Jon Abbott
Microsoft Digital Defense Report 2022
Microsoft stress how critical it is to ensure your security controls are deployed, functioning and checked.
For those of you eager for the crux of the report, the vital elements are:
- Cybercrime has been industrialised
- Identity Controls are critical
- Privileged accounts are getting heavily targeted
- Excellent Cyber Hygiene still prevents 98% of all attacks
However, hopefully you are keen to dig into more of the details. From my perspective, the Microsoft Digital Defense reports are one of the most critical sources for getting a deep understanding of the current cybersecurity landscape. This year’s report is a whopping 114 pages, so I thought it would be useful to pull out the key takeaways and recommended actions.
This is the 3rd annual Microsoft Digital Defense report and I think each one is an improvement on the last. The insight they provide into the entire cybersecurity landscape is fascinating. Due to the vast amount of data they are crunching, there are few companies in the world that can provide evidence of attack methods to this level.
This year’s report is broken down into the following sections:
- The State of Cybercrime
- Nation State Threats
- Device & Infrastructure
- Cyber Influence Operations
- Cyber Resilience
This summary is focussed on sections 1, 3 and 5, relevant to Enterprise Cybersecurity Leaders.
The State Of Cybercrime
Cybercriminals are getting extremely organised and sophisticated in the way they operate. This has now created a huge cybercriminal ecosystem where different groups are becoming specialists in different areas of a full attack cycle. It has been known for years that cybercriminals operate their organisations just like a business. However, this evolution of specialism means that the cybercriminals are becoming experts in their chosen field, which in turn means the level of sophistication is increasing rapidly.
For example a typical ransomware attack will involve the following specialist groups:
- Operators – who use the RaaS
- Ransomware as a Service (RaaS) platform such as Conti, REvil
- Affiliates – who move laterally in the network, persist on systems, and exfiltrate data
- Access brokers – they sell network access and credentials to other Cybercriminals
Having different specialists working on part of the attack makes it far more challenging to pinpoint the individuals and stop them.
*Copyright the Microsoft Digital Defense Report 2022.
Industrialised Revolution Of Cybercrime
Cybercrime is becoming a huge criminal industry and has created a huge range of “Cybercrime as a Service” services. The number of “services” that cybercriminals are offering is broad, such as:
- Compromised credentials for sale
- Phishing as a service (PhaaS)
- Homoglyph domain creation
Compromised credentials for sale
The details of this are staggering. For example, you can purchase compromised accounts from specific locations, industries and job roles, such as CFOs from medical companies, just as if you were purchasing a list of prospect contacts from a legitimate data provider. These lists of compromised credentials are even broken down into different services, such as 365, VPNs, RDP, SSH or cPanel.
You can order a full DDoS service from a DDoS subscription service for as little as $500 a year, which includes a 24×7 support service!
Phishing as a Service (PhaaS)
PhaaS is another example of a full end-to-end cybercrime service which is available on a subscription model. This includes an array of phishing email templates, email addresses to target and even the landing page of the phish hosted for you.
Homoglyph domain creation
Another interesting service they offer is homoglyph domains, which are domain names that look very similar to your target. You can order these from the CaaS with cryptocurrency. You have probably even seen these in phishing attacks you have been targeted by.
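One way a defender can screen sender or link domains for the look-alikes described above, as an added example that is not from the report or from ThreatAware. The confusable-character table is a small constructed subset, and the domain names are made up.

```python
import unicodedata

# Small illustrative subset of look-alike characters (assumption); a production
# check would load the full Unicode confusables data (UTS #39).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s",
    "\u0131": "i",                                               # dotless i
    "0": "o", "1": "l",                                          # digits
}
SEQUENCES = (("rn", "m"), ("vv", "w"))  # letter pairs that read as one letter


def decode_label(label):
    """Turn an IDNA 'xn--' label back into Unicode so it can be inspected."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return label


def skeleton(domain):
    """Reduce a domain to the ASCII form a reader would perceive."""
    labels = domain.strip().strip(".").lower().split(".")
    text = ".".join(decode_label(label) for label in labels)
    text = unicodedata.normalize("NFKC", text).lower()
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    for pair, single in SEQUENCES:
        text = text.replace(pair, single)
    return text


def find_lookalikes(observed, protected):
    """Return (observed, protected) pairs that look alike but are not equal."""
    hits = []
    for candidate in observed:
        for real in protected:
            same = candidate.strip().strip(".").lower() == real.lower()
            if not same and skeleton(candidate) == skeleton(real):
                hits.append((candidate, real))
    return hits


# Constructed sample: sender domains as they might appear in a mail gateway log.
PROTECTED = ["contoso.com"]
OBSERVED = ["contoso.com", "c0ntoso.com", "c\u043entoso.com", "fabrikam.com",
            "xn--" + "c\u043entoso".encode("punycode").decode("ascii") + ".com"]
```

`find_lookalikes(OBSERVED, PROTECTED)` flags the zero-for-o, Cyrillic and punycode variants and leaves the genuine and unrelated domains alone.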
This industrialisation of cybercrime means that the barrier to entry is lower than ever. As long as someone has a motive and some cryptocurrency, they can now start a very advanced hacking campaign all bundled up in a single monthly subscription. The diagram below shows how simple it is to conduct an advanced Phishing campaign by using PhaaS.
*Copyright the Microsoft Digital Defense Report 2022
Industrialised Revolution Of Cybercrime
The ease with which ransomware attacks can be started by operators purchasing these Cybercrime services means that the number of total attacks, and in turn successful attacks, is on the rise. To increase the success level of each attack, people take decisions at each stage of the attack; Microsoft have termed this activity “Human operated ransomware”. You can see how successful these attacks are: this looks very much like a Sales Pipeline for hackers! A prospect list of 2,500 filtered through to a single successful attack.
There are two phases to a Human Operated Ransomware attack, the “Pre-Ransomware” and “Deployment”. The Pre-Ransomware stage can last from a couple of days to a few months. The goal of this stage is to understand the network, establish the critical systems, find some valuable data and prep everything so that when the ransomware hits, it causes maximum disruption. This will include activities like stealing some valuable data for extortion and finally disabling & deleting backups.
Once the environment is prepared, the deployment of ransomware will happen which only lasts a few minutes but the disruption caused is likely to have an impact lasting months, if not years.
Details of Environments That Are Typically Compromised
Following a successful ransomware attack, Microsoft are often called to assist with the investigation and the clean-up operation. Microsoft have collated details about the typical state of an environment that is breached. These are the main factors that allow attackers to be successful:
- Ineffective security controls
- Weak identity controls
- Poor data protection strategy
Ineffective Security Controls
These are standard security control issues, such as a flawed or non-existent patching procedure, misconfiguration of security tools, not having EDR successfully deployed on all endpoints, and not having a single view of the multi-cloud environments they are responsible for.
Weak Identity Controls
Examples of these weaknesses are not:
- Enabling best practices on AzureAD
- Enforcing MFA, especially on privileged accounts
- Having dedicated privileged access workstations
- Implementing Privileged Access Management & Privileged Endpoint Management
Poor Data Protection Strategy
Critical items like Active Directory were not even backed up. Additionally there was no Data Loss Prevention strategy or tools in place, which meant that sensitive data was extracted before the ransomware was deployed.
Rise In Phishing Attacks
Phishing attacks which are specifically designed to steal your credentials are on the rise. Microsoft are doing what they can by blocking 710 million phishing emails a week. However, many continue to get through defences, and once they are clicked on, the average time for an attacker to access private data is 1 hour and 12 minutes. Once a device has been compromised it takes under 2 hours before the attacker has managed to laterally move throughout the network.
This rise in phishing attacks is naturally resulting in more Business Email Compromise (BEC). The usual defences are needed to prevent this rise in successful attacks, but unfortunately they are not being adopted quickly enough. These are:
- MFA on all accounts
- Enable conditional access rules for highly privileged accounts, such as limited to home country
- Implement phishing simulations
Cybercriminal Abuse Of Infrastructure
Internet Gateways used as a Command & Control
Internet routers, especially at home, are being taken over by cybercriminals to be used as a part of a botnet. Scans are initiated by cybercriminals to find vulnerable routers that are exposed to the internet. Once the device has been compromised the attacker can then focus their efforts on local computers on the network.
Through observing SSL certificates traced back to Command & Control, Microsoft have been able to establish that MikroTik, Ubiquiti and LigoWave routers are all being used as a reverse proxy for specifically designed malware which is running on the compromised computer.
Business VMs to be used as criminal infrastructure
Cyber criminals are conscious of their costs, therefore instead of using their own computers they hack into an organisation and take over their Cloud virtual platform, such as Azure & AWS. Once in the environment they quickly spin up virtual servers using prepared scripts. They may create thousands of servers to start cryptocurrency mining and to run large scale email spam attacks, phishing attacks and malicious websites. All this activity of course creates a huge bill for the legitimate organisation that was broken into.
Great cyber hygiene from both a device and user perspective is critical to protect computers, and is vital for all remote workers, who are likely to be protected by a low grade router. In regards to Cloud environments it is crucial to have strong identity controls and to follow best practice when configuring Cloud environments.
Cyber resilience has become a term due to the realisation that cyber attacks are becoming commonplace in modern business. In fact they are now so prevalent that if you are in business for long enough, it is predicted you will suffer a breach. In the same way that any Enterprise will have a Business Continuity plan, and perform regular disaster recovery simulations, simulated cyber attacks are already becoming the norm.
When you view cybersecurity through this lens, it demonstrates how important it is to be cyber resilient. Microsoft describe it as:
A CRUCIAL FOUNDATION OF A CONNECTED SOCIETY.
Cyber resiliency requires a holistic, adaptive, and global approach that can withstand evolving threats to core services and infrastructure.
Looking at this chart showing the key issues that impact cyber resilience, I would like to point out the criticalness of these basics in particular being missed:
- Limited use of MFA throughout organisations
- Lack of patch management
- Gaps in security monitoring coverage and integration
Microsoft do a fantastic job of explaining these problems in simple terms with clear actions:
Basic security configurations need to be switched on
Microsoft report that basic security posture is a determining factor in advanced solution effectiveness. One of the critical issues that Microsoft pinpoint is that Endpoint Detection & Response only works if the agent has been installed during the build and then continually checked to be functioning.
Focus on best practices in security configuration
Furthermore, Microsoft’s data reveals that implementing best practices in security configuration is a greater indicator of resilience than how quickly the SOC respond to incidents.
This is logical, because your SOC are going to be responding to incidents, i.e. some form of breach has already occurred. Therefore, if you are tracking your cyber resilience by how quickly your SOC responds, you are never going to improve it. Focusing on your security configuration, by contrast, will help towards preventing a breach occurring in the first place, therefore improving your cyber resilience.
Risk posed by unknown devices
In terms of Cyber Asset Management, ThreatAware acknowledge that unknown devices are the first critical challenge that needs to be addressed. Microsoft also recognise the huge risk that unknown devices pose, as they don’t have an EDR installed but might have access to enterprise resources or even to high value assets. Even if devices are not supported by an EDR agent, the organisation should at least be aware of their existence and act to protect them by assessing vulnerabilities, as well as restricting network access. This is a huge problem globally; in fact Microsoft cite that on average enterprises have 3,500 unknown devices that are not protected by an EDR.
3,500 AVERAGE NUMBER OF CONNECTED DEVICES IN AN ENTERPRISE THAT ARE NOT PROTECTED BY AN ENDPOINT DETECTION AND RESPONSE AGENT.
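The two checks discussed above (is the EDR agent still functioning, and which devices touching enterprise resources have no agent at all) can be run as a reconciliation between the EDR console export and the other tools that see devices. This is an added example, not ThreatAware's or Microsoft's code; the source names, hostnames and the seven-day staleness threshold are assumptions.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=7)  # assumption: a week without check-in = agent not functioning


def short_name(host):
    """Tools disagree on case and domain suffix, so compare the short hostname."""
    return host.strip().lower().split(".")[0]


def edr_coverage(sightings, edr_heartbeats, now):
    """sightings: (hostname, source) pairs from tools that see devices using
    enterprise resources; edr_heartbeats: {hostname: last agent check-in}."""
    agents = {short_name(h): ts for h, ts in edr_heartbeats.items()}
    sources = {}
    for host, source in sightings:
        sources.setdefault(short_name(host), set()).add(source)

    report = {"no_agent": [], "stale_agent": [], "healthy": []}
    for host in sorted(sources):
        last_seen = agents.get(host)
        if last_seen is None:
            # Seen on the network or signing in, but unknown to the EDR console.
            report["no_agent"].append((host, sorted(sources[host])))
        elif now - last_seen > STALE_AFTER:
            # Agent was installed once but has stopped reporting.
            report["stale_agent"].append((host, (now - last_seen).days))
        else:
            report["healthy"].append(host)
    return report


# Constructed sample exports; hostnames and source names are made up.
NOW = datetime(2022, 11, 30, 12, 0, tzinfo=timezone.utc)
SIGHTINGS = [
    ("LAPTOP-017.corp.example", "identity-provider"),
    ("laptop-017", "dhcp"),
    ("srv-build-02", "dhcp"),
    ("SRV-BUILD-02.corp.example", "vpn"),
    ("kiosk-lobby", "dhcp"),
    ("laptop-044", "identity-provider"),
]
EDR_HEARTBEATS = {
    "laptop-017": NOW - timedelta(hours=3),
    "LAPTOP-044": NOW - timedelta(days=23),
}

if __name__ == "__main__":
    for state, hosts in edr_coverage(SIGHTINGS, EDR_HEARTBEATS, NOW).items():
        print(state, hosts)
```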
A new threat has been identified, which is where a cyber criminal directs a victim to a fake Microsoft 365 sign-in page and deploys a specialised piece of malware. The page steals the credentials and the malware steals the MFA token. These are both “replayed” on the criminal’s environment and they break into the account. This is why the attack is being termed “token replay”.
Due to people not paying attention to MFA requests, they are clicking on MFA requests without double checking if they are actually linked to their sign in request.
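A detection sketch for the token replay described above, added here as an example and not taken from the report: it flags a session whose token is later presented by a different client than the one that signed in. The record fields and values are constructed, and the first event of each session is assumed to be the genuine sign-in.

```python
# Constructed sign-in records; the field names are assumptions, not a real log schema.
EVENTS = [
    {"time": "2022-11-01T09:00:05Z", "user": "cfo@contoso.example", "session": "s-1001",
     "ip": "198.51.100.10", "agent": "Edge/107 Windows"},
    {"time": "2022-11-01T09:20:41Z", "user": "cfo@contoso.example", "session": "s-1001",
     "ip": "198.51.100.10", "agent": "Edge/107 Windows"},
    {"time": "2022-11-01T09:31:00Z", "user": "analyst@contoso.example", "session": "s-2002",
     "ip": "192.0.2.5", "agent": "Chrome/107 macOS"},
    {"time": "2022-11-01T10:12:17Z", "user": "cfo@contoso.example", "session": "s-1001",
     "ip": "203.0.113.77", "agent": "Firefox/106 Linux"},
    {"time": "2022-11-01T10:13:02Z", "user": "cfo@contoso.example", "session": "s-1001",
     "ip": "203.0.113.77", "agent": "Firefox/106 Linux"},
    {"time": "2022-11-01T11:02:30Z", "user": "analyst@contoso.example", "session": "s-2002",
     "ip": "192.0.2.5", "agent": "Chrome/107 macOS"},
]


def find_token_replay(events):
    """Flag sessions whose token is later presented by a different client
    (IP address and user agent) than the one that established the session."""
    origin = {}       # session id -> client seen at the first event of the session
    reported = set()  # (session, client) pairs already alerted on
    alerts = []
    # Timestamps share one ISO 8601 UTC format, so string order is time order.
    for ev in sorted(events, key=lambda e: e["time"]):
        client = (ev["ip"], ev["agent"])
        first = origin.setdefault(ev["session"], client)
        if client != first and (ev["session"], client) not in reported:
            reported.add((ev["session"], client))
            alerts.append({
                "user": ev["user"], "session": ev["session"],
                "origin_ip": first[0], "replay_ip": ev["ip"],
                "first_seen": ev["time"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_token_replay(EVENTS):
        print(alert)
```

Roaming users legitimately change IP address, so a hit is a signal to review alongside device and location data rather than proof of compromise.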
The age-old issue of patches not getting rolled out quickly enough is as prevalent as ever and is leaving millions of devices exposed to vulnerabilities. The best way to resolve this is to have a dedicated patching solution, that also handles 3rd party software along with regularly uninstalling unused applications.
Integrating Business, Security, And IT For Greater Resilience
As with everything in business, culture is the thing that drives change and culture is formed from the top. This is why Microsoft suggest that business owners are the best people to be ultimately responsible for cybersecurity. Business leaders need to align with security leaders to ensure that the security projects are given the correct priority, resource and budget.
From an organisational perspective, security leaders should ensure the following always happens:
- Security should always be built into all new initiatives. It is far cheaper to involve security at the start instead of trying to shoehorn it in at a later date.
- Security maintenance windows should be standard practice, to ensure that security patches, updates and configuration changes are rolled out on schedule every month.
- The identification of critical business assets is performed regularly.
- Cybersecurity business continuity and disaster recovery tests are conducted at least annually. Ideally though these are conducted quarterly, as the more you drill these the less stressful and therefore more rapid the recovery will be.
- The security leaders should push towards the business owners being accountable for security.
The Cyber Resilience Bell Curve
I always feel that this last page of this entire report should be the first, as it seems the most critical. From all the evidence that Microsoft have gathered they suggest all businesses, regardless of industry, should do the following:
- Enable MFA on all accounts.
- Ensure users and devices are in a good state before allowing access to resources.
- Use least privilege access—only allow the privilege that is needed for access to a resource and no more.
- Assume breach—assume system defenses have been breached and systems might be. This means constantly monitoring the environment for possible attacks.
- Use extended detection and response anti-malware: Implement software to detect and automatically block attacks and provide insights to the security operations. Monitoring insights from threat detection systems is essential to being able to respond to threats in a timely fashion.
- Keep up to date: Unpatched and out of date systems are a key reason many organizations fall victim to an attack. Ensure all systems are kept up to date including firmware, the operating system and applications.
- Protect data: Knowing your important data, where it is located and whether the right systems are implemented is crucial to implementing the appropriate protection.
Criminals are making fortunes from their cybercrime activities. Their ability to adapt and scale out their operations is on par with a high performing business. This is creating an army of cybercriminal operators who are conducting large scale human operated ransomware attacks, amongst other malicious activity.
What the Microsoft report proves is that by focusing on your Identity and Endpoint controls you can keep your business cyber resilient against today’s and tomorrow’s threats.
Please get in touch if you want to find out more about how ThreatAware can help with this critical part of your cyber resilience.