Introduction
Introduction to the report by Tom Burt, Corporate vice president of Customer security and trust
Welcome to the Microsoft Digital Defense Report 2021 – Audio version.
In order to make it easier for you to acquire the important information this report is holding for you, we created this audio version. I’m Jessica and I’ll be your digital host.
Let’s start.
The introduction chapter to the Digital Defense Report was written by Tom Burt, Corporate vice president of Customer security and trust.
Over the past year the world has borne witness to a burgeoning cybercrime economy and the rapid rise of cybercrime services. We have watched this global market grow in both complexity and fervency. We’ve seen the cyberattack landscape becoming increasingly sophisticated as cybercriminals continue—and even escalate—their activity in times of crisis. New levels of supply chain and ransomware attacks were a powerful reminder that we must all work together, and in new ways, to protect the cybersecurity of the planet.
We see transparency and information sharing as essential to the protection of the ecosystem. Knowledge brings power, and to that end, security professionals need diverse and timely insights into the threats they are defending against.
Microsoft serves billions of customers globally, allowing us to aggregate security data from a broad and diverse spectrum of companies, organizations, and consumers. Informed by over 24 trillion security signals per day, our unique position helps us generate a high-fidelity picture of the current state of cybersecurity, including indicators that help us predict what attackers will do next. Our goal in creating the Microsoft Digital Defense Report is to bring together integrated data and insights from more teams, across more areas of Microsoft than ever before. We will share what we’re seeing to help the global community strengthen the defense of the digital ecosystem, and we will include actionable learnings that companies, governments, and consumers can use to further secure individuals and environments.
The Microsoft Digital Defense Report draws on insights, data, and signals from across Microsoft, including the cloud, endpoints, and the intelligent edge. Thousands of Microsoft security experts across 77 countries interpret and contribute to the insights gained from our advanced engineering and threat signals. Our security experts include analysts, researchers, responders, engineers, and data scientists. We also share lessons learned from customers transitioning to a hybrid workforce and frontline stories from our incident responders. Of course, there is malign activity we do not see, some of which is reported on by others in the industry. While the defender community at Microsoft works hard to identify threats and keep our customers informed, the bad actors are skilled and relentless.
By continually sharing insights we and others in the industry derive from the work we do, we hope to empower everyone to defend the online ecosystem more effectively.
Microsoft has made significant and ongoing investments to increase and improve the knowledge we derive from our threat signals. These investments deliver the highly synthesized and integrated insights that we share here. Our goal in aggregating these learnings is to help organizations understand the ways in which cybercriminals are continually shifting their modes of attack—and determine the best ways to combat those attacks. We write and share this report in the spirit of empowering the global community to benefit from the insights, observations, and transparency generated by our unique mission and vantage point.
Our 2021 focus areas
Five areas of focus of the yearly report
Let’s explore our 2021 focus areas:
2021 brought powerful reminders that to protect the future we must understand the threats of the present. This requires that we continually share data and insights in new ways. Certain types of attacks have escalated as cybercriminals change tactics, leveraging current events to take advantage of vulnerable targets and advance their activity through new channels. Change brings opportunity—for both attackers and defenders—and this report will focus on the threats that are most novel and relevant to the community as we look to the months ahead.
Looking at the threat landscape, along with data and signals from cross-company teams, five top-level areas emerged as most critical to bring into the sharpest focus in this report: the state of cybercrime; nation state threats; supplier ecosystems, IoT, and operational technology security; the hybrid workforce; and disinformation. To provide the greatest benefit, we also extract our recommendations and actionable learnings, and present them throughout the report and in our concluding chapter.
Area number one in our report is the state of cybercrime.
In this chapter, we discuss new developments in the cybercrime economy and the growing market for cybercrime services. We provide updates and analysis of what we are seeing in ransomware and extortion, phishing and other malicious email, malware, and the use of domains by cybercriminals, presenting recommendations for mitigating risk in each area. Finally, we share what we’re seeing in adversarial machine learning and what we are doing to stay ahead of cybercriminals in this area.
The second area this report explores is Nation state threats.
