the attackers breached the organization and why they succeeded. This allows for full remediation and recovery.

Down in the Hole: Initial Access and Root Causes

Figure 9: Initial access methods, when discernible in the course of investigation, exhibited a bit of diversity in 2023. As one would expect, some cases reveal multiple plausible initial-access scenarios. Most significantly, of the 78 Valid Accounts cases we saw, in only one was Valid Accounts the primary method; in the other 77, it was a contributing factor in cases involving Remote Services

Figure 10: As for root causes, compromised credentials top the full-year charts for the first time ever in 2023

The MITRE tactic and the associated techniques that describe how an attacker managed to infiltrate the target are grouped under Initial Access ( TA0001 ), whereas Root Causes, which do not have formal ATT&CK designations, describe why that technique worked. For example, if the attackers infiltrated the network through an external remote service, such as a VPN, that would be how they got in.​ But the root cause — why that technique worked — was likely due to compromised (stolen) credentials  (in MITRE ATT&CK terminology, Valid Accounts). We would argue that in this example, both External Remote Services and Valid Accounts provided initial access, with compromised credentials acting as a root cause. While the two often line up, we still like to separate them so we can better understand how the attack succeeded, which informs remediation and defense.

As has been the case for every Active Adversary report so far , External Remote Services ( T1133 ) was the leading initial access method. In 65% of cases, some sort of remote access technology facilitated the intrusion; be that a VPN device or an exposed Remote Desktop Protocol (RDP) service, the attackers had a target of opportunity. All that remained was figuring out how to take advantage of this opportunity.

One way to exercise that opportunity is by using Valid Accounts ( T1078 ). Over three-quarters (77%) of attacks saw compromised credentials as an initial access method and over half (56%) as a root cause. In most cases, we don’t know how the accounts were compromised, but we do know that the attackers walked through the front door using a valid username and password.

It turns out that most cases in 2023 saw that pairing of initial access and compromised credentials. We noted in our previous report that compromised credentials had rocketed to the top of the Root Cause charts in the first half of 2023. Now that we have a complete dataset for 2023, we see that the trend holds, nearly doubling last year’s total.

Figure 11: The astonishing rise of compromised credentials as a root cause of attacks vaulted the (largely avoidable) problem to the top of the all-time charts as well as 2023’s

What makes this worse is the woeful state of credential hardening. In 43% of investigations, multi-factor authentication (MFA) was not configured. (As a reminder, MFA is technology that’s nearly three decades old at this point; one of the founding patents literally gives an implementation example involving two-way pagers.)

The remaining root causes for attacks involving remote services were brute force attacks (6%), unknown (3%), phishing (3%), and exploits (2%).

Considering compromised credentials’ ascendency, plain old vulnerability exploitation has therefore slipped to second place. As we have written previously, this isn’t irrefutable evidence that attackers have gone off using vulnerabilities. Maybe there weren’t as many easily exploitable vulnerabilities as there were in previous years. Or maybe initial access brokers had a lot of inventory on their hands that they wanted to get rid of cheaply.​ Whatever the case, attackers will choose the path of least resistance, and for 2023, that meant using compromised credentials.​

Beyond the top “three” (since it’s debatable how useful “unknown” as a category is to investigators, even when the contributors to the category are known), the remaining identified root causes – brute force attack, phishing, supply chain compromise, maldocs, adware, and authentication token theft – accounted for a combined 14% of findings. The Unknown category is the third most common “reason” for both initial access and root cause, and the biggest contributor in both cases was missing telemetry. Whether the logs were cleared by the attackers or worse, not configured, our investigators were unable to determine key aspects of the attack. Frankly, in 2023 compromised credentials and exploited vulnerabilities were the ball game.

Hey baby – it’s the stats, man!

