Microsoft’s 2021 Digital Defense Report provides a useful summary of the current and emerging threat landscape for Security Managers and CISOs. Read on for our summary of the key lessons from this year’s report.
Cyber crime for Dummies
We have seen increased industrialisation and commercialisation of cyber-crime over the last year. Criminal gangs are now creating tools aimed at non-technical affiliates allowing them to jump on the ransomware bandwagon easily in return for a 30% affiliate fee of any ransom revenue earned. Ransoms are paid into cryptocurrency escrow services run by other criminals providing some ‘assurance’ to the victims that the ransom will not be released unless the decryption code actually works. In order to get the ransomware into the target network, compromised credentials are bought on markets hosted on the Dark Web for an average of just $0.97 per username and password pair or a denial of service attack can be ordered from a DDoS-as-a-service for $300 a month.
In the year to June 2021, the USA was the most hit by ransomware with just under 250 million computers being infected by ransomware according to Microsoft. The UK is fifth in this league table of shame with about 40m devices impacted – however when you allow for the UK population being just 20% of the USA, the rate of ransomware incidence is very similar.
Cyber security for Dummies
Basic security hygiene still protects against 98% of attacks says Microsoft. The report goes on to summarise their definition of the five key elements of basic security hygiene:
Enable multi-factor authentication (MFA) – MFA will stop a stolen password from being used. Whether it’s a one-time code from Google Authenticator, a passcode delivered by text message or a dongle or physical security key – needing something other than the password to log in is the single biggest step you can take to secure your network and key systems.
Always assign the least privilege access – when (not if) the bad guys get into your network, you can hobble their attempts to move around the network and escalate their access by ensuring that each login only has the minimum permissions necessary for the real account holder to be able to do their job.
Apply updates and patches promptly – every month software and device vendors publish updates and patches to their software that fix known security vulnerabilities. By promptly installing those patches on all your devices, from smartphones to laptops, servers to network routers – you minimise the window of opportunity for threat actors to make use of those vulnerabilities to attack your network.
Deploy anti-malware tools – gone are the days of installing an anti-virus app only on your desktop. Today’s anti-malware tools look for malicious code of all flavours, not just viruses – and these tools live on your desktop, on servers, in your firewalls and in the cloud – all working together with real-time threat telemetry from security vendors to identify and block emerging and novel threats in almost real time.
Protect your data – if an attacker still manages to get into your network and locate your valuable data – ensuring it is appropriately protected is a vital last line of defence. By taking a risk-based approach, you can ramp up the protection of the most sensitive data – and by knowing exactly where it is on your network you can be more confident of knowing whether any unauthorised access ever takes place.
Trust no-one
Microsoft believes that adopting a Zero Trust approach – that is, always assuming that a breach has occurred – is the future of network security, especially with the expected continuation of hybrid and remote working. This includes taking steps such as rolling out multi-factor authentication – which prevents over 99% of credential theft attacks – and the move to other authentication methods such as the new password-less sign-in available for Azure Active Directory.
The Phishing Industry is alive and well
Phishing is the most common type of malicious email detected by Microsoft, and threat actors are using increasingly sophisticated techniques in order to steal credentials. The basic phishing email attempts to trick the victim into disclosing their username and password, which the attacker captures to use later. The increased use of multi-factor authentication blunts the effectiveness of this kind of attack. The response of the cyber criminals is to try to steal OAuth access tokens by tricking the victim into granting a malicious application permission to access their OAuth-enabled account. The key here is that OAuth tokens are not protected by MFA or other credential protections: once the consent is granted, the application can act with the permissions it was given without any further sign-in. While anti-malware and email filters can block some of these kinds of phishing emails, staff security awareness training is still the most effective countermeasure to help your team spot the dubious email before they click on any links.
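As an added example (not code from the report or from this post), the following Python reviews a list of OAuth consent grants and flags the pattern the paragraph describes: mailbox or file scopes, or a long-lived refresh token, granted by an end user or to an unverified publisher. The record layout and sample grants are constructed for the example; the scope names are Microsoft Graph delegated permission names.

```python
# Added example: triage OAuth consent grants for likely consent phishing.
# The record layout below is an assumption for this example; identity
# providers export grants through their own admin tooling and schemas.

# Delegated scopes that let an app read or retain access to a mailbox or
# files. "offline_access" yields a refresh token, so access persists
# without the user signing in again and without any MFA prompt.
HIGH_RISK_SCOPES = {
    "offline_access",
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Contacts.Read",
}

def risk_reasons(grant):
    """Return the reasons a single consent grant merits review."""
    reasons = []
    scopes = set(grant["scopes"].split())
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if not grant["publisher_verified"]:
        reasons.append("unverified publisher")
    if grant["consent_type"] == "user" and risky:
        reasons.append("user (not admin) consent to high-risk scopes")
    return reasons

def flag_grants(grants):
    """Map app name -> reasons for grants that combine high-risk scopes
    with at least one trust gap (unverified publisher or user consent)."""
    flagged = {}
    for g in grants:
        reasons = risk_reasons(g)
        if len(reasons) >= 2:  # risky scopes plus a trust gap
            flagged[g["app_name"]] = reasons
    return flagged

# Constructed sample grants: one legitimate admin-consented backup tool,
# one typical consent-phishing app, one low-privilege calendar app.
GRANTS = [
    {"app_name": "Corporate Backup", "publisher_verified": True,
     "consent_type": "admin", "scopes": "User.Read Mail.Read Files.Read.All"},
    {"app_name": "Quarterly Report Viewer", "publisher_verified": False,
     "consent_type": "user", "scopes": "User.Read Mail.Read offline_access"},
    {"app_name": "Team Calendar", "publisher_verified": True,
     "consent_type": "user", "scopes": "User.Read Calendars.Read"},
]

if __name__ == "__main__":
    for app, reasons in flag_grants(GRANTS).items():
        print(app, "->", "; ".join(reasons))
```

Revoking a flagged grant and restricting user consent to verified publishers or low-privilege scopes closes the gap that MFA does not cover.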
Straightforward con tricks based on Business Email Compromise are, according to the FBI, still the cyber-crime that costs businesses the most.
The supply chain is the new front line
The emergence of the supply chain as a focus of cyber-crime was one of the key developments of the last year. High-profile compromises at SolarWinds and Kaseya brought the idea of supply chain attacks onto the radar of many security managers for the first time, and for suppliers, their cyber security capability will become a competitive advantage when bidding for new customers. Supplier due diligence needs to be more than completing a questionnaire at the start of the relationship. Ongoing monitoring of suppliers and active demonstration of continued compliance with agreed security protocols are going to be increasingly demanded, which will bring their own governance and monitoring overheads for security teams.
From Cyber Security to Cyber Resilience
Two months into the COVID pandemic in May 2020, Satya Nadella said: ‘We have seen two years’ worth of digital transformation in two months.’ Centralised organisations became decentralised overnight as many staff were forced to work from home, and the agility of IT departments in deploying new flexible working solutions became mission critical overnight. Microsoft concludes its report with the idea that, more than just security, the resilience of an organisation’s cyber (that is, IT) systems to challenge and change will be how we think going forward. This resilience will need to cope with challenges that are predictable (such as severe weather), unplanned (such as earthquakes), criminal or legal (such as a cyber-attack), and societal (such as a pandemic). The role of IT leaders is to ensure the business continues to operate no matter what happens, and that data is kept confidential, integrity is maintained and systems are available wherever staff happen to be located.
You can read the full report on Microsoft’s website here.