This report details the evolving cybersecurity landscape, focusing on increasing threats from nation-state actors, cybercriminals, and the emerging influence of AI. Key findings highlight the convergence of nation-state and criminal activities, with threats such as ransomware, identity attacks, and DDoS increasing in sophistication and scale. The report discusses hybrid warfare tactics, where cyber operations support geopolitical aims, and presents AI's dual role as both a defense tool and an emerging threat. Microsoft’s response initiatives include the Secure Future Initiative to enhance cybersecurity across its operations, focusing on improved data security, resilience, and global collaboration with governments and industry. Recommendations emphasize deterrence through international cooperation, strengthened norms, and public-private partnerships for resilience.
Authors
Pages: 114
Published in: United States of America
Table of Contents
- Microsoft Digital Defense Report 2024 1
- In this report 2
- Cyber Point of View stories 2
- Overview 3
- About this report 3
- Report scope 3
- Report viewing and navigating 3
- Our commitment to preserving privacy 3
- Threat actor terminology used in this report 3
- Key information 3
- Our commitment to developing technology responsibly 3
- Links 3
- Introduction 4
- Complex, challenging, and increasingly dangerous 4
- Our unique vantage point 6
- Society | Microsoft Stakeholders | Microsoft Customers 7
- Microsoft’s unique vantage point 7
- An extra 13 trillion security signals per day 7
- 1,500 unique threat groups tracked 7
- Microsoft’s cybersecurity approach 7
- Microsoft security investments 7
- 34,000 dedicated security engineers 7
- Current and emerging threats 7
- Cybersecurity at Microsoft: the CISO’s perspective 8
- Chapter 1 The evolving cyber threat landscape 9
- Key developments 10
- The evolving cyber threat landscape 10
- Blurred lines between nation-state threat actor activity and cybercrime 10
- The many faces of hybrid war 10
- The need to impose deterrent consequences for cyber aggression 10
- 600 million identity attacks per day 10
- Nation-state influence operations converge on elections 10
- 2.75x increase in human-operated ransomware-linked encounters 10
- Ingenuity and scalability of fraud tactics surging globally 10
- Introduction: The evolving landscape of cybersecurity 11
- Threat actors and motivations 12
- KEY TO MOTIVATIONS MAPPING 12
- Nation-state actors 12
- Russia 12
- China 12
- North Korea 12
- Iran 12
- Influence Operations 12
- Financially motivated 12
- Groups in development 12
- Nation-state threats 13
- Nation-state threat activity by the numbers 13
- The Education and Research sector became the second most targeted by nation-state threat actors 13
- Top 10 targeted sectors worldwide 13
- Nation-state threat actor targeting 14
- Regional sample of activity levels observed 14
- Russia 15
- Targeting by region 15
- Most targeted sectors 15
- China 15
- Targeting by region 15
- Most targeted sectors 15
- Iran 16
- Targeting by region 16
- Most targeted sectors 16
- North Korea 16
- Targeting by region 16
- Most targeted sectors 16
- Cyber Point of View: Japan 17
- Japan’s new Defense Whitepaper outlines its cybersecurity measures 17
- Blurring lines between nation-state threat actors and cybercriminals 18
- The many faces of hybrid war 19
- How Iran is using cyber-enabled influence operations to degrade Israel 19
- Iran’s most targeted countries prior to the Israel-Hamas conflict (July–October 2023) 19
- Iran’s most targeted countries after the start of the Israel-Hamas conflict (October 2023–June 2024) 19
- Russia’s wide-reaching tactics for spying on Ukraine’s military and its allies 20
- Daily count of Aqua Blizzard malware detections 20
- Midnight Blizzard threatens IT supply chain 20
- Midnight Blizzard’s most targeted sectors 20
- Operational technology (OT) systems are at risk in hybrid warfare 21
- Links 21
- Distribution of internet-exposed Unitronics controllers communicating over PCOM protocol as of June 2024 21