With the adversary landscape in a relatively calm period at this writing, let’s take a moment to think about, as the Active Adversary report team often says, how we know what we know. To be sure we’re getting the maximum good out of all the data we offer in these reports, let’s talk about statistics and what they can show – or hide. We’ll first examine the remarkable drop in dwell times that we covered throughout 2023 to see what else we might learn from one more look at those numbers. Next, we’ll look at time-to-Active Directory, a statistic we started monitoring only last year, to see how analysis helps us see that picture as it develops. After that, we’ll examine a topic where lack of crucial data leaves researchers in an awkward position, and close this section with a look at a statistic that fell unexpectedly out of the dataset in the middle of last year and still has us asking questions.

Stats #1: Attack timelines: Time is on your side (until it’s not)

In the next report (based on 2021 data), we saw dwell time rise and attributed this to the emergence of Initial Access Brokers (IABs), which provided a buffer between the earliest compromise and the eventual attack.

Then the decline started — by a bit in 2022, then by a lot in 2023. The first quarter of 2023 (which included data through the end of 2022) was business as usual, with dwell time equaling that of the previous year. By the time we released our final report in 2023 (which included Q1-Q3 data), dwell time had halved. By the time we wrapped up the year things had stabilized. As is often the case, understanding the details is important.

Figure 12: The dwell-time numbers wobbled a bit throughout 2023, but still landed firmly below the previous median dwell time of 10 days

One reason we choose to look at dwell time (and many other measures) using its median value is to reduce the impact of outliers. For example, in 2022 we had a case with a legitimate dwell time of 955 days. If we compare this dataset with one that omits that case, the mean reduces by a little over 6 days, but the median is unaffected.

What a Difference a Case Makes

Figure 13: A single extraordinary outlier in the dataset can cause outsized distortion in the numbers, which is why we like to look at median values

Another value that we track, but don’t usually draw much attention to, is the standard deviation of a dataset. Put simply, the standard deviation measures the spread or variability of data from its mean. Using the dataset in Figure 13 as an example, we also experience a dramatic lowering of the standard deviation in dwell time, from 95.32 days to 58.11 days, when we omit the outlier. In other words, the set of values that make up the data are closer to the mean.

The problem with some outliers is that they can obscure patterns in the data. With this in mind, we examined the dwell time data for the past three years, while controlling for the outlier in 2022 as shown above:

Figure 14: Having eliminated the effect of the outlier from the 2022 data, the year-to-year trend of decreasing dwell times becomes clear

We posited in a previous report that shrinking dwell times were likely due to several factors, including increased detection capabilities, and that attackers have likely sped up in response.

In addition to shrinking median dwell time, we also observed, as we see in Figure 14, the remaining values declining despite similarly sized populations. Things get even more interesting when we separate ransomware from all other attack types:

Figure 15: Again with the 2022 outlier dismissed from the data, we see that the decrease in dwell times applies to both ransomware infections and (to a lesser extent) all other attack types

It makes intuitive sense that ransomware attackers would spend less time than other types of attackers inside networks. Today it seems some of these attackers rely less on individual payouts and more on volume. (This is apparently working out for them; according to statistics published earlier this year by Chainalysis, payouts for 2023 likely surpassed $1 billion USD.) The attacks themselves can be noisy, especially when payloads are introduced into the network. In contrast, web shell implants and coin miners are meant to be stealthy and persistent.

Measuring dwell time and commenting on its meaning has been a fixture of this report since its inception. We’ve included it here for completeness, but like many aspects of the threat landscape and attacker behavior, we think dwell time has reached stasis. It is unlikely that these dwell time values will change dramatically in the short term. Like ransomware prevalence, there might be some variability from year to year, but the overall trend will remain stable, and it will of course never reach zero.

Dwell time is a lagging indicator. It can only be calculated after the intruders have been discovered. One way to shrink dwell time is to detect intrusions sooner, and there are other time-based indicators that can help defenders spot suspicious activity in the network – if, of course, you’re watching for that sort of thing.

