Attack surface Archives | Security Insider
http://approjects.co.za/?big=en-us/security/business/security-insider/tag/external-attack-surface/
Feed updated: Fri, 29 Mar 2024 23:09:30 +0000

Basic cyber hygiene prevents 99% of attacks
http://approjects.co.za/?big=en-us/security/business/security-insider/threat-briefs/cyber-resilience-hygiene-guide/
Thu, 31 Aug 2023 15:25:30 +0000

In today’s digital age, companies are increasingly reliant on technology and online systems to conduct their business. As a result, meeting the minimum standards for cyber hygiene is essential for protecting against cyber threats, minimizing risk, and ensuring the ongoing viability of the business.

Basic security hygiene still protects against 99% of attacks.1

[Image: cyber hygiene bell curve graphic, 2022 Microsoft Digital Defense Report (MDDR)]

The minimum standards every organization should adopt are:

  • Enable multifactor authentication (MFA)
  • Apply Zero Trust principles
  • Use extended detection and response and anti-malware
  • Keep systems up to date
  • Protect data

1. Enable multifactor authentication (MFA)

Want to reduce attacks on your accounts? Turn on MFA. Multifactor authentication, as its name suggests, requires two or more factors of verification. Compromising more than one authentication factor presents a significant challenge for attackers because knowing (or cracking) a password won’t be enough to gain access to a system. With MFA enabled, you can prevent 99.9% of attacks on your accounts.2

Making MFA much, much easier

Although extra steps are part of the name, choose the MFA option with the least friction for your employees, such as biometrics built into devices or FIDO2-compliant factors like Feitian or Yubico security keys.

Avoid making MFA onerous.

Choose MFA when extra authentication can help protect sensitive data and critical systems rather than applying it to every single interaction.

MFA does not have to be challenging for the end user. Use conditional access policies, which trigger two-step verification based on risk detections, together with pass-through authentication and single sign-on (SSO). This way end users don’t have to endure multiple sign-on sequences to access non-critical file shares or calendars on the corporate network when their devices are current with the latest software updates. Users also won’t face 90-day password resets, which significantly improves their experience.
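The risk-based policy described above, written out as an added example (this is illustrative code, not Microsoft’s conditional access engine or any product API): a sign-in carries the signals the text names (sign-in risk, device compliance, resource sensitivity, factors already satisfied), and an ordered rule set decides whether to allow silently, step up to MFA, or block. The `SignIn`, `Decision` and `evaluate` names, the risk levels and the set of methods treated as phishing-resistant are all assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Risk(Enum):
    """Sign-in risk as produced by an assumed risk-detection engine."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2


# Methods treated as phishing-resistant; once one is satisfied no further prompt is needed.
# Assumed label set for this example.
PHISHING_RESISTANT = {"fido2", "platform_biometric"}


@dataclass(frozen=True)
class SignIn:
    user: str
    resource: str
    resource_critical: bool    # from an assumed resource classification
    device_compliant: bool     # managed and current with software updates
    sign_in_risk: Risk
    auth_methods: frozenset    # factors already satisfied in this SSO session


@dataclass(frozen=True)
class Decision:
    action: str   # "allow" | "require_mfa" | "block"
    reason: str


def evaluate(s: SignIn) -> Decision:
    """Ordered policy evaluation: the first matching rule decides.

    The ordering is the point: risk signals are checked before resource
    sensitivity, and a compliant device on a non-critical resource falls
    through to a silent allow, so users are not prompted for calendars or
    ordinary file shares.
    """
    strong = bool(s.auth_methods & PHISHING_RESISTANT)
    has_mfa = strong or len(s.auth_methods) >= 2

    if s.sign_in_risk is Risk.HIGH:
        return Decision("block", "high sign-in risk: deny and route to the identity team")
    if s.sign_in_risk is Risk.MEDIUM and not strong:
        return Decision("require_mfa", "medium sign-in risk: step up to a second factor")
    if s.resource_critical and not has_mfa:
        return Decision("require_mfa", f"{s.resource} is critical: MFA required")
    if not s.device_compliant and not has_mfa:
        return Decision("require_mfa", "unmanaged or out-of-date device: MFA required")
    return Decision("allow", "low risk, compliant device, non-critical resource: no extra prompt")


# Constructed sign-ins covering each branch of the policy.
SAMPLE_SIGNINS = [
    SignIn("jdoe", "calendar", False, True, Risk.LOW, frozenset({"password"})),
    SignIn("jdoe", "hr-payroll", True, True, Risk.LOW, frozenset({"password"})),
    SignIn("jdoe", "hr-payroll", True, True, Risk.LOW, frozenset({"fido2"})),
    SignIn("jdoe", "fileshare", False, False, Risk.LOW, frozenset({"password"})),
    SignIn("jdoe", "calendar", False, True, Risk.MEDIUM, frozenset({"password", "totp"})),
    SignIn("jdoe", "calendar", False, True, Risk.HIGH, frozenset({"fido2"})),
]


def demo():
    """Return (resource, action) for each sample sign-in."""
    return [(s.resource, evaluate(s).action) for s in SAMPLE_SIGNINS]


if __name__ == "__main__":
    for s in SAMPLE_SIGNINS:
        d = evaluate(s)
        print(f"{s.resource:<11} risk={s.sign_in_risk.name:<6} -> {d.action:<11} ({d.reason})")
```

Note that a medium-risk sign-in already backed by a FIDO2 key is not prompted again, while one backed by password plus TOTP is; that is the practical meaning of preferring phishing-resistant factors.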

Common phishing attacks

In a phishing attack, criminals use social engineering tactics to trick users into providing access credentials or revealing sensitive information. Common phishing attacks include:

[Image: common phishing attacks: email phishing, content injection, link manipulation, spear phishing, and man-in-the-middle]

Additional resources

If you’d like to learn more about the topic of password and identity, please take a look at the Microsoft resources below.

2. Applying Zero Trust principles

Zero Trust is the cornerstone of any resilience plan, limiting the impact of an attack on an organization. A Zero Trust model is a proactive, integrated approach to security across all layers of the digital estate that explicitly and continuously verifies every transaction; asserts least-privilege access; and relies on intelligence, advanced detection, and real-time response to threats.

When you adopt a Zero Trust approach, it becomes possible to:

  • Support remote and hybrid work
  • Help prevent or reduce business damage from a breach
  • Identify and help protect sensitive business data and identities
  • Build confidence in your security posture and programs across your leadership team, employees, partners, stakeholders, and customers

The Zero Trust principles are:

Assume breach
Assume attackers can and will successfully attack anything (identity, network, device, app, infrastructure, etc.) and plan accordingly. This means constantly monitoring the environment for possible attack.

Explicitly verify
Ensure users and devices are in a good state before allowing access to resources. Protect assets against attacker control by ensuring that every trust and security decision uses all relevant available information and telemetry.

Use least privilege access
Limit the access of a potentially compromised asset with just-in-time and just-enough-access (JIT/JEA) and risk-based policies like adaptive access control. Allow only the privilege needed to access a resource and no more.

[Image: Zero Trust security layers]

There’s such a thing as too much security

Too much security—that is, security that feels overly restrictive to the everyday user—can lead to the same outcome as not having enough security in the first place—more risk.

Strict security processes can make it hard for people to do their job. Worse, they can inspire people to find creative shadow-IT–style workarounds, motivating them to bypass security entirely—sometimes by using their own devices, email, and storage—and using systems that (ironically) are lower security and present a higher risk to the business.

Additional resources

If you’d like to learn more about the topic of Zero Trust, please take a look at the resources below.

3. Using extended detection and response and anti-malware

Implement software that detects and automatically blocks attacks and provides insights to the security operations team.

Monitoring insights from threat detection systems is essential to being able to respond to threats in a timely fashion.

Security automation and orchestration best practices

Move as much of the work as possible to your detectors
Select and deploy sensors that automate, correlate, and interlink their findings prior to sending them to an analyst.


Automate alert collection
The security operations analyst should have everything they need to triage and respond to an alert without performing any additional information collection, such as querying systems that may or may not be offline or collecting information from additional sources such as asset management systems or network devices.


Automate alert prioritization
Real time analytics should be leveraged to prioritize events based on threat intelligence feeds, asset information, and attack indicators. Analysts and incident responders should be focused on the highest severity alerts.


Automate tasks and processes
Target common, repetitive, and time-consuming administrative processes first and standardize response procedures. Once the response is standardized, automate the security operations analyst workflow to remove any human intervention where possible so that they can focus on more critical tasks.


Continuous improvement
Monitor the key metrics and tune your sensors and workflows to drive incremental changes.
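The "automate alert collection" and "automate alert prioritization" practices above, as one added worked example (illustrative code written for this page, not Microsoft’s or any SIEM vendor’s implementation): each raw alert is enriched with asset criticality from an assumed asset-management export and a match against an assumed threat-intelligence IP list, correlated with other alerts on the same host inside a time window, and scored so the analyst’s queue is already ordered. The `Alert`, `Triaged`, `prioritize` and `correlate` names, the weights, the sample alerts and the IP addresses (documentation ranges) are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Scoring weights are assumptions; tune them against your own incident history.
SEVERITY_SCORE = {"low": 10, "medium": 30, "high": 60, "critical": 90}
CRITICALITY_WEIGHT = 15      # per asset-criticality point
IOC_BONUS = 25               # remote IP found in the threat-intel feed
CORRELATION_BONUS = 10       # per related alert on the same host (capped at 3)

# Constructed asset-management export: hostname -> business criticality (1 low .. 3 high).
ASSET_CRITICALITY = {"dc01": 3, "fileshare02": 2, "laptop-1043": 1}

# Constructed threat-intel feed (RFC 5737 documentation addresses, not real indicators).
THREAT_INTEL_IPS = {"198.51.100.23", "203.0.113.7"}


@dataclass(frozen=True)
class Alert:
    id: str
    time: datetime
    host: str
    severity: str
    description: str
    remote_ip: Optional[str] = None


@dataclass(frozen=True)
class Triaged:
    alert: Alert
    score: int
    asset_criticality: int
    ioc_match: bool
    related: tuple   # ids of other alerts on the same host inside the window


def correlate(alerts, window=timedelta(minutes=30)):
    """Map each alert id to the ids of other alerts on the same host within the window."""
    return {
        a.id: tuple(sorted(
            b.id for b in alerts
            if b.id != a.id and b.host == a.host and abs(b.time - a.time) <= window))
        for a in alerts
    }


def prioritize(alerts, assets=ASSET_CRITICALITY, intel=THREAT_INTEL_IPS,
               window=timedelta(minutes=30)):
    """Enrich, correlate and score alerts; return the queue highest-priority first."""
    related = correlate(alerts, window)
    queue = []
    for a in alerts:
        # Unknown hosts default to low criticality; a real pipeline should also
        # raise an inventory gap for them rather than silently scoring them low.
        crit = assets.get(a.host, 1)
        ioc = a.remote_ip in intel
        score = (SEVERITY_SCORE[a.severity]
                 + CRITICALITY_WEIGHT * crit
                 + (IOC_BONUS if ioc else 0)
                 + CORRELATION_BONUS * min(len(related[a.id]), 3))
        queue.append(Triaged(a, score, crit, ioc, related[a.id]))
    queue.sort(key=lambda t: (-t.score, t.alert.time))
    return queue


# Constructed alerts: a commodity beacon on a laptop, two events on a domain
# controller twenty minutes apart, and a low-severity logon burst on a file server.
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_ALERTS = [
    Alert("A1", T0, "laptop-1043", "medium", "outbound connection to flagged IP", "198.51.100.23"),
    Alert("A2", T0 + timedelta(minutes=5), "dc01", "medium", "new service installed"),
    Alert("A3", T0 + timedelta(minutes=10), "fileshare02", "low", "burst of failed logons"),
    Alert("A4", T0 + timedelta(minutes=20), "dc01", "high", "credential store access from unusual process"),
]


if __name__ == "__main__":
    for t in prioritize(SAMPLE_ALERTS):
        print(f"{t.score:>4} {t.alert.id} {t.alert.host:<12} crit={t.asset_criticality} "
              f"ioc={t.ioc_match} related={t.related} {t.alert.description}")
```

Two medium alerts end up far apart in the queue purely because of context: the one on the domain controller is lifted by asset criticality and by its correlation with the later high-severity alert on the same host, which is the information an analyst would otherwise have to go and collect by hand.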

Help prevent, detect, and respond to threats

Defend against threats across all workloads by leveraging comprehensive prevention, detection, and response capabilities with integrated extended detection and response (XDR) and security information and event management (SIEM) capabilities.

Remote access
Attackers frequently target remote access solutions (RDP, VDI, VPN, etc.) to enter an environment and run ongoing operations to damage internal resources.

To help prevent attackers from getting in, you’ll need to:

  • Maintain software and appliance updates
  • Enforce Zero Trust user and device validation
  • Configure security for third-party VPN solutions
  • Publish on-premises web apps

Email and collaboration software
Another common tactic for entering environments is to transfer malicious content with email or file sharing tools and then convince users to run it.

To help prevent attackers from getting in, you’ll need to:

  • Implement advanced email security
  • Enable attack surface reduction rules to block common attack techniques
  • Scan attachments for macro-based threats

Endpoints
Internet-exposed endpoints are a favorite entry vector because they provide attackers access to an organization’s assets.

To help prevent attackers from getting in, you’ll need to:

  • Block known threats with attack surface reduction rules that target certain software behaviors, such as launching executable files and scripts that attempt to download or run files, running obfuscated or otherwise suspicious scripts, or performing behaviors that apps don’t usually initiate during normal day-to-day work.
  • Maintain your software so that it is updated and supported
  • Isolate, disable, or retire insecure systems and protocols
  • Block unexpected traffic with host-based firewalls and network defenses

Detection and response

Maintain constant vigilance
Use integrated XDR and SIEM to provide high quality alerts and minimize friction and manual steps during response.


Batten down legacy systems
Older systems lacking security controls like antivirus and endpoint detection and response (EDR) solutions can allow attackers to perform the entire ransomware and exfiltration attack chain from a single system.

If it’s not possible to configure your security tools for the legacy system, then you must isolate the system either physically (through a firewall) or logically (by removing credential overlap with other systems).


Don’t ignore commodity malware
Classic automated ransomware may lack the sophistication of hands-on-keyboard attacks, but that doesn’t make it any less dangerous.


Watch out for adversary disabling security
Monitor your environment for adversaries disabling security controls (often a step in an attack chain), such as event log clearing, especially of the Security event log and the PowerShell Operational log, and the disabling of security tools and controls (a technique associated with some groups).
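Detection logic for the tampering signals named above, as an added example (written for this page, not Microsoft’s or any product’s detection content): it runs over a batch of constructed Windows event records in a simplified dictionary form and flags the Security audit log being cleared (Security channel, event ID 1102), other logs being cleared (System channel, event ID 104, with the cleared log named in the event data), an audit policy change (event ID 4719) and Microsoft Defender real-time protection being turned off (event ID 5001 in the Defender operational log); those event IDs are real Windows event IDs, while the record layout, the field names, the watchlist of sensitive logs and the sample records are assumptions constructed for the example. A second function groups findings by the acting account, since several such events from one account in a short batch are the "attack chain" the text describes rather than isolated noise.

```python
from collections import Counter
from dataclasses import dataclass

# Logs whose clearing is treated as high severity. Assumed watchlist; extend to taste.
SENSITIVE_LOGS = {
    "Microsoft-Windows-PowerShell/Operational",
    "Windows PowerShell",
    "Microsoft-Windows-Sysmon/Operational",
}


@dataclass(frozen=True)
class Finding:
    record_id: int
    rule: str
    severity: str
    actor: str


def detect_tampering(events):
    """Flag log clearing and security-control tampering in a batch of event records.

    Each record is a simplified dict with Channel, Provider, EventID, RecordId and
    a Data dict (an assumed flattening of the Windows event XML, not a real schema).
    """
    findings = []
    for e in events:
        eid, chan = e["EventID"], e["Channel"]
        data = e.get("Data", {})
        actor = data.get("SubjectUserName", "unknown")
        if chan == "Security" and eid == 1102:
            # "The audit log was cleared": the Security log itself was wiped.
            findings.append(Finding(e["RecordId"], "security_audit_log_cleared", "high", actor))
        elif chan == "System" and eid == 104:
            # Any other log cleared; the cleared log's name is carried in the event data.
            cleared = data.get("Channel", "?")
            sev = "high" if cleared in SENSITIVE_LOGS else "medium"
            findings.append(Finding(e["RecordId"], f"log_cleared:{cleared}", sev, actor))
        elif chan == "Security" and eid == 4719:
            # Audit policy changed: can silence the very events a SOC depends on.
            findings.append(Finding(e["RecordId"], "audit_policy_changed", "medium", actor))
        elif e["Provider"] == "Microsoft-Windows-Windows Defender" and eid == 5001:
            findings.append(Finding(e["RecordId"], "defender_realtime_protection_disabled", "high", actor))
    return findings


def findings_by_actor(findings):
    """Count findings per acting account; several from one account signal a chain."""
    return Counter(f.actor for f in findings)


# Constructed sample batch: one benign logon, then a sequence of tampering events
# mostly attributed to the same service account.
SAMPLE_EVENTS = [
    {"RecordId": 101, "Channel": "Security", "Provider": "Microsoft-Windows-Security-Auditing",
     "EventID": 4624, "Data": {"SubjectUserName": "jdoe"}},
    {"RecordId": 102, "Channel": "Security", "Provider": "Microsoft-Windows-Eventlog",
     "EventID": 1102, "Data": {"SubjectUserName": "svc-backup"}},
    {"RecordId": 103, "Channel": "System", "Provider": "Microsoft-Windows-Eventlog",
     "EventID": 104, "Data": {"Channel": "Microsoft-Windows-PowerShell/Operational",
                              "SubjectUserName": "svc-backup"}},
    {"RecordId": 104, "Channel": "System", "Provider": "Microsoft-Windows-Eventlog",
     "EventID": 104, "Data": {"Channel": "Application", "SubjectUserName": "admin"}},
    {"RecordId": 105, "Channel": "Microsoft-Windows-Windows Defender/Operational",
     "Provider": "Microsoft-Windows-Windows Defender", "EventID": 5001, "Data": {}},
    {"RecordId": 106, "Channel": "Security", "Provider": "Microsoft-Windows-Security-Auditing",
     "EventID": 4719, "Data": {"SubjectUserName": "svc-backup"}},
]


if __name__ == "__main__":
    found = detect_tampering(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.severity:<6}] record {f.record_id}: {f.rule} (actor={f.actor})")
    print("findings per actor:", dict(findings_by_actor(found)))
```

Clearing the Application log on its own is scored medium because administrators do it legitimately; the same account clearing the Security log, the PowerShell Operational log and changing audit policy within one batch is what should page someone.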

Additional resources

If you’d like to learn more about using modern anti-malware, please take a look at the Microsoft resources below.

4. Keeping up to date

Unpatched and out of date systems are a key reason many organizations fall victim to an attack. Ensure all systems are kept up to date including firmware, the operating system, and applications.

Best practices

  • Ensure devices are robust by applying patches and changing default passwords and default SSH ports.
  • Reduce the attack surface by eliminating unnecessary internet connections and open ports, restricting remote access by blocking ports, denying remote access, and using VPN services.
  • Use an internet-of-things and operational technology (IoT/OT)-aware network detection and response (NDR) solution and a security information and event management (SIEM)/security orchestration, automation, and response (SOAR) solution to monitor devices for anomalous or unauthorized behaviors, such as communication with unfamiliar hosts.
  • Segment networks to limit an attacker’s ability to move laterally and compromise assets after initial intrusion. IoT devices and OT networks should be isolated from corporate IT networks through firewalls.
  • Ensure ICS protocols are not exposed directly to the internet.
  • Gain deeper visibility into IoT/OT devices on your network and prioritize them by risk to the enterprise if they are compromised.
  • Use firmware scanning tools to understand potential security weaknesses and work with vendors to identify how to mitigate the risks for high-risk devices.
  • Positively influence the security of IoT/OT devices by requiring the adoption of secure development lifecycle best practices by your vendors.
  • Avoid transferring files that contain system definitions through unsecure channels or to nonessential personnel.
  • When transferring such files is unavoidable, be sure to monitor activity on the network and ensure assets are secure.
  • Protect engineering stations by monitoring with EDR solutions.
  • Proactively conduct incident response for OT networks.
  • Deploy continuous monitoring with solutions like Microsoft Defender for IoT.

Additional resources

If you’d like to learn more, please take a look at the Microsoft resources below.

5. Protecting data

Knowing your important data, where it is located and whether the right systems are implemented is crucial to implementing the appropriate protection.

Data security challenges include:

  • Reducing and managing the risk of user errors
  • Classifying data at scale, since manual user classification is impractical
  • Protecting data outside of the network
  • Building a complete strategy that covers both compliance and security
  • Meeting increasingly stringent compliance requirements

5 pillars of a defense-in-depth approach to data security

Today’s hybrid workspaces require data to be accessed from multiple devices, apps, and services from around the world. With so many platforms and access points, you must have strong protections against data theft and leakage. For today’s environment, a defense-in-depth approach offers the best protection to fortify your data security. There are five components to this strategy, all of which can be enacted in whatever order suits your organization’s unique needs and possible regulatory requirements.

1. Identify the data landscape
Before you can protect your sensitive data, you need to discover where it lives and how it’s accessed. That requires complete visibility into your entire data estate, whether on-premises, hybrid, or multicloud.

2. Protect sensitive data
Along with creating a holistic map, you’ll need to protect your data—both at rest and in transit. That’s where accurately labeling and classifying your data comes into play, so you can gain insights into how it’s being accessed, stored, and shared. Accurately tracking data will help prevent it from falling prey to leaks and breaches.

3. Manage risks
Even when your data is mapped and labeled appropriately, you’ll need to take into account user context around the data and activities that may result in potential data security incidents, and that includes internal threats. The best approach to addressing insider risk brings together the right people, processes, training, and tools.

4. Prevent data loss
Don’t forget about the unauthorized use of data—that’s loss, too. An effective data loss protection solution needs to balance protection and productivity. It’s critical to ensure the proper access controls are in place and policies are set to help prevent actions like improperly saving, storing, or printing sensitive data.

5. Govern the data lifecycle
As data governance shifts toward business teams becoming stewards of their own data, it’s important that organizations create a unified approach across the enterprise. This kind of proactive lifecycle management leads to better data security and helps ensure that data is responsibly democratized for the user, where it can drive business value.

Additional resources

If you’d like to learn more about protecting data, please take a look at the Microsoft resources below.

Conclusion

Although threat actors continue to evolve and grow more sophisticated, a truism of cybersecurity bears repeating: Basic cyber security hygiene—enabling MFA, applying Zero Trust principles, keeping up to date, using modern anti-malware, and protecting data—prevents 99% of attacks.

For help protecting against cyber threats, minimizing risk, and ensuring the ongoing viability of your organization, meeting the minimum standards for cyber security hygiene is essential.


1. 2023 Microsoft Digital Defense Report
2. One simple action you can take to prevent 99.9 percent of attacks on your accounts

Expert Profile: Dustin Duran
http://approjects.co.za/?big=en-us/security/business/security-insider/behind-the-scenes/expert-profile-dustin-duran/
Tue, 20 Jun 2023 20:29:30 +0000

My team tells the end-to-end attack story. We connect the dots between the different phases of an attacker kill chain to better understand the root causes of an attack, at a glance, while it’s happening.

We also copy attacker techniques and thinking.

Attackers approach the world in terms of objectives and sequences of activities. They chain different techniques together—it’s why we refer to these attack stories as “kill chains”—and move through pathways most beneficial to them. It’s not a linear process. We call it thinking in graphs.

As defenders, we must adopt the same mindset. We cannot condemn ourselves to think in lists, where we try to reassemble the entire jigsaw puzzle when an attack is underway. At a glance, we have to know how attackers gained access, how they’re moving laterally, what they’re working towards.

Defenders identify malicious activity more accurately when they understand the sequence of that activity together, not just individual techniques in isolation.

A great example is when we analyzed a recent series of financial fraud attacks and noticed how attackers were using a reverse proxy setup to bypass multifactor authentication (MFA). We noted the MFA bypass signals and drew communications to other instances where the emerging technique appeared. What we learned about credential harvesting from our ability to connect those dots allows us to respond earlier in the attack. It helps us be better defenders.

When asked what can be done to protect an organization better, I always say the same thing: Leveraging MFA consistently is critical. It’s one of the most important recommendations we provide. It’s one of the most essential things enterprises can do to defend themselves better, striving for that passwordless environment because that disables all the emerging attacker techniques. Using MFA properly makes attackers work harder. And if they can’t gain access to an identity and your org, launching an attack gets much more complicated.

Additional resources

To learn more about kill chains, business email compromise, and the modern attack surface, please look at the Microsoft resources below.

Anatomy of a modern attack surface
http://approjects.co.za/?big=en-us/security/business/security-insider/threat-briefs/anatomy-of-a-modern-attack-surface/
Tue, 02 May 2023 15:09:50 +0000

As the world becomes more connected and digital, cybersecurity is becoming more complex. Organizations are moving more infrastructure, data, and apps to the cloud, supporting remote work, and engaging with third-party ecosystems. Consequently, what security teams must now defend is a broader, more dynamic environment and an expanded set of attack surfaces.

Threat actors are taking advantage of this complexity, exploiting gaps in an organization’s protections and permissions and executing relentless, high-volume attacks. Attacks are often multi-faceted, spanning several elements of an organization’s operations and infrastructure. Attackers are also becoming more coordinated across a growing cybercrime-as-a-service landscape. In 2022, Microsoft’s Digital Crimes Unit blocked 2,750,000 site registrations to get ahead of criminal actors that planned to use them to engage in global cybercrime.1

Keeping up with today’s threats means securing every main attack surface, including email, identity, endpoint, Internet of Things (IoT), cloud and external. From a security perspective, you’re only as strong as your weakest links — and attackers are getting better at finding those. The good news is that most threats can be stopped by implementing basic security measures. In fact, we’ve found that basic security hygiene still protects against 98% of cyberattacks.2

[Image: four people gathered around a screen discussing cybersecurity. Stats on image: "1 hour 42 minutes: median time for an attacker to begin moving laterally within your corporate network once a device is compromised" and "98% of cyberattacks can be prevented with basic security hygiene"]

End-to-end visibility into threats is foundational for good security hygiene. The right threat intelligence gives security teams a comprehensive view of the threat landscape, enabling them to stay ahead of emerging threats and continually refine their defenses. And when threat actors do get in, holistic threat intelligence is essential to learning what happened and preventing it from happening again.

Below we’ll discuss threat trends and challenges related to six main attack surfaces in an organization: email, identity, endpoint, IoT, cloud, and external. Towards the end, we’ll come back to how the right threat intelligence can tilt the playing field and give security teams a powerful advantage.

1. Email remains a top threat vector and focus area for defense

For most organizations, email is an essential part of daily business operations. Unfortunately, email remains a top threat vector. 35% of ransomware incidents in 2022 involved the use of email.4 Attackers are carrying out more email attacks than ever before — in 2022, the rate of phishing attacks increased by 61% compared to 2021.5

Attackers also now commonly leverage legitimate resources to carry out phishing attacks. This makes it even more difficult for users to differentiate between real and malicious emails, increasing the likelihood that a threat slips through. Consent phishing attacks are one example of this trend, where threat actors abuse legitimate cloud service providers to trick users into granting permissions to access confidential data.

Without the ability to correlate email signals into broader incidents to visualize attacks, it can take a long time to detect a threat actor that gained entry via email. And by then it may be too late to prevent the damage. The median time it takes for an attacker to access an organization’s private data is just 72 minutes.6 This can result in serious losses at the enterprise level. Business email compromise (BEC) cost an estimated $2.4 billion in adjusted losses in 2021.7

[Image: person typing on a laptop. Stats on image: "72 min: median time it takes for an attacker to access your private data if you fall victim to a phishing email" and "61% increase in phishing attacks from 2021 to 2022"]

In addition to safeguards such as URL checking and disabling macros, employee education is essential to preventing threats from having an impact. Simulated phishing emails and instructional materials on how to identify malicious content (even when it appears legitimate) are critical preventative security measures. We anticipate threat actors will continue to increase the quality of social engineering in their email attacks, leveraging AI and other tools to improve the persuasiveness and personalization of malicious emails. And this is just one example — as organizations get better at addressing today’s email threats, the threats will continue to evolve.

2. The expanded identity landscape also expands opportunities for threat actors

In today’s cloud-enabled world, securing access has become more critical than ever. As a result, gaining a deep understanding of identity across your organization — including user account permissions, workload identities, and their potential vulnerabilities — is vital, especially as attacks increase in frequency and creativity.

The number of password attacks rose to an estimated 921 attacks every second in 2022 — a 74% increase from 2021.8 At Microsoft, we’ve also seen threat actors get more creative in circumventing multi-factor authentication (MFA), using techniques such as adversary-in-the-middle phishing attacks and token abuse to gain access to organizations’ data. Phishing kits have made it even easier for threat actors to steal credentials. Microsoft’s Digital Crimes Unit has observed an increase in phishing kit sophistication over the past year, along with very low barriers to entry — with one seller offering phishing kits for as little as $6 per day.9

Managing the identity attack surface is more than securing user accounts — it spans cloud access, as well as workload identities. Compromised credentials can be a powerful tool for threat actors to use in wreaking havoc on an organization’s cloud infrastructure.

[Image: person in a digital cybersecurity meeting discussing connected device vulnerabilities. Stats on image: "3,500: average number of connected devices in an enterprise that are not protected by an endpoint detection and response agent" and "$1.7M: median value of the annualized risk of a data breach from mobile phishing attacks"]

Attackers are frequently gaining access to third-party accounts or other highly privileged accounts connected to an organization, and then using those credentials to infiltrate the cloud and steal data. Though workload identities (identities assigned to software workloads like applications to access other services and resources) are often overlooked in permissions auditing, identity information hidden in workloads can give a threat actor access to an entire organization’s data.

As the identity landscape continues to expand, we expect that attacks targeting identity will continue to grow both in volume and variety. This means maintaining a comprehensive understanding of identity and access will continue to be mission critical.

3. Hybrid environments and shadow IT have increased endpoint blind spots

Given the sheer number of devices in today’s hybrid environment, securing endpoints has become more challenging. What hasn’t changed is that securing endpoints — particularly unmanaged devices — is critical to a strong security posture, since even one compromise can give threat actors entry into your organization.

As organizations have embraced BYOD (“Bring Your Own Device”) policies, unmanaged devices have proliferated. Consequently, the endpoint attack surface is now larger and more exposed. On average, there are 3,500 connected devices in an enterprise that are not protected by an endpoint detection and response agent.11

Unmanaged devices (which are part of the “shadow IT” landscape) are particularly appealing to threat actors since security teams lack the visibility necessary to secure them. At Microsoft, we’ve found that users are 71% more likely to be infected on an unmanaged device.12 Since they connect to company networks, unmanaged devices also present opportunities for attackers to launch broader attacks on servers and other infrastructure.

Unmanaged servers are also potential vectors for endpoint attacks. In 2021, Microsoft Security observed an attack where a threat actor took advantage of an unpatched server, navigated through directories, and discovered a password folder providing access to account credentials.

[Image: four people discussing cybersecurity. Stats on image: "921: password attacks per second in 2022, a 74% increase from 2021" and "93% of Microsoft investigations during ransomware recovery engagements revealed insufficient privilege access and lateral movement controls"]

The attacker then signed into numerous devices throughout the organization to collect and exfiltrate extensive amounts of data, including intellectual property. This likely allowed the attacker to threaten release of the information if the subsequent ransom wasn’t paid. This is a practice known as “double extortion,” and it’s a concerning scenario we’ve seen more frequently over the past year.13 And even if the ransom is paid, there’s no guarantee that data will be unencrypted or even returned at all.

With the number of endpoints continuing to grow, threat actors will undoubtedly continue to see endpoints (particularly unmanaged ones) as attractive targets. As a result, improving endpoint visibility and security hygiene can offer organizations significant value.

4. IoT devices are growing exponentially—and so are IoT threats

One of the most overlooked endpoint attack vectors is IoT (Internet of Things) — which includes billions of devices, both large and small. IoT security covers physical devices that connect to and exchange data with the network, such as routers, printers, cameras, and other similar devices. It can also include operational devices and sensors (operational technology, or “OT”), such as smart equipment on manufacturing production lines.

As the number of IoT devices grows, so does the number of vulnerabilities. By 2025, IDC predicts that 41 billion IoT devices will be present within enterprise and consumer environments.15 Since many organizations are hardening routers and networks to make them more difficult for threat actors to breach, IoT devices are becoming an easier and more appealing target. We’ve often seen threat actors exploit vulnerabilities to turn IoT devices into proxies — using an exposed device as a foothold onto the network. Once a threat actor has gained access to an IoT device, they can monitor network traffic for other unprotected assets, move laterally to infiltrate other parts of their target’s infrastructure, or perform reconnaissance to plan large-scale attacks on sensitive equipment and devices. In one study, 35% of security practitioners reported that in the past 2 years, an IoT device was used to conduct a broader attack on their organization.16

Unfortunately, IoT is often a black box for organizations in terms of visibility, and many lack proper IoT security measures. 60% of security practitioners cited IoT and OT security as one of the least secured aspects of their IT and OT infrastructure.17

[Image: computer networking ports. Stats on image: "41 billion IoT devices expected in enterprise and consumer environments by 2025" and "60% of security practitioners say IoT and OT security is one of the least secured aspects of their IT and OT infrastructure"]

IoT devices themselves often contain dangerous vulnerabilities. Microsoft intelligence data uncovered that 1 million connected devices publicly visible on the Internet are running the Boa web server, an outdated, unsupported software still widely used in IoT devices and software development kits (SDKs).18

A growing number of countries are taking note of these blind spots and mandating improvements in IoT device cybersecurity.19,20 These regulations are an indicator of the increased focus on IoT security, as businesses and consumers alike become more concerned about IoT device vulnerabilities. While IoT is currently in the spotlight, cybersecurity regulations are expanding in other areas too, making it even more urgent for organizations to gain visibility across attack surfaces.

5. Protecting the cloud is both critical and complex

Organizations are increasingly moving infrastructure, application development, workloads and massive amounts of data to the cloud. Securing the cloud environment means defending a range of services, including SaaS, IaaS and PaaS, distributed across multiple clouds. Given the breadth and distribution of services involved, it can be difficult to get the proper level of visibility and protection at each layer.

Many organizations struggle to gain end-to-end visibility across their cloud ecosystem, especially as data increasingly resides in multiple cloud and hybrid environments. Too often, this lack of visibility means there is a security gap. At Microsoft, we’ve found that 84% of organizations who suffered ransomware attacks did not integrate their multi-cloud assets with their security tooling, a critical oversight.21

The widespread move to the cloud has also increased the number of new attack vectors for cybercriminals to exploit, with many gaining access through gaps in permissions security. Unknown code-based vulnerabilities in applications developed in the cloud have dramatically increased the risk of compromise. As a result, the top cloud attack vector we’re seeing across organizations is now cloud app development.

Image: 895 man-in-the-middle phishing attacks detected per month by Microsoft Defender for Cloud Apps, on average; 84% of organizations that suffered ransomware attacks did not integrate their multi-cloud environments into security operations tooling.

Embracing a “Shift-left” security approach — incorporating security thinking in the earliest stages of app development — can help organizations strengthen their security posture and avoid introducing these vulnerabilities in the first place.

Cloud storage is another increasingly common attack vector, as incorrect permissions can put user data at risk. Additionally, cloud services providers themselves can be compromised. In 2021, Midnight Blizzard (a Russia-linked threat actor group formerly known as NOBELIUM) launched phishing attacks against a cloud services provider in an attempt to compromise and leverage privileged government customer accounts.22 This is just one example of a modern cloud threat, and we expect to see further cross-cloud attacks in the future.

6. Securing the external attack surface is an internet-scale challenge

Today, an organization’s external attack surface spans multiple clouds, complex digital supply chains and massive third-party ecosystems. The internet is now part of the network, and despite its almost unfathomable size, security teams must defend their organization’s presence throughout the internet to the same degree as everything behind their firewalls. And as more organizations adopt the principles of Zero Trust, protecting both internal and external attack surfaces has become an internet-scale challenge.

The global attack surface grows with the internet, and it is expanding every day. At Microsoft, we’ve seen evidence of this increase across many types of threats, such as phishing attacks. In 2021, Microsoft’s Digital Crimes Unit directed the removal of more than 96,000 unique phishing URLs and 7,700 phish kits, which led to the identification and closure of over 2,200 malicious email accounts used to collect stolen customer credentials.24

The external attack surface extends far beyond an organization’s own assets. It often includes suppliers, partners, unmanaged personal employee devices connected to company networks or assets, and newly acquired organizations. Consequently, it is critical to be aware of external connections and exposure in order to mitigate potential threats. A 2020 Ponemon report revealed that 53% of organizations had experienced at least one data breach caused by a third party in the past 2 years, costing an average of $7.5 million to remediate.25

Image: 1,613 cyberattack-related data compromises in 2021, more than all data compromises in 2020; 53% of organizations experienced at least one data breach caused by a third party from 2018-2020.

As the infrastructure behind cyberattacks increases, gaining visibility into threat infrastructure and taking inventory of internet-exposed assets has become more urgent than ever. We’ve found that organizations often struggle to understand the scope of their external exposure, resulting in significant blind spots. These blind spots can have devastating consequences. In 2021, 61% of businesses experienced a ransomware attack that led to at least a partial disruption of business operations.26

At Microsoft, we often tell customers to view their organization from the outside-in when evaluating security posture. Beyond VAPT (Vulnerability Assessment and Penetration Testing), it’s important to gain deep visibility into your external attack surface so you can identify vulnerabilities throughout the entirety of your environment and extended ecosystem. If you were an attacker trying to get in, what could you exploit? Understanding the full extent of your organization’s external attack surface is foundational to securing it.

How Microsoft can help

Today’s threat landscape is constantly changing, and organizations need a security strategy that can keep up. Increased organizational complexity and exposure, along with a high volume of threats and low barrier to entry in the cybercrime economy, make it more urgent than ever to secure every single seam within and between each attack surface.

Security teams need powerful threat intelligence to defend against today’s myriad and evolving threats. The right threat intelligence correlates signals from different places — providing timely and relevant context into current attack behavior and trends so security teams can successfully identify vulnerabilities, prioritize alerts, and disrupt attacks. And if a breach does occur, threat intelligence is critical to preventing further harm and improving defenses so a similar attack can’t happen again. Simply put, organizations that leverage more threat intelligence will be more secure and successful.

Microsoft has an unparalleled view of the evolving threat landscape, with 65 trillion signals analyzed daily. By correlating these signals in real time across attack surfaces, threat intelligence built into Microsoft Security solutions provides insight into the growing ransomware and threat environment, so you can see and stop more attacks. And with advanced AI capabilities, such as Microsoft Security Copilot, you can stay ahead of evolving threats and defend your organization at machine speed — empowering your security team to simplify the complex, catch what others miss, and protect everything.


1. 2022 Microsoft Digital Defense Report, p. 18
2. 2022 Microsoft Digital Defense Report, p. 108
3. 2022 Microsoft Digital Defense Report, p. 21
4. 2022 Verizon Data Breach Investigations report, p. 28
5. SlashNext’s State of Phishing Report Reveals More Than 255 Million Attacks in 2022, Signaling a 61% Increase in Phishing Year-Over-Year (prnewswire.com)
6. 2022 Microsoft Digital Defense Report, p. 21
7. 2021 FBI Internet Crime Report, p. 3
8. 2022 Microsoft Digital Defense Report, p. 2
9. 2022 Microsoft Digital Defense Report, p. 19
10. 2022 Microsoft Digital Defense Report, p. 14
11. 2022 Microsoft Digital Defense Report, p. 92
12. Secure unmanaged devices with Microsoft Defender for Endpoint now – Microsoft Security Blog
13. The many lives of BlackCat ransomware – Microsoft Security Blog
14. 40% fell victim to a phishing attack in the past month – Help Net Security
15. The Growth in Connected IoT Devices is Expected to Generate 79.4ZB of Data in 2025, According to a New IDC Forecast | Business Wire
16. “The State of IoT/OT Cybersecurity in the Enterprise” 2021 Ponemon Institute Research Report, p. 2
17. “The State of IoT/OT Cybersecurity in the Enterprise” 2021 Ponemon Institute Research Report, p. 2
18. 2022 Microsoft Cyber Signals Report, p. 3
19. EU Cyber Resilience Act | Shaping Europe’s digital future (europa.eu)
20. Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products, NIST 2022
21. 2022 Microsoft Digital Defense Report, p. 16
22. 2022 Microsoft Digital Defense Report, p. 37
23. 2022 Microsoft Digital Defense Report, p. 95
24. Digital Crimes Unit: Leading the fight against cybercrime – On the Issues (microsoft.com)
25. The Rise Of Third-Party Digital Risk (forbes.com)
26. Malware Statistics in 2023: Frequency, impact, cost & more (comparitech.com)
27. 2021 Identity Theft Resource Center Annual Data Breach Report, p. 5

Cyberthreat Minute: The scale of worldwide cybercrime
http://approjects.co.za/?big=en-us/security/business/security-insider/threat-briefs/cyberthreat-minute-2022/
Mon, 01 Aug 2022 21:38:27 +0000

Cybercrime is big and growing bigger. As the threat landscape evolves and security perimeters expand, we aim to frame a macro problem on a micro scale. To illuminate the top threats organizations face in a year, we have broken down a year’s cybercrime research by the minute.

Today’s threat landscape

In any given 60-second window, the following malicious activity is happening.

Breakdown of possible cyber threats that can occur within a 60-second window

The threat infrastructure detection figures come from internal RiskIQ data. Microsoft acquired RiskIQ in 2021 to help organizations assess the security of their entire digital enterprise.

Microsoft security data

Microsoft operates global services at a massive scale, allowing us to see, aggregate, and correlate threat signals across the globe and from a variety of industries. Our diverse spectrum of threat data from endpoints, identities, applications, and the cloud is reasoned over by our security researchers, who help to generate a high-fidelity picture of the current state of the threat landscape.

Breakdown of cyber threats that can be blocked by Microsoft cybersecurity within a 60-second window

Cost of cybercrime

Cybercrime is a disruptive and economically corrosive force that causes trillions of dollars in damages every year. The cost of cybercrime comes from damage done to data and property, stolen assets—including intellectual property—and the disruption of business systems and productivity.

Breakdown of the impact of cyber security threats

The expanding internet

As the internet continues to expand, opportunities for cybercrime expand too, and the same applies to organizations. Cloud migration, new digital initiatives, and shadow IT increase the size of the attack surface, and at the enterprise level that can mean a vast estate spanning multiple clouds and massively complex ecosystems. Meanwhile, cheap, readily available infrastructure and flourishing cybercrime economies grow the threat landscape that organizations must track.

As internet opportunities expand, so do the opportunities for cybercrime.

Conclusion

The threat landscape is dynamic, and Microsoft has an unparalleled view. We track more than 78 trillion signals every day to develop dynamic, hyper-relevant threat intelligence that evolves with the attack surface and helps us to detect and respond to threats rapidly.

We also offer this intelligence directly to customers, giving them a deep and unique view of the threat landscape, a 360-degree understanding of their exposure to it, and tools to mitigate and respond.

1. http://approjects.co.za/?big=security/blog/2021/05/12/securing-a-new-world-of-hybrid-work-what-to-know-and-what-to-do/
2. https://www.itechpost.com/articles/110312/20220426/crime-grows-technology-1-billion-iot-devices-suffered-attacks-2021.htm#:~:text=In%202021%2C%20there%20was%20more,of%20cyberattacks%20to%20be%20successful
3. https://www.netscout.com/threatreport
4. https://www.helpnetsecurity.com/2022/03/03/phishing-attacks-december-2021
5. https://owasp.org/Top10/A03_2021-Injection/
6. RiskIQ internal data
7. https://www.sonatype.com/resources/state-of-the-software-supply-chain-2021
8. https://www.securitymagazine.com/articles/97166-ransomware-attacks-nearly-doubled-in-2021
9. https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWUGFg
10. https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWUGFg
11. http://approjects.co.za/?big=en-us/security/business/microsoft-digital-defense-report
12. http://approjects.co.za/?big=en-us/security/business/microsoft-digital-defense-report
13. http://approjects.co.za/?big=en-us/security/business/microsoft-digital-defense-report
14. RiskIQ internal data
15. https://www.csis.org/analysis/economic-impact-cybercrim
16. https://www.dataprise.com/resources/blog/2022-cybersecurity-spending
17. https://www.statista.com/statistics/1273177/ecommerce-payment-fraud-losses-globally
18. https://www.cybereason.com/hubfs/dam/collateral/ebooks/Cybereason_Ransomware_Research_2021.pdf
19. https://ciphertrace.com/2020-year-end-cryptocurrency-crime-and-anti-money-laundering-report/
20. https://news.microsoft.com/on-the-issues/2022/05/03/how-microsofts-digital-crimes-unit-fights-cybercrime
22. https://cobalt.io/blog/business-cost-of-cybercrime
23. RiskIQ internal data
24. https://securitytoday.com/Articles/2020/01/13/The-IoT-Rundown-for-2020.aspx?Page=2
25. RiskIQ internal data
26. https://letsencrypt.org/stats/#growth
27. https://www.riskiq.com/resources/infographic/evil-internet-minute-2021/

Anatomy of an external attack surface
http://approjects.co.za/?big=en-us/security/business/security-insider/threat-briefs/anatomy-of-an-external-attack-surface/
Sat, 09 Apr 2022 21:14:05 +0000

The cybersecurity world continues to become more complex as organizations move to the cloud and shift to decentralized work. Today, the external attack surface spans multiple clouds, complex digital supply chains, and massive third-party ecosystems. Consequently, the sheer scale of now-common global security issues has radically shifted our perception of comprehensive security.

The internet is now part of the network. Despite its almost unfathomable size, security teams must defend their organization’s presence across the internet to the same degree as everything behind their firewalls. As more organizations adopt the principles of Zero Trust, protecting both internal and external surfaces becomes an internet-scale challenge. As such, it’s increasingly critical for organizations to understand the full scope of their attack surface.

Microsoft acquired RiskIQ in 2021 to help organizations assess the security of their entire digital enterprise. Powered by the RiskIQ Internet Intelligence Graph, organizations can discover and investigate threats across the components, connections, services, IP-connected devices, and infrastructure that make up their attack surface to create a resilient, scalable defense.

For security teams, the sheer depth and breadth of what they need to defend may seem daunting. However, one way to put the scope of their organization’s attack surface into perspective is to think about the internet from an attacker’s point of view. This article highlights five areas that help better frame the challenges of effective external attack-surface management.

The global attack surface may be bigger than most think

The global attack surface grows with the internet

And it is growing every day. In 2020, the amount of data on the internet hit 40 zettabytes, or 40 trillion gigabytes.1 RiskIQ found that every minute, 117,298 hosts and 613 domains2 add to the many interwoven threads making up the global attack surface’s intricate fabric. Each of these contains a set of elements, such as its underlying operating systems, frameworks, third-party applications, plugins, and tracking code. With each of these rapidly proliferating sites containing these nuts and bolts, the scope of the global attack surface increases exponentially.

The global attack surface grows every minute: 117,289 hosts created each minute, 613 domains created each minute, and 375 new threats each minute.

Both legitimate organizations and threat actors contribute to this growth, which means cyber threats increase at scale with the rest of the internet. Sophisticated advanced persistent threats (APTs) and petty cybercriminals alike threaten businesses’ safety, targeting their data, brand, intellectual property, systems, and people.

In the first quarter of 2021, Cisco detected 611,877 unique phishing sites,3 with 32 domain-infringement events and 375 new total threats emerging per minute.2 These threats target organizations’ employees and customers with rogue assets, looking to fool them into clicking malicious links and phishing for sensitive data, all of which can erode brand confidence and consumer trust.

Sometimes, threat actors know more about an organization’s attack surface than their SOC does

The rise in vulnerabilities from a remote workforce

The rapid growth of internet-exposed assets has dramatically broadened the spectrum of threats and vulnerabilities affecting the average organization. With the advent of COVID-19, digital growth accelerated once again, with almost every organization expanding its digital footprint to accommodate a remote, highly flexible workforce and business model. The result: attackers now have far more access points to probe or exploit.

The use of remote access technologies like RDP (Remote Desktop Protocol) and VPN (Virtual Private Network) skyrocketed 41 percent and 33 percent4 respectively, with most of the world adopting a work-from-home policy. The global remote desktop software market size, USD 1.53 billion in 2019, will reach USD 4.69 billion by 2027.5

Dozens of new vulnerabilities in remote access software and devices have given attackers footholds they never had before. RiskIQ surfaced many vulnerable instances of the most popular remote access and perimeter devices, and the torrential pace of vulnerabilities hasn’t slowed. Overall, 18,378 vulnerabilities were reported in 2021.6

The vulnerability landscape is growing with the use of Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) technologies: over 41% growth in RDP use, over 33% growth in VPN use, and 18,378 vulnerabilities reported in 2021.

With the rise of global-scale attacks orchestrated by multiple threat groups and tailored for digital enterprises, security teams need to mitigate vulnerabilities for themselves, third parties, partners, controlled and uncontrolled apps, and services within and among relationships in the digital supply chain.

Threat actors don’t have to compromise assets to attack an organization or its customers

Digital supply chains, M&A, and shadow IT create a hidden attack surface

Most cyberattacks originate miles away from the network; web applications comprised the vector category most commonly exploited in hacking-related breaches. Unfortunately, most organizations lack a complete view of their internet assets and how those assets connect to the global attack surface. Three significant contributors to this lack of visibility are shadow IT, mergers and acquisitions (M&A), and digital supply chains.

At risk dependencies: 15 expired services per minute, less than 10% of deals contain cybersecurity due diligence, and 53% of organizations have experienced at least one data breach caused by a third party.

Shadow IT

Where IT can’t keep pace with business requirements, the business looks elsewhere for support in developing and deploying new web assets. The security team is frequently in the dark regarding these shadow IT activities and, as a result, cannot bring the created assets within the scope of their security program. Unmanaged and orphaned assets can become a liability in an organization’s attack surface over time.

This rapid proliferation of digital assets outside the firewall is now the norm. New RiskIQ customers typically find approximately 30 percent more assets than they thought they had, and RiskIQ detects 15 expired services (susceptible to subdomain takeover) and 143 open ports every minute.2

Mergers and acquisitions

Everyday operations and critical business initiatives such as M&A, strategic partnerships, and outsourcing create and expand external attack surfaces. Today, less than 10 percent of deals globally contain cybersecurity due diligence.

There are several common reasons why organizations are not getting a complete view of potential cyber risks during the due diligence process. The first is the sheer scale of the company’s digital presence they’re acquiring. It’s not uncommon for a large organization to have thousands—or even tens of thousands—of active websites and other publicly exposed assets. While IT and security teams in the to-be-acquired company will have an asset register of websites, it’s almost always only a partial view of what exists. The more decentralized an organization’s IT activities are, the more significant the gap.

Supply chains

The enterprise is increasingly dependent upon the digital alliances that form the modern supply chain. While these dependencies are essential to operating in the 21st century, they also create a cluttered, layered, and highly complicated web of third-party relationships, many of which are outside the purview of security and risk teams to protect and defend proactively. As a result, quickly identifying vulnerable digital assets that signal risk is a massive challenge.

A lack of understanding and visibility into these dependencies has made third-party attacks one of the most frequent and effective vectors for threat actors. A significant number of attacks now come through the digital supply chain. Today, 70 percent of IT professionals indicate a moderate-to-high level of dependency on external entities that might include third, fourth, or fifth parties.9 At the same time, 53 percent of organizations have experienced at least one data breach caused by a third party.10

While large-scale supply chain attacks become more common, organizations deal with smaller ones daily. Digital credit card skimming malware like Magecart affects third-party e-commerce plugins. In February 2022, RiskIQ detected more than 300 domains affected by Magecart digital credit card-skimming malware.11

The mobile attack surface goes beyond major mobile app stores

App stores across the world contain apps targeting organizations and their customers

Each year, businesses invest more in mobile as the average consumer’s lifestyle becomes more mobile-centric. Americans now spend more time on mobile than watching live TV, and social distancing caused them to migrate more of their physical needs, such as shopping and education, to mobile. App Annie shows that mobile spending grew to a staggering $170 billion in 2021, a year-over-year growth of 19 percent.12

This demand for mobile creates a massive proliferation of mobile apps. Users downloaded 218 billion apps in 2020. Meanwhile, RiskIQ noted a 33 percent overall growth in mobile apps available in 2020, with 23 appearing every minute.2

App Stores represent a growing target for cybercrime. Over 33% growth in mobile apps with 23 mobile apps appearing every minute.

For organizations, these apps drive business outcomes. However, they can be a double-edged sword. The app landscape is a significant portion of an enterprise’s overall attack surface that exists beyond the firewall, where security teams often suffer from a critical lack of visibility. Threat actors have made a living taking advantage of this myopia to produce “rogue apps” that mimic well-known brands or otherwise purport to be something they’re not, purpose-built to fool customers into downloading them. Once an unsuspecting user downloads these malicious apps, threat actors can have their way, phishing for sensitive information or uploading malware to devices. RiskIQ blocklists a malicious mobile app every five minutes.

These rogue apps appear in official stores on rare occasions, even breaching the major app stores’ robust defenses. However, hundreds of less reputable app stores represent a murky mobile underworld outside of the relative safety of reputed stores. Apps in these stores are far less regulated than official app stores, and some are so overrun with malicious apps that they outnumber their safe offerings.

Threat infrastructure is more than what’s on the network

The global attack surface is a part of an organization’s attack surface, too

Today’s global internet attack surface has transformed dramatically into a dynamic, all-encompassing, and completely entwined ecosystem that we’re all a part of. If you have an internet presence, you interconnect with everyone else, including those that want to do you harm. For this reason, tracking threat infrastructure is just as important as tracking your own infrastructure.

Malware, malware variants, and Cobalt Strike C2 servers are continuously on the rise.

Different threat groups will recycle and share infrastructure—IPs, domains, and certificates—and use open-source commodity tools, such as malware, phish kits, and C2 components to avoid easy attribution, tweaking and improving them to fit their unique needs.

More than 560,000 new pieces of malware are detected every day, and the number of phishing kits advertised on underground cybercrime marketplaces doubled between 2018 and 2019. In 2020, the number of detected malware variants rose by 74 percent.14 RiskIQ now detects a Cobalt Strike C2 server every 49 minutes.

Summary

Traditionally, the security strategy of most organizations has been a defense-in-depth approach starting at the perimeter and layering back to the assets that should be protected. However, there are disconnects between that kind of strategy and the attack surface, as presented in this report. In today’s world of digital engagement, users sit outside the perimeter—as do an increasing number of exposed corporate digital assets and many of the malicious actors. Applying Zero Trust principles across corporate resources can help secure today’s workforce—protecting people, devices, applications, and data no matter their location or the scale of threats faced. Microsoft Security offers a series of targeted evaluation tools to help you assess the Zero Trust maturity stage of your organization.


1. https://healthit.com.au/how-big-is-the-internet-and-how-do-we-measure-it/
2. RiskIQ Evil Internet Minute, 2021
3. https://www.statista.com/statistics/266155/number-of-phishing-domain-names-worldwide/
4. https://www.zdnet.com/article/rdp-and-vpn-use-skyrocketed-since-coronavirus-onset/
5. https://www.globenewswire.com/news-release/2020/11/18/2128947/0/en/Remote-Desktop-Software-Market-to-Reach-USD-4-69-billion-by-2027-Rising-Popularity-of-E-learning-Distance-Learning-Platforms-to-Aid-Growth-Fortune-Business-Insights.html
6. https://www.zdnet.com/article/with-18376-vulnerabilities-found-in-2021-nist-reports-fifth-straight-year-of-record-numbers/#:~:text=Log%20Out-,With%2018%2C378%20vulnerabilities%20reported%20in%202021%2C%20NIST%20records%20fifth%20straight,was%20lower%20than%20in%202020.&text=Jonathan%20Greig%20is%20a%20journalist%20based%20in%20New%20York%20City
7. https://www.aon.com/unitedkingdom/insights/top-5-cyber-risks-in-mergers-and-acquisitions.jsp
8. https://www.securehalo.com/services/third-party-cyber-risk/#:~:text=A%20Ponemon%20Institute%20report%20notes,remediation%20costs%20averaging%20%247.5%20million.
9. https://www.slideshare.net/DeloitteUS/as-organizational-reliance-on-third-parties-increases-extended-enterprise-risk-management-to-be-a-focus-in-2019
10. https://www.securehalo.com/services/third-party-cyber-risk/#:~:text=A%20Ponemon%20Institute%20report%20notes,remediation%20costs%20averaging%20%247.5%20million.
11. https://www.riskiq.com/blog/external-threat-management/spoofed-sites/
12. https://techcrunch.com/2022/01/12/app-annie-global-app-stores-consumer-spend-up-19-to-170b-in-2021-downloads-grew-5-to-230b/
13. https://www.comparitech.com/antivirus/malware-statistics-facts/