This chapter provides an update on what we’re seeing in nation state adversarial activity, including reports on seven activity groups we have not previously mentioned publicly. We provide an analysis of the evolving threats in this watershed year with an increased focus on on-premises servers and the exposure of widespread supply chain vulnerabilities. We conclude with a discussion about private sector offensive actors and our guidance for comprehensive protections.
The third chapter we have on the line dives into supply chain, IoT, and OT security.
The highly publicized events of the last year have made clear that securing and managing risks associated with supplier ecosystems is critically important. This chapter covers some current challenges in doing so in the supplier ecosystem and presents how Microsoft thinks about end-to-end supply chain security in nine investment areas. Then we turn our discussion to what we’re seeing in the IoT and OT threat landscape, with guidance on the properties of highly secured devices. We include specialized use cases of IoT and present some new research informing IoT policy considerations.
The fourth part of our report explores Hybrid workforce security.
This chapter is about our greatest asset, our people. As we have moved to a hybrid workforce over the past year, we’ve seen developments in the threat landscape which point to the importance of adopting a Zero Trust approach. We include threat signals and other data across the six pillars of Zero Trust—identities, endpoints, applications, network, infrastructure, and data—and provide guidance based on what we’re seeing. We conclude with discussions about insider threats in hybrid work environments, and an empathy imperative for managing the new and significant challenges encountered by today’s workforce.
The fifth chapter of the report addresses the unprecedented disinformation campaigns and related cyber operations by state and non-state actors, impacting public awareness and knowledge as well as enterprise operations. We look at some parallels in cybersecurity and discuss mitigation through media literacy. We include a discussion on disinformation as an enterprise disruptor, providing a four-point plan for enterprise executives. The chapter concludes with an in-depth exploration of political campaign security and election integrity, two areas that have been targeted by disinformation campaigns.
Lastly, we open this year’s concluding chapter with a discussion of five paradigm shifts that will center the evolution of work around the inclusivity of people and data. The chapter concludes with a distilled look at the key learnings from all the previous chapters of this report: to minimize impact of attacks we must truly practice good cyber hygiene, implement architectures that support the principles of Zero Trust, and ensure cyber risk management is built into the business.
Cybercrime economy and services
Seeing the cybercrime supply chain consolidate and mature
Amy Hogan-Burney, General manager, digital crimes unit
Let’s take a look at cybercrime economy and services.
Through our investigations of online organized crime networks, frontline investigations of customer attacks, security and attack research, nation state threat tracking, and security tool development, we continue to see the cybercrime supply chain consolidate and mature. It used to be that cybercriminals had to develop all the technology for their attacks. Today, they rely on a mature supply chain, where specialists create cybercrime kits and services that other actors buy and incorporate into their campaigns. With the increased demand for these services, an economy of specialized services has surfaced, and threat actors are increasing automation to drive down their costs and increase scale. For example, we are seeing an increasing offer of backconnect proxies in addition to RDP, SSH, VPN, VPS, web shells, cPanels and other anonymization systems.
Other examples include selling compromised credentials that may have been obtained from phishing, scraping botnet logs or other credential harvesting techniques, imposter domain names, phishing-as-a-service, customized lead generation, loads, denial of service, and more. As an illustration, in some marketplaces, compromised credentials are offered by different sellers for $1.00 USD to $50.00 USD, depending on a variety of variables including the perceived value of the enterprise target. The number of sites offering services has significantly increased in the past 12 months as well as volume of credentials and variety of phishing kits.
Among the services available to even amateur threat actors are the cryptocurrency escrow services that we often see in commodity ransomware campaigns where affiliate models have become firmly established. Nontechnical cybercriminals sign up with a ransomware affiliate where for 30% of the revenue, the affiliate network will supply the ransomware, recovery services, and payment services. The attacker then buys “loads” from a market and pushes the ransomware to the loads they purchased. They then sit back and collect their revenue.
At times there are geographic groups of actors who may offer certain services, but most of these cybercrime markets are global in nature. A buyer in Brazil can obtain phishing kits from a seller in Pakistan, domains from the United States, victim leads from Nigeria, and proxies from Romania.
These prices have remained fairly steady over the past several years, but like any other market they vary according to changes in supply, demand, and externalities such as politics.
There are three Key takeaways for you here: