- By Kurt Mackie
Microsoft on Tuesday announced the release of its “Digital Defense Report,” which is described as “a reimagining” of Microsoft’s “Security Intelligence Report” (SIR).
The “Digital Defense Report” is an annual publication combining stats from a number of Microsoft’s security teams. This 88-page report isn’t as focused on reporting malware trends as the SIR. It’s more a report on cybercriminal trends over the past year. Microsoft even serves a role by coordinating with law enforcement in some cases.
“The goal of this report is to help organizations understand how cybercriminals are shifting their modes of attack and the best ways to combat those attacks,” the report stated upfront.
The report also has a section on nation-state actors, principally highlighting the actions of Russia, Iran, China and North Korea. Microsoft’s past warnings about hacking attempts on U.S. political campaigns was noted.
In general, the report appears to be aimed at the chief information security officer level, as well as general readers. It includes details regularly aired in Microsoft’s Security blog series.
Microsoft harvests more than “8 trillion security signals per day” from endpoints, the network edge and the cloud. The privacy of such data collection depends on “your privacy settings and the products and features you use,” the report stated in a footnote.
Signals harvesting was broken down into the following numbers:
- >470 billion e-mails scanned
- >600 billion documents scanned
- >18 million URLs scanned
- >4.1 billion meeting minutes delivered
- >630 billion authentication events
- >5 billion threats blocked
Phishing for Credentials
Phishing impersonation attempts in order to steal credentials were a major theme of the report. Microsoft claims its solutions blocked more than “13 billion malicious and suspicious mails.” They typically included URLs set up to enable phishing credential attacks.
“We’re seeing approximately 2 million such URL payloads being created each month for credential harvesting, orchestrated through thousands of phishing campaigns,” the report indicated.
Attackers are interested in business e-mail compromise (BEC), spoofing executive identities in e-mails to trick employees into transferring funds. They target executive, accounting and payroll e-mail accounts. It’s profitable, and a big part of criminal operations. The report cited IC3 stats to that effect: “According to the IC3, BEC complaints totaled 23,775 and accounted for losses of more than $1.7 billion — representing nearly half of all financial losses owing to cybercrime.”
The report found that “the top 10 most targeted industries for BEC attacks are accounting and consulting, wholesale distribution, IT services, real estate, education, health care, chemicals, high tech and electronics, legal services, and outsourced services.”
Cybercriminals typically send spoofed e-mails pretending they are from official sources to get users to click on malicious links. The report found that “based on our Office 365 telemetry, the top five spoofed brands are Microsoft, UPS, Amazon, Apple, and Zoom.”
Microsoft itself tests its own employees to ensure they’re not falling for phishing campaigns:
Every year, we provide more than 200,000 employees and external staff with the experience of being phished, along with prevention education and reporting guidance. We then follow up with users who were susceptible through quarterly simulations to help them better identify key indicators in the future.
As detection techniques have improved, cybercriminals are tending to use cloud services to conduct their attacks. Microsoft has also seen other “creative” approaches in the last year:
Over the last year, we saw interesting techniques used for launching attacks. We saw cybercriminals using poisoned search results and legitimate URLs that linked to those searches to deliver an attack. In another attack, we saw cybercriminals use custom 404 pages to host phishing payloads. We’ve also seen man-in-the-middle components used to present less suspicious sites to the targets and captcha and other evasion tools to hide detections.
Ransomware was the “the most common reason” why Microsoft’s Detection and Response Team (DART) got involved in incident response work “from October 2019 through July 2020.”
The report seemed to steer away from the position that organizations should pay a ransom, even if reconstructing operations would cost more than the ransom sum. It suggested that “the real damage is often done when the cybercriminal exfiltrates files for release or sale, while leaving backdoors in the network for future criminal activity — and these risks persist whether or not the ransom is paid.”
To gain a foothold to install ransomware, criminals are looking to access privileged accounts, such as the ones used by IT pros:
Cybercriminals rely on off-the-shelf tools used for systems administration or security testing and built-in tools to move from machine to machine, but they need administrative credentials, such as those of a domain administrator, to gain access. To deploy ransomware across an entire organization, cybercriminals must capture a credential and a system with the rights to do this. Domain administrator accounts are often used for their ability to utilize Active Directory policies and file shares intended for software distribution to maliciously deploy devastating ransomware payloads.
Patch Those VPNs
The shift toward supporting remote workers has made virtual private networks (VPNs) a more sensitive area, both in terms of an attack route and in terms of network bandwidth issues. VPNs can be subject to distributed denial-of-service attacks, for instance. Microsoft recommends split tunneling to deal with the bandwidth issues, where Microsoft’s patch traffic becomes a trusted source that doesn’t get funneled through the VPN.
Keeping VPNs properly patched is another problematic trend Microsoft has been seeing:
As the world adjusts to increased numbers of remote workers, global enterprise IT departments rely on VPNs to improve the connectivity and security of systems. Typically, this critical service is managed by third-party software deployed across our devices. Since mid-2019, Microsoft has observed nation state actors consistently targeting and frequently compromising outdated and unpatched VPN infrastructure. This activity indicates they view it as an easy and effective method for penetrating and persisting on a targeted network by using compromised credentials.
Microsoft’s Security Recommendations
The report includes an “Actionable Learnings” section at the end. Microsoft is recommending that organizations turn on multifactor authentication (MFA), which adds a secondary identity verification scheme on top of a password, as a top security approach. MFA should be mandatory for IT pros managing a network, and is recommended for all end users.
“The preferred method is to use an authenticator app rather than SMS or voice where possible,” the report advised regarding the secondary identity verification method.
Microsoft is also recommending using identity verification approaches that don’t rely on a password, such as “face authentication, fingerprints or a PIN code.”
Organizations should have e-mail systems that check for malicious links, according to the report.
Systems should be kept up to date with the latest patches, including VPNs. “Ransomware operators and nation state actors have found network devices like gateway and VPN appliances to be a practical target for intrusion,” the report warned.
Network misconfigurations are another attack route. Microsoft recommends having a “robust change management program” to ensure that changes don’t open up attack vectors. IT pros should segment systems containing sensitive data to better protect against attacks.
IT pros also have solutions to manage “cross-cloud security.” Developers should follow a secure development lifecycle. The practice of least-privilege access should be followed for personnel. Microsoft also advocates for zero-trust practices, where “every request is fully authenticated, authorized, and encrypted before granting access.”
Organizations should have a backup capability in place. Microsoft recommended following the “3-2-1 rule” in that respect. “Apply the 3-2-1 rule for maximum protection and availability: 3 copies, original + 2 backups, 2 storage types, and 1 offsite or cold copy,” the report stated.
Much more advice from Microsoft can be found in the full report, which can be downloaded here.