Stats #2: To AD or not to AD: Active Directory takes the stage

Where available, we also recorded the operating system version of affected AD servers. This can be significant since Microsoft steadily improves the baseline security of AD over subsequent releases. We found that 90% of AD servers were running Windows Server 2019 – which exited mainstream support in January 2024 – or earlier versions. (The case dataset included three deployments of Windows Server 2008.) We further noted that 79% of AD servers were protected only with Windows Defender, and at least two servers had no protection whatsoever.

Sometimes, as all researchers will tell you, what looks interesting in a smaller dataset gets overturned by examining a larger one. Since no good deed goes unpunished, we went back to collect the time-to-AD data from the 152 cases investigated in 2022 so we could understand the bigger picture and compare the values. As it was for dwell time, the 2022 median time-to-AD was 1.34 days — more than double the median for 2023. The earliest time-to-AD was -208.29 days (yes, a negative number; in that case, the customer experienced an AD compromise that long predated other artifacts related to their network breach) and the longest was 140.64 days. In 2022, 98% of AD installations were Windows Server 2019 or earlier, and 69% were protected with Windows Defender.

Armed with the knowledge that some attackers are making a mad dash for Active Directory servers, we must be prepared to detect them post-haste. Part of that preparation includes having the right solutions in place to detect suspicious activity, the people available to investigate suspicious signals, and the necessary telemetry to determine what happened.

Moving past the necessary grind of statistics, we turn our attention now to…

Stats #3: Exfiltration (you don’t know what it’s got ‘til it’s gone)

Data theft is another opportunity for detecting an intruder. When faced with data exfiltration or data extortion, time has already run out. However, when facing a ransomware attack, there is still an opportunity to detect the intruders and evict them from the network before they proceed to the final act.

All-cause data exfiltration occurred at roughly the same rate in 2023 as it did in 2022. We could confirm exfiltration in 40% of cases; a further 14% had indications of possible exfiltration or of data staging (an activity one would expect to see in the course of an exfiltration attempt). The previous year saw 43% confirmed exfiltrations with an additional 9% determined as possible data theft.

Another area where missing logs hampers investigations is in determining whether exfiltration has occurred. In 42% of cases, incident responders were unable to determine from the available evidence whether any exfiltration had occurred. This was largely due to there being no evidence available for responders to confirm or deny whether exfiltration happened. Breaking it down further, of the 55 cases lacking sufficient evidence, 29 cases (53%) were missing logs and an additional 6 cases (11%) had logs erased by the attackers.

For ransomware attacks we could confirm data exfiltration in 44% of cases, with an additional 18% showing possible data exfiltration or data staging. Unfortunately, we were unable to determine if data was stolen in 30% of cases. Of those cases, 69% were hampered by missing logs, with 56% due to missing logs and 13% due to cleared logs.

Alarmingly, 72% of network breach investigations found no evidence of data exfiltration. More than half of the missing evidence was due to missing (43%) or deleted (14%) logs.

There is an inverse relationship between time-to-AD and data theft. Where attackers rush to get access to AD, the data exfiltration component of a ransomware attack appears to come at the end of the campaign. For example, in the 2023 data, the median time between the start of the attack and the deployment of a ransomware payload in a confirmed exfiltration was 3.76 days. In contrast, the time between exfiltration and deployment was 0.6 days.

As with time-to-AD, this metric is only useful if an organization has the necessary elements in place to detect and respond to a data exfiltration event. If exfiltration is the ultimate goal of the attackers, the organization can quickly determine their exposure and begin the process of notifying regulators and other stakeholders. As governments around the world increase their rules and regulations concerning data breaches, victim organizations will need to respond in kind. If the exfiltration event is a precursor to a ransomware attack, detecting a data exfiltration event could mean the difference between a bad day at the office and a very bad day in the news.

