IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
February 12, 2021

Top 4 takeaways from Microsoft’s Digital Defence Report

Jérôme Robert, Managing Director North America, Alsid, offers IFSEC Global readers four key takeaways from Microsoft’s 80 page 2020 Digital Defence Report.  

In these uncertain times, there is one certainty – cyberthreats. Bad actors have delighted in the expansion of the digital attack surface as the world turned to remote work almost overnight. Gnawing away at the fabric of our virtual lives and exploiting the pandemic, organised cybercriminals, nation states, and opportunists have had a busy year. Against that backdrop, the annual release of Microsoft’s Digital Defence Report makes for an interesting read.

Delivering the full security intelligence picture via eight trillion daily signals and thousands of experts across Microsoft’s ecosystem, the Digital Defence Report spotlights key learnings from an exceptional year. Perhaps because of how “unprecedented” (sorry) 2020 has been, the report runs some 80-odd pages. In case that’s too many to digest, we’ve done the chewing for you. So here are four key takeaways to bring you up to speed with the security landscape in 2021.

If your cyber defence strategy didn’t evolve in 2020, you’re doing it wrong 

The cyber landscape reflects the changes and disruptions in our physical and digital worlds – and throughout 2020 there were plenty. Just as criminals evolve their mode of attack, cyber defence must evolve to protect ever-changing digital assets. The Microsoft Defence Report highlights three key, high-level areas of focus where threats peaked: cybercrime, nation state threats, and the remote workforce.

Cybercriminals exploited the fear and interest in COVID-19, imitating healthcare organisations to lure employees into clicking malicious links and attachments. Meanwhile, nation state actors waited patiently for their targets – often NGOs like advocacy groups, nonprofits, and think tanks – to fall prey to espionage, disruption, or destruction of data. Finally, an overnight switch to remote work left many businesses scrambling to secure the workforce as operational procedures transformed, security boundaries extended, and resilience became the buzzword. All of which required a step-change in cyber defence.

Keeping ransomware under wraps 

Cybercriminals successfully exploited the rising fear around COVID-19, highlighting their adaptability in moments of crisis by leveraging human curiosity and the desire to know more – usually through spear phishing or exploiting public-facing applications. Microsoft’s intelligence shows that every country in the world experienced a Covid-themed attack, with China, the US, and Russia being the hardest hit.

Ransomware is the main cause of incidents according to Microsoft’s Detection and Response Team (DART). It highlights the increasing use of open-source tools like Cobalt Strike, Mimikatz, ProcessHacker, and LaZagne to initiate attacks that ultimately deliver ransomware payloads.

Businesses can protect themselves by staying on top of security improvements and fixes. Ensuring that apps and platforms are running the most up-to-date versions, including patches for existing VPN architectures, is key. The report highlights the vulnerability of network devices like gateways and VPNs, as ransomware operators and nation state actors make them a practical target for intrusion. Applying all available security updates to VPN and firewall configurations is therefore essential.

Microsoft advises organisations to monitor and pay special attention to remote access infrastructure, with any detections from security products or anomalies found in event logs to be investigated immediately. Since lateral movement is almost always the goal here (as criminals poke around for access to privileged user accounts), monitoring your Active Directory (AD) for changes and unusual activity is also critical. Which brings us to our next point…

What the MFA? Keeping Active Directory breaches at bay

Cybercriminals and nation state actors like THALLIUM are well versed in harvesting credentials. For many, the addition of remote work created a perfect storm of security challenges. But Microsoft puts the success of its transition down to a Zero Trust architecture – assuming a request is a breach regardless of where it originates – which means multifactor authentication, ubiquitous device management, and conditional access reinforcement. But people are just as fundamental when it comes to improving security.

Firstly, not only did Microsoft identify a two-fold increase in multifactor authentication requests once COVID hit, but the majority of accounts that were compromised did not have multifactor authentication enabled. Cybercriminals clearly took advantage of the chaos of a newly remote workforce, using it as a veil for identity-based attacks. Disabling legacy authentication and enabling multifactor authentication is absolutely essential. MFA-enabled businesses experience 67% fewer compromises.

With the extension of the work perimeter beyond the usual enterprise to the home and often personal devices, extending device management rules is also vital – as is requiring employees to opt in to MFA setups.
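As an added example of where to start on the legacy-authentication and MFA point above (this is not code from the article or from Microsoft’s report), the audit below runs over constructed sign-in records and counts, per account, successful sign-ins made over legacy protocols and successes that never performed MFA. The field names (clientAppUsed, authenticationRequirement, status.errorCode) and the legacy client list are assumed to match the Microsoft Graph sign-in log shape; the records themselves are constructed for the example.

```python
"""Audit constructed sign-in records for the two gaps the article names:
successful sign-ins over legacy protocols and successes that never did MFA.
Field names follow the Microsoft Graph signIn shape as an assumption."""
from collections import defaultdict

# Protocols that cannot carry an MFA challenge, so a Conditional Access
# MFA policy never applies to them; these are the ones to block first.
LEGACY_CLIENTS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "SMTP", "Authenticated SMTP",
    "MAPI Over HTTP", "Other clients",
}

# Constructed sample: three accounts with a mix of modern and legacy clients.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "Browser",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "clientAppUsed": "Other clients",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 50126}},  # failed (bad password): not a reach
    {"userPrincipalName": "carol@example.com",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}},
]

def audit_signins(records: list) -> dict:
    """Return {upn: {"legacy": n, "no_mfa": n}} over successful sign-ins only;
    a failed attempt never reached the account, so it is not an exposure."""
    report = defaultdict(lambda: {"legacy": 0, "no_mfa": 0})
    for rec in records:
        if rec.get("status", {}).get("errorCode", 1) != 0:
            continue  # skip failures, and records with no status at all
        counts = report[rec["userPrincipalName"]]
        if rec.get("clientAppUsed") in LEGACY_CLIENTS:
            counts["legacy"] += 1
        if rec.get("authenticationRequirement") != "multiFactorAuthentication":
            counts["no_mfa"] += 1
    return dict(report)

def exposed_accounts(report: dict) -> list:
    """Accounts with any legacy or single-factor success, worst first."""
    return sorted((u for u, c in report.items() if c["legacy"] or c["no_mfa"]),
                  key=lambda u: (-report[u]["legacy"], -report[u]["no_mfa"], u))
```

Calling `exposed_accounts(audit_signins(SAMPLE_SIGNINS))` lists the accounts to tackle first; on the sample only bob appears, since carol’s legacy attempt failed and her only success used MFA.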

Hijacking the cloud: credential phishing?

Email phishing has become a dominant vector, with fraudulent emails enticing potential victims to click on bad links that essentially grant access to personal information. In 2019, Microsoft blocked 13 billion malicious and suspicious emails, more than a million of which were URL-based threats seeking to obtain credentials. The result is approximately two million URL payloads being created for credential harvesting each month.

Interestingly, attack techniques have evolved as cybercriminals look to evade detection. They increasingly hide among reputable cloud services and compromised web hosting infrastructures. Microsoft notes that these services are being leveraged to launch attacks via both email and file sharing. This highlights a shift away from malware attacks which previously brought the greatest revenues.

Microsoft recommends gaining full visibility across a business’ multi-cloud environment – including the IaaS and SaaS layers – so security pros can arm themselves with a complete view of their risk profile. This is achieved by leveraging SIEM tools to collect and analyse signals from all clouds in use, and using a cloud access security broker to audit and control SaaS applications. At the same time, mastering behaviour change within an organisation is key to stopping phishing scams dead in their tracks. As is keeping eyes on your AD security – not least to combat specialist phishing attacks that now validate credentials in real time against the AD.

Staying one step ahead of cybercriminals is a constant battle. These are just four insights ahead of another challenging year for cyber security pros. But hey, surely it can’t possibly be as bad as last year…?