- Chinese cyber threat activity in and around the South China Sea 22
- Chinese threat actors target military and IT entities in the South China Sea 22
- Deterring the most advanced threats 23
- Cyber Point of View: Australia 24
- The power of public/private partnerships 24
- Links 24
- Election interference 25
- Nation-state threat actors and elections 25
- Russia, Iran, and China influence efforts converge on US election 25
- Election-related influence operations timeline 26
- Links 26
- Elections create another opportunity for impersonation threats 27
- Examples of homoglyph techniques 27
- Actionable Insights 27
- Ransomware 28
- Landscape and trends 28
- Top human-operated ransomware groups 28
- Organizations with ransom-linked encounters continue to increase while the percentage of those ransomed is decreasing (July 2022–June 2024) 28
- How cybercriminals are tampering with security products 29
- Actionable Insights 29
- Links 29
- Octo Tempest: a case study and a cautionary tale 30
- Tactics, techniques, and procedures used by Octo Tempest 30
- Initial access 30
- Discovery 30
- Credential access, lateral movement 30
- Defense evasion, execution 30
- Persistence 30
- Actions on objective 30
- Disrupting ransomware threat actors 31
- Links 31
- Cyber Point of View: Israel 31
- Combatting ransomware collectively 31
- Fraud 32
- Landscape and trends 32
- The ever-growing threat of cyber-enabled financial fraud 33
- Novel trends and nightmare scenarios in the world of e-commerce 34
- Actionable Insights 34
- Phishing 35
- Top email phishing types 35
- QR code phishing 35
- Links 35
- Business email compromise (BEC) 36
- Other noteworthy post-compromise behaviors observed 36
- Top post-compromise BEC behaviors 36
- Actionable Insights 36
- Impersonation 37
- Deepfakes 37
- Sectors impersonated in consumer phish 37
- Corporate impersonation 37
- Actionable Insights 37
- Links 37
- The dire state of techscam 38
- Actionable Insights 38
- Daily malicious traffic volume (millions) 38
- Account takeovers (ATOs) 39
- Confirmed ATOs in Azure Small Business segment 39
- Actionable Insights 39
- Links 39
- Identity and social engineering 40
- Insights on identity attacks and trends 40
- Attacks on identity infrastructure in the spotlight 40
- Actionable Insights 40
- Threat actors are bypassing MFA using innovative AiTM phishing attacks and token theft 41
- Actionable Insights 41
- Exploiting applications to access high-value resources 41
- Actionable Insights 41
- Identity attacks in perspective 42
- MFA attacks 42
- Post-authentication attacks 42
- Infrastructure compromise 42
- Security to the max: the optimal mindset for security professionals 43
- Technical debt makes maintaining a secure environment challenging 43
- “Secure by default” settings reduce identity compromises 44
- Actionable Insights 44
- MFA adoption: percentage of Entra ID monthly active users signing in with MFA 44
- Social engineering “next generation” 45
- Teams and Skype phishing 45
- SIM swapping 45
- Helpdesk social engineering 46
- How easy is it to carry out different types of social engineering attacks? 46
- EASY 46
- MEDIUM 46
- HARD 46
- Links 46
- Actionable Insights 46
- AiTM credential phishing 47
- Stormy skies: the rise of cloud identity compromise 48
- Links 48
- Cloud identity compromise 48
- Links 49
- Cloud identity abuse preparedness 49
- Actionable Insights 49
- Cyber Point of View: Canada 50
- How Canada is boosting security by investing in innovation and partnerships 50
- DDoS: Stealthier threats emerge 51
- Attack landscape 51
- A new threat: Application loop attacks 51
- Number of network DDoS attacks (January–June 2024) 52
- Actionable Insights 52
- Cyber Point of View: India 53
- DDoS attacks on the rise in India 53
- Daily number of attacks targeting the APAC region (February–June 2024) 53
- Actionable Insights 53
- Chapter 2 Centering our organizations on security 54
- Key developments 55
- Centering our organizations on security 55
- The Secure Future Initiative (SFI) 55
- Security stories from critical infrastructure frontlines 55