Stats #4: Ransomware’s night moves

One of the most surprising results from our data analysis for the mid-year report in 2023 was a strong pattern in the local time of day when ransomware was deployed. For that report, the dataset included all cases from the first half of 2023. Analysis showed that 91% of ransomware payloads were deployed outside of traditional business hours. As we did for time-to-AD, we eagerly awaited the full-year data to see if the results would be upheld by a bigger dataset, since (as noted above) larger datasets often expose biases in data and effects can get watered down. While we waited, we re-examined the data and corrected for countries where business days are not traditionally Monday to Friday. (The original analysis assumed the “workweek” to be five standard working days of 8am to 6pm, Monday through Friday; the “weekend” was held to be the period between 6pm on Friday and 12am on Monday.)

While there was a small correction applied by doubling the dataset, we found that 90% of ransomware deployments were deployed outside of business hours in 2023. A total of 11 attacks were launched during local business hours in the workweek.

Since we were already re-analyzing cases for time-to-AD, we also attempted to capture the ransomware deployment time for 2022. What we found was that 94% of ransomware deployments occurred outside of business hours. Only six cases fell within office time.

While we won’t consider these results definitive – we don’t have visibility into every ransomware attack – we can pronounce with high confidence that ransomware deployments are most prevalent outside of traditional business hours. When looking at both 2022 and 2023, 92% of ransomware attacks support this finding.

One thing we can conclude by analyzing attacker timelines is that time can be on our side during an attack. Despite shrinking dwell times, defenders still have a median 6 days to detect an intruder. However, these times change dramatically when a motivated actor strikes. In the case of ransomware in 2023, the median time shrinks to 5 days, versus 10 days for all other attack types.

In addition, there are signs along the way that can alert defenders to a potential danger lurking in the network. Immediately detecting an intruder on an Active Directory server can mean stopping an attack in less than 24 hours. Spotting a data exfiltration event can prevent an even more devastating outcome.

We know that through years of practice many ransomware criminals have honed their skills. But this is not a one-way battle. Defenders can also sharpen their skills by practicing response playbooks – and, as this section has shown, by the true understanding of what the statistics are saying.

Same as it ever was: Artifacts, LOLBins, and other findings

Turning our attention from the statistics to the usual examination of tools and tactics, techniques, and procedures (TTPs), analyzing this year’s crop evokes strong feelings of déjà vu. We observed the same items in each top five, albeit in slightly different orders, year-on-year. It’s not until we look past the top ten that we start seeing variability. Nowhere is this stasis more apparent than in the tools used and abused by attackers in the past three years. In both the detected tools and Microsoft binaries, the top ten are nearly identical. It’s almost as if the attackers aren’t being challenged and can simply re-use the same tools and TTPs ad infinitum.

Figure 16: SoftPerfect Network Scanner leads the list of artifacts spotted in 2023 IR cases, displacing Cobalt Strike from the perch it has held since the start of the Active Adversary Report series; however, Cobalt Strike still leads the all-time occurrence list

Despite the top tools being similar year-on-year, there is one trend that might signal a change in attacker behavior. Cobalt Strike, the longstanding leader, has seen its share decline steadily in the past three years. While it still maintains the top spot in the all-time rankings by absolute count, the percentage of attacks using a Cobalt Strike payload has declined significantly; in the period from 2021 to 2023, the share of Cobalt Strike has gone from 48% to 27%. A potential reason for this is that Cobalt Strike has been so heavily abused that we have become very adept at detecting and blocking it.

The overall leader this year was SoftPerfect’s Network Scanner, which is routinely abused by attackers to map out networks and discover potential targets. We’ve seen abuse of this software for many years and its utility hasn’t gone unnoticed by the attackers. Another frequently abused, albeit legitimate, application is AnyDesk, the popular tool for administrators to manage their endpoints.

One interesting element of the top 10 is that 50% of the tools facilitate data exfiltration. Both 7zip and WinRAR (again, tools with legitimate uses, but abused by attackers) are routinely used to create archives that enable and potentially obfuscate data theft, while the others enable the collection and transfer of said archives. Unfortunately, many organizations still don’t have a firm enough grasp on what normal looks like, so they miss large transfers of data leaving their network. (As an example, the MEGA cloud storage service is all too often abused by data exfiltrators; if you have traffic either coming from or going to MEGA and you have no pre-existing business relationship with the company, that’s worth investigating .)

