Big Data and Cybersecurity · Big Data and Cybersecurity Microsoft Digital Crimes Unit Cristina...

Microsoft Confidential Big Data and Cybersecurity Microsoft Digital Crimes Unit Cristina Metea Microsoft Romania 10 June 2016



Cybersecurity is a Boardroom-level Issue

• 160M data records compromised from the top 8 breaches in 2015
• 556M victims of cybercrime per year
• $400B cost of cyberattacks to companies each year
• 71% of companies admit they fell victim to a successful cyber attack the prior year
• $3 trillion estimated cost in economic value from the cybercrime industry by 2020
• 140+ median number of days between infiltration and detection


MICROSOFT’S UNIQUE PERSPECTIVE

• 300B user authentications each month
• 1B Windows devices updated
• 200B emails analyzed for spam and malware


A Layered Approach to Security

Helping to protect our customers, our company, and our world

These growing threats demand a coordinated response:

• Cyber Security Services Engineering

• Digital Crimes Unit

• Information Security & Risk Management

• Microsoft Azure

• Microsoft Security Response Center

• Microsoft Threat Intelligence Center

• Office 365

• Windows & Devices Group

Cyber Defense Operations Center


The Microsoft Digital Crimes Unit

A safer digital experience for every person and organization on the planet

Public and private partnerships to fight technology-facilitated crimes, combining novel legal strategies, cutting-edge forensics, cloud and big data analytics.


Malware Disruptions

DCU acquires targets, investigates, and orchestrates global partnerships to take action, working with law enforcement and others to disrupt the criminal infrastructure.

Our malware intelligence is embedded into Microsoft’s products and services.

We enable CERTs/ISPs globally to notify and remediate.


Public and Private Partnerships

Public-private cooperation leads to international malware disruptions, driving scale and impact.


Botnet Takedowns and Malware Disruption Operations

OPERATION Conficker (Feb 2010): Microsoft-led model of industry-wide efforts to counter the threat. Threat: botnet worm sending spam and attempting to steal confidential data and passwords.

OPERATION Waledac (Feb 2010): First MS takedown operation, proving the model of industry-led efforts. Disconnected 70,000-90,000 infected devices from the botnet. Threat: botnet worm sending spam.

OPERATION Rustock (March 2011): Supported by stakeholders across industry sectors. Involved US and Dutch law enforcement, and CN-CERT. Threat: spam, on average 192 spam messages per compromised machine per minute.

OPERATION Kelihos (Sep 2011): Partnership between Microsoft and security software vendors. First operation with a named defendant. Threat: spam, Bitcoin mining, DDoS attacks.

OPERATION Zeus (March 2012): Cross-sector partnership with financial services. Focused on disruption because of technical complexity. Threat: identity theft / financial fraud.

OPERATION Nitol (Sep 2012): Nitol was introduced in the supply chain relied on by Chinese consumers. Settled with the operator of the malicious domain. Threat: malware spreading, DDoS attacks.

OPERATION Bamital (Feb 2013): Bamital hijacked people’s search results and took victims to dangerous sites. Takedown in collaboration with Symantec, with a proactive notification and cleanup process. Threat: advertising click fraud.

OPERATION Citadel (June 2013): Citadel committed online financial fraud responsible for more than $500M in losses. Coordinated disruption with the public and private sectors. Threat: identity theft / financial fraud.

OPERATION Sirefef (Dec 2013): ZeroAccess (Sirefef) hijacked search results, taking victims to dangerous sites. It cost online advertisers upwards of $2.7 million each month. Threat: advertising click fraud.

OPERATION Bladabindi & Jenxcus (June 2014): Malware using Dynamic DNS for command. It involved password and identity theft, webcam access and other privacy invasions. Over 200 different types of malware impacted. Threat: identity theft / financial fraud / privacy invasion.

OPERATION Gameover Zeus (June 2014): Gameover Zeus (GOZ) was a banking Trojan. Worked in partnership with law enforcement, providing technical remediation. Threat: identity theft / financial fraud.

OPERATION Caphaw (July 2014): Caphaw was focused on online financial fraud responsible for more than $250M in losses. Coordinated disruption with the public and private sectors. Threat: identity theft / financial fraud.

OPERATION Ramnit (Feb 2015): Module-based malware stealing credential information from banking websites, configured to hide itself. Threat: credential information theft / disabling security defenses.

OPERATION Simda (April 2015): Theft of personal information, including banking passwords, as well as installing and spreading other malware. Threat: theft of personal data / installing and spreading other malware.

OPERATION Dorkbot (December 2015): Used for cybercriminal activities such as credential harvesting for financial fraud, DDoS attacks and the downloading of malicious payloads. Threat: financial fraud, DDoS attacks.


Actionable Intelligence from Malware Disruptions


Most Common Malware Threats in Romania, 1-31 March 2016

• Conficker (84,452). Disruption operation: February 2010. Botnet worm.

• Ramnit (79,810). Disruption operation: Feb 2015. Credential information theft / disabling security defenses.

• Bladabindi & Jenxcus (66,430). Disruption operation: June 2014. Malware using Dynamic DNS for command. It involved password and identity theft, webcam and other privacy invasions. Over 200 different types of malware impacted by the takedown. Identity theft / financial fraud / privacy invasion.

• Dorkbot (61,424). Used for cybercriminal activities such as credential harvesting for financial fraud, DDoS attacks, and the downloading of malicious payloads. Disrupted in cooperation with the FBI and international law enforcement.


Strategic Enforcement

Abuse in the Reseller Channel

Identifying criminal activity by building a smart detection system that uses Machine Learning, using a known criminal data model to identify similar crimes.

[Chart: distribution of resellers by average distance between customer address and activation location, in miles. X-axis: 100-mile bins from 0-100 up to 4400-4500. Y-axes: number of resellers (0-450) and % of resellers (0-1). Five resellers, marked "Criminal target 1" through "Criminal target 5", are highlighted on the distribution.]
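The reseller-abuse detection sketched above, as an added example that is not part of the original deck and not Microsoft’s own model: it computes the feature the chart plots (the average great-circle distance between each customer’s address and the location where the licence was activated, per reseller), bins it the way the chart does, and then applies a nearest-centroid rule against a handful of resellers already labelled as criminal, which stands in for the slide’s "known criminal data model". Every reseller ID, coordinate, activation record, the 500-mile cut-off and the two-feature classifier are assumptions constructed for illustration.

```python
"""
Added example (not from the slide deck, not Microsoft DCU code): scoring licence
resellers on the average distance between a customer's address and the activation
location, and comparing each reseller with resellers already labelled as criminal.
Every reseller ID, coordinate, activation record and threshold below is constructed
for illustration; the nearest-centroid rule is an assumed stand-in for the slide's
"known criminal data model".
"""
from collections import defaultdict
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev

EARTH_RADIUS_MILES = 3958.8
FAR_MILES = 500.0  # assumed cut-off for an "implausibly remote" activation

# Approximate city coordinates (lat, lon) used as constructed sample locations.
BUCHAREST = (44.4268, 26.1025)
PLOIESTI = (44.9365, 26.0127)
CLUJ = (46.7712, 23.6236)
LONDON = (51.5074, -0.1278)
NEW_YORK = (40.7128, -74.0060)


def haversine_miles(a, b):
    """Great-circle distance in miles between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(h))


# Constructed activation records: (reseller_id, customer_address, activation_location).
# R-1, R-2 and R-6 activate near their customers; R-3, R-4 and R-5 activate a continent away.
ACTIVATIONS = [
    ("R-1", BUCHAREST, PLOIESTI), ("R-1", BUCHAREST, BUCHAREST), ("R-1", CLUJ, CLUJ),
    ("R-2", CLUJ, BUCHAREST), ("R-2", PLOIESTI, PLOIESTI), ("R-2", BUCHAREST, PLOIESTI),
    ("R-3", BUCHAREST, LONDON), ("R-3", CLUJ, NEW_YORK), ("R-3", PLOIESTI, LONDON),
    ("R-4", BUCHAREST, NEW_YORK), ("R-4", BUCHAREST, NEW_YORK), ("R-4", CLUJ, LONDON),
    ("R-5", PLOIESTI, LONDON), ("R-5", BUCHAREST, NEW_YORK), ("R-5", CLUJ, LONDON),
    ("R-6", BUCHAREST, BUCHAREST), ("R-6", CLUJ, PLOIESTI), ("R-6", PLOIESTI, BUCHAREST),
]
KNOWN_CRIMINAL = {"R-3", "R-4"}  # constructed labels standing in for known criminal data
KNOWN_BENIGN = {"R-1", "R-2"}


def reseller_features(records):
    """Per reseller: activation count, average customer-to-activation distance in
    miles (the slide's x-axis) and the fraction of activations beyond FAR_MILES."""
    per = defaultdict(list)
    for reseller, customer, activation in records:
        per[reseller].append(haversine_miles(customer, activation))
    return {
        r: {"n": len(d),
            "avg_distance_miles": mean(d),
            "far_fraction": sum(x > FAR_MILES for x in d) / len(d)}
        for r, d in per.items()
    }


def histogram(features, bin_width=100):
    """Number of resellers per bin of average distance, the shape of the slide's chart."""
    counts = defaultdict(int)
    for f in features.values():
        lo = int(f["avg_distance_miles"] // bin_width) * bin_width
        counts[f"{lo}-{lo + bin_width}"] += 1
    return dict(counts)


def classify(features, known_criminal, known_benign):
    """Nearest-centroid rule on standardised features: an unlabelled reseller is
    flagged 'suspect' when it sits closer to the centroid of the known criminal
    resellers than to the centroid of the known benign ones.  Returns
    {reseller: (label, margin)}; a positive margin favours 'suspect'."""
    keys = ("avg_distance_miles", "far_fraction")
    scale = {}
    for k in keys:
        col = [f[k] for f in features.values()]
        scale[k] = (mean(col), pstdev(col) or 1.0)  # guard against a constant column

    def z(f):
        return [(f[k] - scale[k][0]) / scale[k][1] for k in keys]

    def centroid(ids):
        return [mean(c) for c in zip(*(z(features[i]) for i in ids))]

    def dist(p, q):
        return sqrt(sum((a - b) ** 2 for a, b in zip(p, q)))

    bad, good = centroid(known_criminal), centroid(known_benign)
    verdict = {}
    for r, f in features.items():
        if r in known_criminal or r in known_benign:
            continue  # only score resellers that are not already labelled
        margin = dist(z(f), good) - dist(z(f), bad)
        verdict[r] = ("suspect" if margin > 0 else "benign", round(margin, 2))
    return verdict


if __name__ == "__main__":
    feats = reseller_features(ACTIVATIONS)
    for r, f in sorted(feats.items()):
        print(f"{r}: n={f['n']} avg={f['avg_distance_miles']:.0f} mi far={f['far_fraction']:.2f}")
    print("histogram:", histogram(feats))
    print("verdicts:", classify(feats, KNOWN_CRIMINAL, KNOWN_BENIGN))
```

Run as a script it prints each reseller’s features, the binned distribution and the verdicts for the two unlabelled resellers. The standardisation step matters: without it the mile-scale distance feature would swamp the 0-1 far-activation fraction. In a real pipeline the two points would come from the geocoded order address and the activation event, and the labels from closed enforcement cases rather than constructed sets.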


The Microsoft SECURITY PLATFORM


Microsoft is committed to building trust with governments and sharing security information

Government Security Program objectives:

• Help protect governments and their citizens
• Build trust and transparency
• Strengthen public-private partnerships

• Direct access to Microsoft product and security resources
• Access to Transparency Centers to work with source code
• Remote access to online source code
• Technical data, including Microsoft Azure and O365
• Information sharing about threats and vulnerabilities, leveraging CTIP


Protect Your Environment

Best practices: invest in your platform, invest in your instrumentation, invest in your people

• Maintain a well-documented inventory of your assets
• Acquire/build the tools needed to fully monitor your network, hosts, and logs
• Establish relationships and communication between the incident response team and other groups
• Define your security policy with clear standards and guidance
• Proactively maintain controls and measures, and regularly test them for accuracy and effectiveness
• Adopt least privilege admin principles; eliminate persistent admin rights
• Use proper hygiene: most attacks can be prevented with timely patches and antivirus
• Maintain tight control over change management policies
• Use the lessons learned to gain value from every major incident
• Employ multi-factor authentication to strengthen protection of accounts and devices
• Monitor for abnormal account and credential activity to prevent abuse
• Educate, empower, and enlist users to recognize likely threats and their role in protecting business data


www.microsoft.com/sir
www.microsoft.com/sdl
www.microsoft.com/twc
blogs.technet.com/security
www.microsoft.com/trustedcloud