- Taking a threat-informed approach to defense 55
- Best practices for robust cybersecurity governance and accountability 55
- Hierarchical pyramid of cybersecurity needs 55
- Generative AI is fueling the need for data security policy implementation 55
- Collective action through deeper partnerships between industry and governments 55
- Supporting democratic elections 55
- Introduction: Tackling technical debt and shadow IT for a secure future 56
- Clearing out technical debt 56
- Putting security above all else 57
- Links 57
- Strategic approaches to cybersecurity: “Managing your own house” 58
- Data security 58
- Key components of an effective data security strategy 58
- An integrated approach to data security 58
- How generative AI is fueling the need for data security policy implementation 58
- Links 58
- Harnessing generative AI to define your data perimeter 59
- Readiness levels: Protecting and governing data while benefiting from generative AI 59
- 1 Prepare data 59
- 2 Limited implementation 59
- 3 Used to enhance productivity 59
- 4 Driving force for innovation 59
- Links 59
- Cyber Point of View: Sweden 60
- Using the cloud to protect against ransom attacks 60
- Hierarchy of cybersecurity needs 61
- AUTOMATE SECURITY OPERATIONS 61
- DETECT AND REMEDIATE THREATS 61
- SECURE DIGITAL ASSETS 61
- PROTECT ENDPOINTS 61
- PROTECT IDENTITIES 61
- Threat-informed defense 62
- Thinking differently to address threats 62
- The Silo Effect 62
- Pre-breach attack path analysis 63
- Single pane of glass 63
- Critical asset management 63
- Attack path management 63
- Links 63
- Attack path insights for threat-informed defense (June 2024) 63
- Optimizing governance and accountability 64
- Key elements should include: 64
- Avoiding blame. 64
- Making sure learnings or issues don’t slip through the cracks. 64
- Sharing responsibility. 64
- Requiring cross-team training and learning. 64
- Tips to build security literacy: 64
- Make it personal and human. 64
- Make it clear. 64
- Make it engaging and fun. 64
- Make it easy. 64
- Security incident decisions: Dispatches from the field 65
- Security incident decisions 65
- Preparation 65
- Communication 65
- Execution 65
- The following are the most common challenges we encountered during IR engagements: 66
- Links 66
- Cyber Point of View: Latin America 66
- Tough lessons for board members about cybersecurity 66
- Resilience maturity 67
- Operational 67
- For day-to-day IT operations, preparation and maturity ensure that an organization has clear visibility of its estate, documented and reliable playbooks, and rapid, automation-driven response capabilities. 67
- Readiness 67
- Prepare for a cybersecurity incident. 67
- Tactical 67
- Prepare for initial response to an incident to respond logically and efficiently. 67
- Strategic 67
- Take steps to improve overall security posture in the longer term. 67
- Supporting the ecosystem 68
- The passkey journey: a story of collaboration across the industry 68
- Actionable Insights 68
- Links 68
- Cyber Point of View: France 69
- Enhancing France’s cybersecurity workforce 69
- Links 69
- Critical environments 70
- Security stories from the frontline of OT 70
- A three-step action plan: insights from testing OT applications 70
- Types of OT systems in datacenters 70
- Inherent risks of vulnerabilities in OT equipment 71
- Emerging challenges and trends 71
- Categorizing the vulnerabilities 72
- The challenges of securing OT networking protocols 73
- Network security of embedded devices 73
- Actionable Insights 73
- Cyber Point of View: Africa 74
- Increasing the cyber resilience of emerging economies 74
- Links 74
- Managing software and firmware updates in the critical infrastructure environment 75
- Difficulties in updating software in the OT environment 75
- Managing the OT software supply chain 76
- Actionable Insights 76
- Datacenter outages caused by firmware version mismatch 76
- Experiences with fully managed device updates 77
- Key steps included: 77
- Links 77
- Collective action 78
- The digital transformation of defense and a call for partnership 78