An interesting side note is the incidence of the tool Impacket in our dataset. As described by the maintainer of the project: “Impacket is a collection of Python classes for working with network protocols.” As this is a collection of tools, we record their individual use (e.g. Impacket/atexec, Impacket/secretsdump, Impacket/smbproxy, etc.) to better understand how each is used in an attack. However, if we roll all the individual tools into one “Impacket” data point, a significant result emerges. All uses of Impacket in 2023, counted together, would rank sixth in the artifacts list.

With few exceptions, most of the tools in this category are prime candidates for monitoring and blocking.

Figure 17: RDP continues to rule the MS-LOLBin roost, with PowerShell the constant runner-up

Remote Desktop Protocol (RDP) is once again the most abused of all the Microsoft LOLBins (living-off-the-land binaries). We won’t spend much time discussing RDP in this report – instead, please see our special supplemental coverage , which goes into both statistics and recommendations for dealing with the protocol — but we do think it’s on track for a lifetime achievement award. RDP abuse has reached new heights, with 90% of attacks using it for internal lateral movement and 20% for external remote access. As for the 18% of organizations who still have RDP exposed to the internet, you should ask yourself, “My God, what have I done?” (To find out how that has worked out for one Sophos customer, keep reading; this report’s Case Study section is just ahead.) At publication time, there were approximately 4 million exposed RDP systems on the internet.

Figure 18: In 2023, nine out of ten attacks handled by our IR team included evidence of RDP abuse

Setting RDP aside, PowerShell continues to power many attacks due to its ubiquity, privilege, flexibility, and usefulness. It is difficult to argue for its removal from networks; therefore, the only option is to strictly monitor and control it. Strategies for using PowerShell safely and securely include (but are not limited to): logging all PowerShell activity, applying the principle of least privilege to which accounts can run scripts, running the latest version, and enabling constrained language mode.

The rest of the binaries in this list are used for various purposes, including execution, persistence, defense evasion, discovery, and lateral movement. Having visibility into all your devices and the capacity to act when necessary is a requirement for today’s defenders.

Figure 19: A traditionally more volatile category than either Artifacts or LOLBins, the catchall Other category has been led for two years now by Valid Accounts; it was preceded in 2020 and 2021 by Malicious Scripts

The techniques and other indicators that we observed this past year are also very much standard operating procedure for many attacks. This section of our findings data is usually where we see the most variability. For example, we use this category to track specific exploits that are being used in the wild, and those often change from year to year, but those mostly make up the long (>200) tail of this dataset. Front and center are techniques and observations that contribute to the fog of war that surrounds many investigations.

A few words about missing and cleared logs, a topic we’ll tackle more fully in a later Active Adversary publication: Attackers have become adept at disabling protection and clearing their tracks. This concerted effort to blind defenders is usually in the service of remaining undetected. However, there are unintended consequences to disabling protection that can be to a defender’s advantage. A telemetry signal going dark should be a beacon that something is happening in the environment which requires immediate attention.

Never mind attackers trying to blind us; in many cases we’re blinding ourselves.

In 2023 we started capturing the incidence of missing telemetry, since the data showed that this was the case in 54% of attacks we investigated. What was most surprising was how prevalent this new metric turned out to be: In its first year of AAR scrutiny, it cracked the top 10 in our all-time ranking. While there were several reasons why the logs were unavailable, in most cases it was because organizations hadn’t taken the necessary steps to ensure they would be there when it mattered most.

And, as if the overwhelming amount of credential compromise wasn’t enough, 43% of organizations had neglected to enable MFA on their external services. There is no other way to put this: When a solution exists that can stop an attacker in their tracks, and it is not implemented, it is willful negligence.  In the final section of our report, we’ll look at how that worked out for a specific MDR customer.

