Microsoft Digital Defense Report 2021

Let’s explore Our 2021 focus areas:

2021 brought powerful reminders that to protect the future we must understand the threats of the present. This requires that we continually share data and insights in new ways. Certain types of attacks have escalated as cybercriminals change tactics, leveraging current events to take advantage of vulnerable targets and advance their activity through new channels. Change brings opportunity—for both attackers and defenders—and this report will focus on the threats that are most novel and relevant to the community as we look to the months ahead.

Looking at the threat landscape, along with data and signals from cross-company teams, five top-level areas emerged as most critical to bring into the sharpest focus in this report: the state of cybercrime; nation state threats; supplier ecosystems, IoT, and operational technology security; the hybrid workforce; and disinformation. To provide the greatest benefit, we also extract our recommendations and actionable learnings, and present them throughout the report and in our concluding chapter.

Area number one in our report is the state of cybercrime.
In this chapter, we discuss new developments in the cybercrime economy and the growing market for cybercrime services. We provide updates and analysis of what we are seeing in ransomware and extortion, phishing and other malicious email, malware, and the use of domains by cybercriminals, presenting recommendations for mitigating risk in each area. Finally, we share what we’re seeing in adversarial machine learning and what we are doing to stay ahead of cybercriminals in this area.

The second area this report explores is Nation state threats.
This chapter provides an update on what we’re seeing in nation state adversarial activity, including reports on seven activity groups we have not previously mentioned publicly. We provide an analysis of the evolving threats in this watershed year with an increased focus on on-premises servers and the exposure of widespread supply chain vulnerabilities. We conclude with a discussion about private sector offensive actors and our guidance for comprehensive protections.

The third chapter we have on the line dives into supply chain, IoT, and OT security.
The highly publicized events of the last year have made clear that securing and managing risks associated with supplier ecosystems is critically important. This chapter covers some current challenges in doing so in the supplier ecosystem and presents how Microsoft thinks about end-to-end supply chain security in nine investment areas. Then we turn our discussion to what we’re seeing in the IoT and OT threat landscape, with guidance on the properties of highly secured devices. We include specialized use cases of IoT and present some new research informing IoT policy considerations.

The fourth part of our report explores Hybrid workforce security.
This chapter is about our greatest asset, our people. As we have moved to a hybrid workforce over the past year, we’ve seen developments in the threat landscape which point to the importance of adopting a Zero Trust approach. We include threat signals and other data across the six pillars of Zero Trust—identities, endpoints, applications, network, infrastructure, and data—and provide guidance based on what we’re seeing. We conclude with discussions about insider threats in hybrid work environments, and an empathy imperative for managing the new and significant challenges encountered by today’s workforce.

The fifth chapter of the report addresses the unprecedented disinformation campaigns and related cyber operations by state and non-state actors, impacting public awareness and knowledge as well as enterprise operations. We look at some parallels in cybersecurity and discuss mitigation through media literacy. We include a discussion on disinformation as an enterprise disruptor, providing a four-point plan for enterprise executives. The chapter concludes with an in-depth exploration of political campaign security and election integrity, two areas that have been targeted by disinformation campaigns.

Lastly, we open this year’s concluding chapter with a discussion of five paradigm shifts that will center the evolution of work around the inclusivity of people and data. The chapter concludes with a distilled look at the key learnings from all the previous chapters of this report: to minimize impact of attacks we must truly practice good cyber hygiene, implement architectures that support the principles of Zero Trust, and ensure cyber risk management is built into the business.

Let’s give a look at cybercrime economy and services.

Through our investigations of online organized crime networks, frontline investigations of customer attacks, security and attack research, nation state threat tracking, and security tool development, we continue to see the cybercrime supply chain consolidate and mature. It used to be that cybercriminals had to develop all the technology for their attacks. Today, they rely on a mature supply chain, where specialists create cybercrime kits and services that other actors buy and incorporate into their campaigns. With the increased demand for these services, an economy of specialized services has surfaced, and threat actors are increasing automation to drive down their costs and increase scale. For example, we are seeing an increasing offer of backconnect proxies in addition to RDP, SSH, VPN, VPS, web shells, cPanels and other anonymization systems.

Other examples include selling compromised credentials that may have been obtained from phishing, scraping botnet logs or other credential harvesting techniques, imposter domain names, phishing-as-a-service, customized lead generation, loads, denial of serviceand more. As an illustration, in some marketplaces, compromised credentials are offered by different sellers for $1.00 USD to $50.00 USD, depending on a variety of variables including the perceived value of the enterprise target. The number of sites offering services has significantly increased in the past 12 months as well as volume of credentials and variety of phishing kits.

Among the services available to even amateur threat actors are the cryptocurrency escrow services that we often see in commodity ransomware campaigns where affiliate models have become firmly established. Nontechnical cybercriminals sign up with a ransomware affiliate where for 30% of the revenue, the affiliate network will supply the ransomware, recovery services, and payment services. The attacker then buys “loads” from a market and pushes the ransomware to the loads they purchased. They then sit back and collect their revenue.

At times there are geographic groups of actors who may offer certain services, but most of these cybercrime markets are global in nature. A buyer in Brazil can obtain phishing kits from a seller in Pakistan, domains from the United States, victim leads from Nigeria, and proxies from Romania.

These prices have remained fairly steady over the past several years, but like any other market they vary according to changes in supply, demand, and externalities such as politics.

There are three Key takeaways for you here:

• First one is the understanding that identity and password phishing attacks are cheap, and on the rise. Why would an attacker break in when they can log in?
  
  
• Second is that distributed denial of service attacks are cheap and would cost around $300 per month for unprotected sites.
  
  
• Third insight is that ransomware kits are one of the many types of attack kits designed to enable low-skill attackers to perform more sophisticated attacks.