Microsoft Digital Defense Report
CalChamber Cybersecurity Webinar
JJ Jones, Senior Corporate Counsel
OCTOBER 2021

Transcript of Microsoft Digital Defense Report

Page 1: Microsoft Digital Defense Report

Microsoft Digital Defense Report

CalChamber Cybersecurity Webinar
JJ Jones, Senior Corporate Counsel

OCTOBER 2021

Page 2: Microsoft Digital Defense Report

Microsoft security signals: Volume and diversity of signals processed by Microsoft

Over 150 report contributors across these focus areas:

The state of cybercrime

Nation state threats

Supply chain, IOT, and OT security

Hybrid workforce security

Disinformation

Actionable insights

THE MICROSOFT DIGITAL DEFENSE REPORT DRAWS ON INSIGHTS, DATA, AND SIGNALS FROM ACROSS MICROSOFT, INCLUDING THE CLOUD, ENDPOINTS, AND THE INTELLIGENT EDGE.

Page 3: Microsoft Digital Defense Report

The growing threat of cybercrime
• A threat to national security
• Cybercriminals attacking all sectors
• Ransomware attacks increasingly successful
• Cybercrime supply chain continues to mature

POSITIVE TRENDS
• Transparency: governments and companies coming forward
• Priority: new laws, task forces, resources, partnerships

The cybercrime economy and services

WITH NO TECHNICAL KNOWLEDGE OF HOW TO CONDUCT A CYBERCRIME ATTACK, AN AMATEUR THREAT ACTOR CAN PURCHASE A RANGE OF SERVICES TO CONDUCT THEIR ATTACKS WITH ONE CLICK.

Page 4: Microsoft Digital Defense Report

What we’re seeing in ransomware data and signals

Ransomware encounter rate (machine count): Enterprise customers (Defender data)

Overall increase in ransomware encounters, with a notable surge in consumer and commercial encounters in late 2019, when RaaS started to grow, and in early 2020 at the onset of the COVID-19 pandemic.

DART ransomware engagements by industry (July 2020-June 2021)

Deploy ransomware protection

The stakes have changed. There is a massive growth trajectory for ransomware and extortion.

Page 5: Microsoft Digital Defense Report

Moving toward a hybrid workforce at Microsoft

Global pre-COVID onsite work and the rapid move to remote work, followed by gradual return

Global weekly unique badge scans (January – August 2021)

Zero Trust across the digital estate: VISIBILITY, AUTOMATION, ORCHESTRATION

Page 6: Microsoft Digital Defense Report

The basics matter

LOOKING BACK AT THIS YEAR:

Email compromise is a continuing threat vector. Cybercriminals use malware posing as a legitimate software update to target unsuspecting employees. Adversaries are targeting organizations’ on-premises systems, reinforcing the need to move infrastructure to the cloud, where security is more difficult to penetrate.

Key takeaway: If compromised organizations had applied basic security hygiene like patching, applying updates, or turning on MFA, they may have been spared or less impacted.

ORGANIZATIONS THAT DO NOT APPLY OR MAINTAIN THESE BASIC HYGIENE PRACTICES WILL FACE MUCH GREATER EXPOSURE TO ATTACKS.

Page 7: Microsoft Digital Defense Report

Disinformation as an emerging threat

Widely used consumer platforms and services now provide state and non-state actors with powerful channels for distributing disinformation.

Mapping the problem

These methods are injecting new powers of persuasion into disinformation campaigns.

Disinformation as an enterprise disruptor

• Disinformation has made its way into enterprise workflows that are dependent on data collection, aggregation, and distribution practices.

• Enterprise signals and data could be compromised through security vulnerabilities or attacks and infused with disinformation.

• Situational intelligence could be supplanted with disinformation or nuanced in ways to generate bias or create doubt in the minds of decision makers.

Four-point plan for enterprise executives

1. Catalog enterprise exposures to disruption, manipulation, and disinformation.

2. Assess the impact of manipulation or disinformation.

3. Quantify the consequences of disruption.

4. Assess privacy implications of disruption.

Page 8: Microsoft Digital Defense Report

CHAPTER 3

Nation state threats

Tracking nation state threats

What we’re seeing

Analysis of nation state activity this year

Private sector offensive actors

Comprehensive protections required

Page 9: Microsoft Digital Defense Report

NATION STATE ACTORS TRY TO MEET GOVERNMENT OBJECTIVES – SURVEILLANCE, INFORMATION COLLECTION, DESTRUCTION, AND OTHER ACTIONS.

Key themes and takeaways

• Despite the world’s attention on attacks coming from Russia and China, they continue to pursue intelligence objectives.

• Digital transformation and the cloud are key to combatting nation state attackers – fighting on-premises attacks is hand-to-hand combat.

• Government leadership and partnership is continuing to grow, showing important progress.

LOOKING BACK AT NATION STATES THIS YEAR:

Page 10: Microsoft Digital Defense Report

Attackers increase use of deception to pursue national objectives

• Focused efforts on exposing security vulnerabilities in the supply chain.

• Targeted government agencies, IGOs, NGOs, and think tanks for espionage or surveillance.

• Increased reliance on remote work infrastructure gave malicious actors new vectors to target private networks.

NATION STATE ACTORS APPEAR TO BE INCREASING THE SCALE AND VOLUME OF ATTACKS TO EVADE DETECTION.

Page 11: Microsoft Digital Defense Report

Countering nation state activity

5-PRONGED APPROACH

Tracking and reporting nation state threats

• Nation state notifications (NSNs) are sent to customers and individuals targeted or compromised

• Data in the Nation State chapter is based on NSNs sent

• Information comes from Microsoft cloud services

Empower customers

Leverage technology

Take technical action against malicious operations

Pursue legal action: Digital Crimes Unit

Inform public disclosure and policy

Page 12: Microsoft Digital Defense Report

A sample of what we’re seeing globally (July 2020-June 2021)

Most targeted countries

Most targeted sectors

Most active nation state activity groups

Page 13: Microsoft Digital Defense Report

Russia analysis: Activity and motivations

• NOBELIUM and abuse of supply chain and other trusted technical relationships
• A range of techniques to evade detection and attribution
• Higher rates of compromise achieved and more government organizations targeted
• Seeking intelligence on the United States and Europe

Page 14: Microsoft Digital Defense Report

China analysis: Activity and motivations

• HAFNIUM and the Exchange vulnerabilities
• More 0-days and other exploitation of vulnerabilities
• Worldwide intelligence collection operation

Page 15: Microsoft Digital Defense Report

China (continued)

China: Top five targeted industries/sectors

China: Target attempts vs successful compromise

HAFNIUM: Top targeted industries/verticals (Prior to the increase in Exchange Server exploitation)

July 2020-June 2021

The most prevalent targets of China-based threat activity were government entities worldwide. The targeting of three countries’ government entities accounted for half of the NSNs issued and 23 countries accounted for the remaining half.

Chinese nation state threat actors were successful in compromising victims 44% of the time. However, because they are an advanced persistent threat, if they are tasked to target an entity for intelligence collection, they will find another vulnerability to leverage to gain access.

In early March 2021, Microsoft blogged about HAFNIUM for the first time related to the detection of multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server. HAFNIUM, based on observed victimology, tactics, and procedures, primarily targets entities in the United States across a number of industry sectors.

Page 16: Microsoft Digital Defense Report

Iran analysis: Activity and motivations

Focused on Israel with new attack tools amid broader escalation

A wait-and-see approach toward the United States likely serves two purposes

Iran: Most targeted countries (July 2020–June 2021)

Page 17: Microsoft Digital Defense Report

Iran: Flow of a typical PHOSPHORUS compromise from spear phish

Conferences, conventions, and trade shows are widely known throughout industry and the US government as a hotbed of intelligence collection activities, both by domestic competitive intelligence and foreign adversaries.

Page 18: Microsoft Digital Defense Report

North Korea analysis: Activity and motivations

• Vast appetite for intelligence
• New type of cyberattack created in global pandemic
• Nation state Bitcoin theft
• Sophisticated social engineering targeting security researchers

Page 19: Microsoft Digital Defense Report

Vietnam

Turkey

• BISMUTH utilized cryptocurrency miners to target private sector and government institutions in France and Vietnam.

• Carefully planned attacks, conducting reconnaissance before creating uniquely crafted spear-phishing emails.

• Once it compromised networks, BISMUTH sought to achieve continuous monitoring.

• SILICON pursues intelligence collection for strategic Turkish interests from a variety of countries, primarily in the Middle East and the Balkans.

• Reconnaissance indicates heavy focus on countries of strategic interest to Turkey including Armenia, Cyprus, Greece, Iraq, and Syria.

• Regularly target telecommunication and IT companies, likely to establish a foothold upstream of their desired target.

Page 20: Microsoft Digital Defense Report

Additional Information

Defending against nation state threats

Page 21: Microsoft Digital Defense Report

Protect your organization, protect yourself

Protect your Digital Estate
• Multi-factor authentication
• Defense in depth strategies
• Monitoring and logging
• Patch!
• Credential hygiene
• Assume breach
• Asset inventory
• Educate employees
• Repeat

Protect your Digital Person
• Strong passwords
• Multi-factor authentication
• Patch everything
• Use VPN services when mobile
• Change default passwords in IOT or other devices you use
• Every quarter: Back up your personal data; check your account recovery information; ensure mail forwarding is disabled

Page 22: Microsoft Digital Defense Report

Use an Authentication App

Multifactor Authentication is essential to your personal security

Page 23: Microsoft Digital Defense Report

Use a VPN Service on your phone

Sets a secure connection from the network you are on to a network you’re trying to reach

Look for a well-known VPN provider that respects security

Helps protect your personal communications on mobile devices

Very important when traveling

Page 24: Microsoft Digital Defense Report

Mail Forwarding Rules – Important!

Mail Forwarding
• Go into Settings in Hotmail / Outlook
• Select “View all Outlook settings”
• Select “Forwarding”
• Note: if you have MFA enabled, you will need to approve it
• If the “Enable Forwarding” box is checked and you did not set it up yourself, you’ve been compromised and the actor is receiving your emails. Uncheck it.
• Check every month to make sure the attacker hasn’t returned.

Page 25: Microsoft Digital Defense Report

Mail Forwarding in Office 365

For enterprise users:
• Admins can disable forwarding for the organization or allow it to be automatically controlled by the service.
• If it is allowed, have admins review the need on a quarterly basis and enforce password resets regularly with users who have forwarded accounts.
• Disable accounts where forwarding is no longer essential.
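The quarterly admin review described on this slide can be scripted. The following is an added example for this transcript, not Microsoft's code and not shown in the webinar. It assumes the ExchangeOnlineManagement module is installed and that Connect-ExchangeOnline has already been run with a role able to read mailboxes and inbox rules; the function and parameter names (Get-MailForwardingReport, Disable-ExternalAutoForwarding, $InternalDomains) are this example's own, while the cmdlets it calls (Get-AcceptedDomain, Get-Mailbox, Get-InboxRule, Set-HostedOutboundSpamFilterPolicy) are standard Exchange Online cmdlets. It reports both kinds of forwarding an attacker can leave behind: the mailbox-level "Forwarding" setting from the previous slide and inbox rules that forward or redirect mail.

```powershell
# Added example for this transcript; not Microsoft's code and not shown in the webinar.
# Assumes: ExchangeOnlineManagement module installed and Connect-ExchangeOnline already run
# with a role that can read mailboxes and inbox rules.

# Pull the domain out of values such as "smtp:bob@example.com" or "Bob [SMTP:bob@example.com]".
function Get-ForwardTargetDomain {
    param([string]$Value)
    if ($Value -match '[\w.+-]+@((?:[\w-]+\.)+[\w-]+)') { return $Matches[1].ToLowerInvariant() }
    return $null
}

function Get-MailForwardingReport {
    [CmdletBinding()]
    param(
        # Domains owned by the tenant; any other target domain is reported as external.
        [string[]]$InternalDomains = (Get-AcceptedDomain | Select-Object -ExpandProperty DomainName)
    )
    $InternalDomains = @($InternalDomains | ForEach-Object { $_.ToLowerInvariant() })

    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        # 1. Mailbox-level forwarding: the user's "Forwarding" setting or an admin-set forward.
        foreach ($target in @($mbx.ForwardingSmtpAddress, $mbx.ForwardingAddress) | Where-Object { $_ }) {
            $domain = Get-ForwardTargetDomain "$target"
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                Source   = 'MailboxSetting'
                Rule     = $null
                Target   = "$target"
                External = [bool]($domain -and $InternalDomains -notcontains $domain)
                KeepCopy = $mbx.DeliverToMailboxAndForward
            }
        }

        # 2. Inbox rules that forward or redirect mail (these survive a mailbox-setting cleanup).
        foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
            foreach ($target in $targets) {
                $domain = Get-ForwardTargetDomain "$target"
                [pscustomobject]@{
                    Mailbox  = $mbx.UserPrincipalName
                    Source   = 'InboxRule'
                    Rule     = "$($rule.Name) (enabled: $($rule.Enabled))"
                    Target   = "$target"
                    External = [bool]($domain -and $InternalDomains -notcontains $domain)
                    KeepCopy = $null
                }
            }
        }
    }
}

# Tenant-wide control for "Admins can disable forwarding for the organization": the outbound
# spam filter policy's AutoForwardingMode (Off / On / Automatic) governs automatic forwarding
# to external domains. Supports -WhatIf so the change can be previewed first.
function Disable-ExternalAutoForwarding {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$PolicyName = 'Default')
    if ($PSCmdlet.ShouldProcess($PolicyName, 'Set AutoForwardingMode to Off')) {
        Set-HostedOutboundSpamFilterPolicy -Identity $PolicyName -AutoForwardingMode Off
    }
}

# Usage: list every external forward for review, then preview the tenant-wide setting change.
Get-MailForwardingReport | Where-Object External | Format-Table Mailbox, Source, Rule, Target -AutoSize
Disable-ExternalAutoForwarding -WhatIf   # drop -WhatIf to apply
```

Run the report before and after the quarterly review; a mailbox that reappears in it after the forward was removed is the enterprise equivalent of the "check every month" advice on the previous slide and is worth a password reset and a look at the sign-in history.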

Page 26: Microsoft Digital Defense Report

Social Media Abuse: Which one is Fake?

Page 27: Microsoft Digital Defense Report

Final Thoughts

Wrap Up

Get cloudy. Microsoft’s cloud technology, when coupled with smart cybersecurity practices, provides strong protection against nation state attacks.

Don’t overlook the basics.
• Russia and Iran are actively using password spray tactics right now – strong passwords and MFA matter a lot!
• China will take advantage of unpatched systems or web bugs to be able to leverage information later.

Stay vigilant. There’s a reason these groups are called advanced persistent threats. Apply defense in depth principles to your enterprise and your digital person.
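Password spraying, the tactic called out above, has a recognisable shape in sign-in logs: one source tries a small number of passwords against many different accounts, rather than many passwords against one. The following added example (not Microsoft's code and not part of the webinar) scores failed sign-in records by that shape. The record fields (Timestamp, User, SourceIp, Result), the thresholds and the sample data are all constructed here; map the fields to whatever sign-in log export you use.

```powershell
# Added example for this transcript; not Microsoft's code. Field names, thresholds and the
# sample data below are constructed for illustration.

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]]$SignIns,
        [int]$WindowMinutes = 60,              # bucket size for grouping failures
        [int]$MinDistinctUsers = 5,            # spray: many different accounts...
        [double]$MaxMeanAttemptsPerUser = 2    # ...each tried only a few times
    )
    $ticksPerWindow = [timespan]::TicksPerMinute * $WindowMinutes

    $SignIns |
        Where-Object { $_.Result -eq 'Failure' } |
        # Group failures by source address and time bucket.
        Group-Object -Property { "$($_.SourceIp)|$([math]::Floor($_.Timestamp.Ticks / $ticksPerWindow))" } |
        ForEach-Object {
            $events  = @($_.Group)
            $perUser = @($events | Group-Object -Property User)
            $mean    = $events.Count / $perUser.Count
            # Many distinct targets with few attempts each is the spray signature; a single
            # account with many failures is brute force and is deliberately not flagged here.
            if ($perUser.Count -ge $MinDistinctUsers -and $mean -le $MaxMeanAttemptsPerUser) {
                [pscustomobject]@{
                    SourceIp       = $events[0].SourceIp
                    WindowStart    = ($events | Sort-Object Timestamp)[0].Timestamp
                    DistinctUsers  = $perUser.Count
                    FailedAttempts = $events.Count
                    Users          = ($perUser.Name -join ', ')
                }
            }
        }
}

# Constructed sample: one source trying six accounts once each (spray), one source hammering a
# single account (brute force, not spray), and one user who mistyped a password once.
$t0 = [datetime]'2021-10-05T09:00:00Z'
$sampleSignIns = @()
foreach ($i in 1..6) {
    $sampleSignIns += [pscustomobject]@{ Timestamp = $t0.AddMinutes($i); User = "user$i@example.com"; SourceIp = '203.0.113.5'; Result = 'Failure' }
}
foreach ($i in 1..8) {
    $sampleSignIns += [pscustomobject]@{ Timestamp = $t0.AddSeconds($i * 10); User = 'admin@example.com'; SourceIp = '198.51.100.7'; Result = 'Failure' }
}
$sampleSignIns += [pscustomobject]@{ Timestamp = $t0.AddMinutes(30); User = 'user9@example.com'; SourceIp = '192.0.2.44'; Result = 'Failure' }
$sampleSignIns += [pscustomobject]@{ Timestamp = $t0.AddMinutes(31); User = 'user9@example.com'; SourceIp = '192.0.2.44'; Result = 'Success' }

Find-PasswordSpray -SignIns $sampleSignIns | Format-Table -AutoSize
# Only 203.0.113.5 is reported: 6 distinct users, 6 failures, one attempt per user.
```

The thresholds are a starting point, not a standard; tune them against a week of your own failed sign-ins so that shared NAT addresses and helpdesk test accounts do not trip the rule. The accounts listed in the Users column are the ones that most benefit from the slide's advice: MFA stops a sprayed-but-correct password from becoming a sign-in.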

Page 28: Microsoft Digital Defense Report

View the full report: https://aka.ms/MDDR

See interactive report highlights: https://www.Microsoft.com/en-us/securitynow

Page 29: Microsoft Digital Defense Report

Thank you

Page 30: Microsoft Digital Defense Report

Emerging Trends Since Shift to Remote Work

o Fairly steady state of nation-state attacks

  • With Covid, we saw targeted/direct attacks to compromise organizations or personal email of individuals tied to international response efforts or research on Covid.

o Malware/phishing emails modifying their tactics and COVID-themed lures/attacks

o Ransomware attacks taking advantage of unpatched VPNs

Digital Security Unit

Page 31: Microsoft Digital Defense Report

How Orgs Can Prep for a Cybersecurity or Ransomware Event

The stakes have changed. There is a massive growth trajectory for ransomware and extortion. To help protect your organization from ransomware, we recommend that organizations:

Prepare a Recovery Plan: By making it harder to access and disrupt systems, which minimizes the monetary incentives for ransomware attackers and makes it easier to recover from an attack without paying the ransom.

Limit the Scope of Damage: By forcing the attackers to work harder to gain access to multiple business-critical systems.

Make it Harder to Get In: By following basic cybersecurity hygiene steps that make it more difficult for attackers to gain access to the network.