Case study: You got another thing comin’ (and another and another and)

Over and over in the Active Adversary report series, we’ve repeated three fundamental security principles – basic hygiene for defenders. Here they are again in large-print haiku form:

Close exposed RDP ports,

Use mfa, and, patch vulnerable servers..

Why do we keep hammering away at this? Because these three security tenets still aren’t universally adopted, and we see the results.  One particular MDR customer last year learned this the hard way, falling victim to compromise four times within a six-month period. With business requirements preventing the customer from addressing the root cause, the attacker gained initial access through the same vector each time – brute force attacks against exposed RDP ports. We’ve changed some of the details to protect the customer’s identity, but we offer a year in the life of their story to encourage our readers to avoid this fate by prioritizing basic security hygiene.

December 2022 (prologue): Initial access occurred via successful brute force attacks against multiple exposed RDP ports. The attacker leveraged multiple PowerSploit modules and Rubeus tooling to compromise authentication, before dropping a number of malicious binaries and downloading an EDR-killer tool. Sophos MDR’s response actions quickly contained the threat. However, the customer declined the MDR recommendation to restrict access to exposed RDP ports, citing business needs.

Recommendations: After this case, MDR recommended the customer close various RDP ports exposed to the internet; the customer declined, citing business needs. (A recommendation for domain-wide credential reset was not addressed; a patching recommendation was likewise unaddressed.)

Summer 2023: Initial access was again achieved through successful brute force attacks against exposed RDP ports. The attacker then created and leveraged the open-source PAExec tool to run Nltest commands to enumerate domain controllers within the estate. Following enumeration, the attacker moved laterally and modified registry values to enable Remote Desktop connections, allow unsolicited remote assistance requests, and disable Network Layer Authentication for RDP.

Recommendations: After this case, MDR reiterated the earlier recommendation that the customer close the exposed RDP ports, and also recommended that the customer enable multifactor authentication, especially if the RDP ports were still required to be exposed. The client again declined the port recommendation and stated that MFA options were under business review.

Through December 2023: About five months later, a welter of attacks hit at approximately two-week intervals, each triggering a fresh round of response engagements. Initial access each time was achieved by brute force against exposed RDP. Once again, following initial access, the attackers performed enumeration, moved laterally and modified registry settings to reduce restrictions on RDP access. Response actions were taken swiftly; however, investigators found a publicly exposed employee web portal with no MFA. Meanwhile, six ports first identified a year earlier were still exposed to the internet. Despite MDR’s persistent recommendations, internal business requirements continued to prevent the customer from implementing the appropriate security measures, leaving them vulnerable to ongoing targeting by threat actors using brute force attacks.

January 2024: Two weeks later, the customer greeted the new year with another attack via the same open ports. The timeframe of this report ends here, but in all likelihood the attacks on the customer did not. The customer’s business requirements do not allow them to restrict access to exposed RDP, nor have they enabled MFA; under those circumstances, there’s not much barrier to wave upon wave of further attacks, nor much further advice incident responders can offer them.

Risk acceptance is up to every organization individually; there is no one-size-fits-all for risk management. However, when the risk as accepted leaves you continually fighting fires in all directions, it’s probably time to reassess.  No matter how much the rest of your defenses are tightened, without following basic security principles, the organization will persistently be left defending against threat actors whose initial access could have been stopped at the first hurdle.

Looking back on 2023’s data we are left with a feeling that not enough is being done to protect organizations from harm. Sure, some businesses may have the necessary protections in place, but no one is paying attention. Often, the sole differences between organizations that are breached and ones that aren’t are 1) the preparation entailed by selecting and putting the proper tools in place and 2) the knowledge and readiness to act when required.