- RAISE: The Roundtable for AI, Security, and Ethics 78
- Links 79
- How Microsoft helps support democratic elections 80
- Microsoft is also helping protect the online environment surrounding elections by: 81
- Defending the information environment 81
- Protecting data 81
- Identifying and responding to threats 81
- Links 81
- Cyber Point of View: UK 82
- A continuously improving security partnership 82
- Links 82
- Chapter 3 Early insights: AI’s impact on cybersecurity 83
- Key developments 84
- Early insights: AI’s impact on cybersecurity 84
- AI-enabled human targeting 84
- Emerging threat actor techniques 84
- Governments and industries working to advance global AI security 84
- Nation-state threat actors are using AI for influence operations 84
- Limiting foreign influence operations in the modern era 84
- AI for defense 84
- Staying a step ahead of threat actors in the age of AI 84
- Introduction: AI’s impact on cybersecurity 85
- Understanding how generative AI systems work 86
- How Copilots work 86
- Two key insights 87
- 1. Building is easy; testing is hard 87
- 2. Generative AI security is nondeterministic 87
- Links 87
- These attacks are different 87
- They’re nondeterministic: 87
- Map human ideas to generative AI safety 87
- For a person, you might... 87
- For a Copilot, you might... 87
- Emerging threat landscape 88
- The generative AI threat landscape 88
- System threats 88
- Ecosystem threats 89
- Sophisticated AI-enabled human targeting 90
- Targeting high-value individuals 90
- The defensive advantage 90
- The offensive advantage 90
- Emerging techniques in AI enabled attacks 91
- AI-enabled spear phishing and whaling 91
- Links 91
- “Résumé swarming” and steganography 91
- This text is visible to the human eye 91
- “Key words” are visible only to screening systems 91
- Deepfakes and other variations on social engineering 91
- Actionable Insights 91
- Nation-state threat actors using AI for influence operations 92
- Adversarial use of AI in influence operations 92
- China-affiliated influence actors favor AI-generated imagery 92
- Russia-affiliated influence actors using audio-focused AI across mediums 93
- Iran-affiliated influence actors are in the early stages of AI integration 93
- Limiting foreign influence operations in the modern era 94
- Limits on targets 94
- Limits on tools and techniques 94
- Links 94
- AI for defense 95
- Harnessing AI to detect cyberattacks 96
- Detecting hidden attacks with AI 96
- Disrupting attacks by combining endpoint detection and response with AI 96
- Extending AI across cybersecurity 96
- AI’s early impact on the security operations center (SOC) 97
- Examples 97
- Seven areas of efficiencies in Microsoft security operations 98
- Using generative AI to understand cyberattacks and create tailored mitigations 100
- Growth in complexity of MITRE ATT&CK tactics and techniques 100
- May 2015 100
- April 2024 100
- From categories to context 100
- Rules-based approach 101
- With generative AI 101
- How governments and industries are advancing global AI security 102
- Government approaches to AI security 102
- The United States 103
- The European Union 103
- Other legislative initiatives 103
- Cyber Point of View: Albania 104
- Transparency, advanced technologies, and generative AI to combat malicious state-sponsored cyberattacks 104
- Collaborative policy initiatives for AI security 105
- July 2023 105
- August 2023 105
- November 2023 105
- January 2024 105
- February 2024 105
- March 2024 105
- April 2024 105
- May 2024 105
- June 2024 105
- International standards for AI security 106
- The benefits of international standards 106
- ISO/IEC 42001 106
- ISO/IEC 27090 106
- Actionable Insights 106
- Staying a step ahead of threat actors in the age of AI 107
- Links 107
- Appendix 108
- Additional information 108
- References 109
- Overview 109
- Chapter 1. The evolving cyber threat landscape 109
- Chapter 2. Centering our organizations on security 110
- Chapter 3. Early insights: AI’s impact on cybersecurity 110
- Contributing teams 111