Microsoft Digital Defense Report
CalChamber Cybersecurity Webinar
JJ Jones, Senior Corporate Counsel
OCTOBER 2021
Microsoft security signals
Volume and diversity of signals processed by Microsoft
Over 150 report contributors across these focus areas:
The state of cybercrime
Nation state threats
Supply chain, IOT, and OT security
Hybrid workforce security
Disinformation
Actionable insights
THE MICROSOFT DIGITAL DEFENSE REPORT DRAWS ON INSIGHTS, DATA, AND SIGNALS FROM ACROSS MICROSOFT, INCLUDING THE CLOUD, ENDPOINTS, AND THE INTELLIGENT EDGE.
The growing threat of cybercrime
• A threat to national security
• Cybercriminals attacking all sectors
• Ransomware attacks increasingly successful
• Cybercrime supply chain continues to mature
POSITIVE TRENDS
• Transparency: governments and companies coming forward
• Priority: new laws, task forces, resources, partnerships
The cybercrime economy and services
WITH NO TECHNICAL KNOWLEDGE OF HOW TO CONDUCT A CYBERCRIME ATTACK, AN AMATEUR THREAT ACTOR CAN PURCHASE A RANGE OF SERVICES TO CONDUCT THEIR ATTACKS WITH ONE CLICK.
What we’re seeing in ransomware data and signals
Ransomware encounter rate (machine count): Enterprise customers (Defender data)
Overall increase in ransomware encounters, with a notable surge in consumer and commercial encounters in late 2019, when RaaS started to grow, and in early 2020 at the onset of the COVID-19 pandemic.
DART ransomware engagements by industry (July 2020-June 2021)
Deploy ransomware protection
The stakes have changed. There is a massive growth trajectory for ransomware and extortion.
Moving toward a hybrid workforce at Microsoft
Global pre-COVID onsite work and the rapid move to remote work, followed by gradual return
Global weekly unique badge scans (January – August 2021)
Zero Trust across the digital estate
VISIBILITY · AUTOMATION · ORCHESTRATION
The basics matter
LOOKING BACK AT THIS YEAR:
Email compromise is a continuing threat vector. Cybercriminals use malware posing as a legitimate software update to target unsuspecting employees. Adversaries are targeting organizations' on-premises systems, reinforcing the need to move infrastructure to the cloud, where defenses are more difficult to penetrate.
Key takeaway: If compromised organizations had applied basic security hygiene like patching, applying updates, or turning on MFA, they may have been spared or less impacted.
ORGANIZATIONS THAT DO NOT APPLY OR MAINTAIN THESE BASIC HYGIENE PRACTICES WILL FACE MUCH GREATER EXPOSURE TO ATTACKS.
Disinformation as an emerging threat
Widely used consumer platforms and services now provide state and non-state actors with powerful channels for distributing disinformation.
Mapping the problem
These methods are injecting new powers of persuasion into disinformation campaigns.
Disinformation as an enterprise disruptor
• Disinformation has made its way into enterprise workflows that are dependent on data collection, aggregation, and distribution practices.
• Enterprise signals and data could be compromised through security vulnerabilities or attacks and infused with disinformation.
• Situational intelligence could be supplanted with disinformation or nuanced in ways to generate bias or create doubt in the minds of decision makers.
Four-point plan for enterprise executives
1. Catalog enterprise exposures to disruption, manipulation, and disinformation.
2. Assess the impact of manipulation or disinformation.
3. Quantify the consequences of disruption.
4. Assess privacy implications of disruption.
CHAPTER 3
Nation state threats
Tracking nation state threats
What we’re seeing
Analysis of nation state activity this year
Private sector offensive actors
Comprehensive protections required
NATION STATE ACTORS TRY TO MEET GOVERNMENT OBJECTIVES –SURVEILLANCE, INFORMATION COLLECTION, DESTRUCTION, AND OTHER ACTIONS.
Key themes and takeaways
• Despite the world’s attention on attacks coming from Russia and China, those states continue to pursue intelligence objectives.
• Digital transformation and the cloud are key to combating nation state attackers – fighting on-premises attacks is hand-to-hand combat.
•Government leadership and partnership is continuing to grow, showing important progress.
LOOKING BACK AT NATION STATES THIS YEAR:
Attackers increase use of deception to pursue national objectives
• Focused efforts on exposing security vulnerabilities in the supply chain.
• Targeted government agencies, IGOs, NGOs, and think tanks for espionage or surveillance.
• Increased reliance on remote work infrastructure gave malicious actors new vectors to target private networks.
NATION STATE ACTORS APPEAR TO BE INCREASING THE SCALE AND VOLUME OF ATTACKS TO EVADE DETECTION.
Countering nation state activity
5-PRONGED APPROACH
Tracking and reporting nation state threats
•Nation state notifications (NSNs) are sent to customers and individuals targeted or compromised
• Data in the Nation State chapter is based on NSNs sent
• Information comes from Microsoft cloud services
Empower customers
Leverage technology
Take technical action against malicious operations
Pursue legal action: Digital Crimes Unit
Inform public disclosure and policy
A sample of what we’re seeing globally
July 2020-June 2021
Most targeted countries
Most targeted sectors
Most active nation state activity groups
Russia analysis: Activity and motivations
• NOBELIUM and abuse of supply chain and other trusted technical relationships
• A range of techniques to evade detection and attribution
• Higher rates of compromise achieved and more government organizations targeted
• Seeking intelligence on the United States and Europe
China analysis: Activity and motivations
• HAFNIUM and the Exchange vulnerabilities
• More 0-days and other exploitation of vulnerabilities
• Worldwide intelligence collection operation
China (continued)
China: Top five targeted industries/sectors
China: Target attempts vs successful compromise
HAFNIUM: Top targeted industries/verticals (Prior to the increase in Exchange Server exploitation)
July 2020-June 2021
The most prevalent targets of China-based threat activity were government entities worldwide. The targeting of three countries’ government entities accounted for half of the NSNs issued and 23 countries accounted for the remaining half.
Chinese nation state threat actors were successful in compromising victims 44% of the time. However, because they are an advanced persistent threat, if they are tasked to target an entity for intelligence collection, they will find another vulnerability to leverage to gain access.
In early March 2021, Microsoft blogged about HAFNIUM for the first time related to the detection of multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server. HAFNIUM, based on observed victimology, tactics, and procedures, primarily targets entities in the United States across a number of industry sectors.
Iran analysis: Activity and motivations
Focused on Israel with new attack tools amid broader escalation
A wait-and-see approach toward the United States likely serves two purposes
Iran: Most targeted countries (July 2020–June 2021)
Iran: Flow of a typical PHOSPHORUS compromise from spear phish
Conferences, conventions, and trade shows are widely known throughout industry and the US government as a hotbed of intelligence collection activities, both by domestic competitive intelligence and foreign adversaries.
North Korea analysis: Activity and motivations
• Vast appetite for intelligence
• New type of cyberattack created in global pandemic
• Nation state Bitcoin theft
• Sophisticated social engineering targeting security researchers
Vietnam
• BISMUTH utilized cryptocurrency miners to target private sector and government institutions in France and Vietnam.
• Carefully planned attacks, conducting reconnaissance before creating uniquely crafted spear-phishing emails.
• Once it compromised networks, BISMUTH sought to achieve continuous monitoring.
Turkey
• SILICON pursues intelligence collection for strategic Turkish interests from a variety of countries, primarily in the Middle East and the Balkans.
• Reconnaissance indicates heavy focus on countries of strategic interest to Turkey including Armenia, Cyprus, Greece, Iraq, and Syria.
• Regularly target telecommunication and IT companies, likely to establish a foothold upstream of their desired target.
Additional Information
Defending against nation state threats
Protect your organization, protect yourself
Protect your Digital Estate
• Multi-factor authentication
• Defense in depth strategies
• Monitoring and logging
• Patch!
• Credential hygiene
• Assume breach
• Asset inventory
• Educate employees
• Repeat
Protect your Digital Person
• Strong passwords
• Multi-factor authentication
• Patch everything
• Use VPN services when mobile
• Change default passwords in IOT or other devices you use
• Every quarter: Back up your personal data; check your account recovery information; ensure mail forwarding is disabled
Use an Authentication App
Multifactor Authentication is essential to your personal security
Use a VPN Service on your phone
Sets a secure connection from the network you are on to a network you’re trying to reach
Look for a well-known VPN provider that respects security
Helps protect your personal communications on mobile devices
Very important when traveling
Mail Forwarding Rules – Important!
Mail Forwarding
• Go into Settings in Hotmail / Outlook
• Select “View all Outlook settings”
• Select “Forwarding”
• Note: If you have MFA enabled, you will need to approve it
• If the “Enable Forwarding” box is checked, you’ve been compromised and the actor is receiving your emails. Uncheck it.
• Check every month to make sure the attacker hasn’t returned.
Mail Forwarding in Office 365
For enterprise users:
• Admins can disable forwarding for the organization or allow it to be automatically controlled by the service.
• If it is allowed, have admins review the need on a quarterly basis and enforce password resets regularly with users who have forwarded accounts.
• Disable accounts where forwarding is no longer essential.
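As an added example (not from the report or the webinar slides), the following Exchange Online PowerShell audit implements the admin review described above: it lists mailboxes with mailbox-level forwarding, lists inbox rules that forward or redirect mail, and shows the tenant-wide auto-forwarding control. It assumes the ExchangeOnlineManagement module and an Exchange administrator account; the CSV file names are arbitrary.

```powershell
# Added example, not Microsoft's own script. Assumes the ExchangeOnlineManagement
# module is installed and the account used has Exchange administrator rights
# (expect an MFA prompt on connect).
Connect-ExchangeOnline

# 1. Mailbox-level forwarding, whether set by an admin or through Outlook settings.
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxForwarding = $mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect. These are the rules a compromised
#    account is typically left with, so disabled rules are kept in the review too.
$ruleForwarding = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

# Export both lists for the quarterly review; file names are arbitrary.
$mailboxForwarding | Export-Csv -Path .\mailbox-forwarding.csv -NoTypeInformation
$ruleForwarding    | Export-Csv -Path .\inboxrule-forwarding.csv -NoTypeInformation

# 3. Tenant-wide control in the default outbound spam policy. AutoForwardingMode is
#    Automatic (service-controlled), On, or Off. -WhatIf previews the change;
#    remove it once the organization has decided to block automatic forwarding.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off -WhatIf
```

Mailboxes that appear in either CSV are the ones to confirm with their owners and, where forwarding is no longer essential, to clean up and reset as the slide recommends.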
Social Media Abuse: Which one is Fake?
Final Thoughts
Wrap Up
Get cloudy. Microsoft’s cloud technology, when coupled with smart cybersecurity practices, provides strong protection against nation state attacks.
Don’t overlook the basics.
• Russia and Iran are actively using password spray tactics right now – strong passwords and MFA matter a lot!
• China will take advantage of unpatched systems or web bugs to be able to leverage information later.
Stay vigilant. There’s a reason these groups are called advanced persistent threats. Apply defense in depth principles to your enterprise and your digital person.
View the full report: https://aka.ms/MDDR
See interactive report highlights: https://www.Microsoft.com/en-us/securitynow
Thank you
Emerging Trends Since Shift to Remote Work
o Fairly steady state of nation-state attacks
• With Covid, we saw targeted/direct attacks to compromise organizations or personal email of individuals tied to international response efforts or research on Covid.
o Malware/phishing emails modifying their tactics and COVID-themed lures/attacks
o Ransomware attacks taking advantage of unpatched VPNs
Digital Security Unit
How Orgs Can Prep for a Cybersecurity or Ransomware Event
The stakes have changed. There is a massive growth trajectory for ransomware and extortion. To help protect your organization from ransomware, we recommend that organizations:
Prepare a Recovery Plan
By making it harder to access and disrupt systems, which minimizes the monetary incentives for ransomware attackers and makes it easier to recover from an attack without paying the ransom.
Limit the Scope of Damage
By forcing the attackers to work harder to gain access to multiple business-critical systems.
Make it Harder to Get In
By following basic cybersecurity hygiene steps that make it more difficult for attackers to gain access to the network.