Ransomware attacks have reached a stasis point with respect to prevalence, tooling, and timelines. Unfortunately, we are also still seeing the same mistakes being made by defenders every year. It’s with this in mind that we think organizations need to urgently participate in their own rescue. No industry, product, or paradigm is perfect, but we’re still fighting yesterday’s battles with, too often, the day before yesterday’s weaponry. Most of the tools and techniques described in this report have solutions, or at the very least, mitigations to limit their harm, but defenses are simply not keeping up.

Stolen credentials and unpatched systems should be a statistic from a bygone era. Unprotected systems, overprivileged users, and uncontrolled applications are problems that have solutions. Missing telemetry may not be entirely the fault of the victims (determined attackers will continue to make defenders’ work harder by interfering with that), but insufficient logging, or no logging at all, is an unintended oversight at best and a deliberate failure to act at worst. These are all unforced errors, and they must stop now.

A retrospective analysis such as this, especially during a relatively quiet moment in the struggle, is an opportunity to learn from previous mistakes. It can be tempting to look at our failings and get angry that we aren’t progressing like we should. We say: Don’t look back in anger — look forward to how you can make positive change today for a better tomorrow.

Acknowledgements

MDR’s Hilary Wood co-authored this report’s case study (“You got another thing comin’ [and another and another]”); Lee Kirkpatrick contributed the Active Adversary Special Report on RDP (“ Remote Desktop Protocol: The Series ”) to which this report makes extensive reference. The authors wish to thank Chester Wisniewski for his insights during the analysis process. Figure 6 was excerpted with thanks from work released in 2023 by World Watch – Global CERT – Orange Cyberdefense . Special acknowledgement for Figure 7, which is the work of the late Vitali Kremez . He is greatly missed.

Appendix: Demographics and methodology

As we put together this report, we chose to narrow our focus to 154 cases that could be meaningfully parsed for useful information on the state of the adversary landscape as of the end of 2023. Protecting the confidential relationship between Sophos and our customers is of course our first priority, and the data you see here has been vetted at multiple stages during this process to ensure that no single customer is identifiable through this data – and that no single customer’s data skews the aggregate inappropriately. When in doubt about a specific case, we excluded that customer’s data from the dataset.

Figure A1: Around the globe and up your street, it’s the Sophos X-Ops IR team

The full list of nations and other locations represented in the 2023 report data is as follows:

The full list of industries represented in the 2023 data for this report is as follows:

Methodology

The data in this report was captured over the course of individual investigations undertaken by Sophos’ X-Ops Incident Response team. For this initial report of 2024, we gathered case information on all investigations undertaken by the team in 2023 and normalized it across 43 fields, examining each case to ensure that the data available was appropriate in detail and scope for aggregate reporting as defined by the focus of the proposed report.

When data was unclear or unavailable, the authors worked with individual IR case leads to clear up questions or confusion. Incidents that could not be clarified sufficiently for the purpose of the report, or about which we concluded that inclusion risked exposure or other potential harm to the Sophos-client relationship, were set aside. We then examined each remaining case’s timeline to gain further clarity on such matters as initial ingress, dwell time, exfiltration, and so forth. We retained 154 cases, and those are the foundation of the report.

• Share on Facebook
• Share on LinkedIn

John Shier is a Field CTO at Sophos. John is a popular presenter at security events, and is well-known for the clarity of his advice, even on the most complex security topics. John doesn't just talk the talk: he also gives hands-on technical support and product education to Sophos partners and customers.

Angela Gunn

Angela Gunn is a senior threat researcher in Sophos X-Ops. As a journalist and columnist for two decades, her outlets included USA Today, PC Magazine, Computerworld, and Yahoo Internet Life. Since morphing into a full-time technologist, she has focused on incident response, privacy, threat modeling, GRC, OSINT, and security training at companies including Microsoft, HPE, BAE AI, and SilverSky.

Read Similar Articles

What to expect when you’ve been hit with avaddon ransomware, what’s new in sophos edr 4.0, sophos xdr: driven by data, leave a reply cancel reply.

Your email address will not be published. Required fields are marked *

Save my name, email, and website in this browser for the next time I comment.